How police can find out where you’ve been, and what you can do about it.
Tech companies are scrambling to adjust their data privacy practices in response to the Supreme Court’s decision to overturn Roe v. Wade and the subsequent criminalization of abortion in several states, as the larger public realizes that the data those services collect could be used to prosecute abortion seekers. Google, for example, recently announced that it will automatically delete location data if people visit medical facilities, including abortion clinics (it still, of course, collects that data). And the period tracker app Flo is introducing an “anonymous mode” that is supposed to let users delete any identifiable information from their profiles.
If you’ve never cared all that much about how and why you’re constantly being surveilled online before, you probably have a lot of questions about how all of this works now — especially when it comes to reproductive health data and what can be used against you. We’ve answered some of those questions here, from how scared you should be of period apps to what you can do to keep your private life private … as much as that’s possible, anyway.
Should I delete my period app?
This seems to be the biggest question people have about online privacy with regard to the Roe reversal. The short answer is: Yes. If you want to keep your reproductive health and menstrual data private — especially if you’re worried about that data being part of a criminal investigation — don’t put it in an app.
The longer answer is that when it comes to online privacy and health privacy, deleting a period tracker app is like taking a teaspoon of water out of the ocean. The current anxiety about period apps is understandable, given the purpose that they serve. But it’s also myopic. There are countless and more effective ways that interested parties can track your pregnancy status (expectant parents buy a lot of things, so knowing when someone gets pregnant to target them with ads can be lucrative) and law enforcement can do even more if they’re investigating you for getting an abortion in a state where it’s illegal (more on that later). The data from a period tracker app will only tell them so much, and it will only tell them the information you’ve given it.
That said, period tracker or fertility apps have a bad reputation when it comes to privacy, and they deserve it. Flo was once caught sending data to various third parties including Facebook and Google, despite privacy policies indicating that it wouldn’t. Glow was dinged for “serious privacy and basic security failures.” Stardust shared user phone numbers with a third party, and its “end-to-end encryption” claims have been walked back.
Since a draft opinion indicating that Roe would be reversed leaked in May, and period apps got more scrutiny than perhaps ever before, many of them have scrambled to assure users that their data is safe or that they are implementing additional protections. While some period trackers are better than others, the only way to be sure that no one can get anything about you from a period app is not to use them at all.
Are there other ways to track my period that might be more secure than a period app?
Yes. People have been menstruating for as long as people have existed. Period apps, smartphones, and even the internet have only been around for a fraction of that time. If you keep track of your cycle on, say, a paper calendar, that data isn’t going to be sent to third parties or stored in some company’s cloud for law enforcement to access. Digital calendars exist, too, like Google’s Calendar and Apple’s iCal. You might feel better about those because they aren’t expressly for period tracking, and Google and Apple don’t send your data to third parties like some of those period apps do. But that doesn’t mean that data is completely protected, as I’ll explain later.
You can also use apps that don’t upload your information to a cloud, as Consumer Reports suggested. That data can still be accessed if someone gets control of the device it’s on, but that’s also true for paper calendars.
OK, I deleted my period app. I’m all set when it comes to abortion data now, right?
It’s understandable why people are focusing on period apps. They specifically deal with reproductive health, and deleting an app gives people what appears to be a fast and simple solution and a feeling of agency. But the truth is that period tracker apps are very low on the list of things you should worry about when it comes to online privacy and abortions. You can delete an app, but that won’t make an entire ecosystem built on knowing as much as possible about you disappear. If abortion is illegal where you live and law enforcement is investigating you for possibly getting one, even the most privacy-centric company can be forced to give law enforcement whatever data they have on you. And you can be forced to give them whatever data you have, too.
Let’s look at Google, because it likely has more data on you than anyone else. Depending on which of its services you use (or which of its services the apps you use or websites you visit use) Google knows a lot about you, such as where you go, what you search the internet for, the websites you visit, the emails you send and receive, the text messages you send, and the photos you take. Google doesn’t necessarily want to share this data with anyone else, because being the sole owner of it is one of Google’s competitive advantages. And it’s not going to hand it over to, say, an anti-abortion group that’s looking to weaponize it.
But Google doesn’t have a choice if law enforcement demands it and gets the right court order for it. That’s in its privacy policy: “We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process, or enforceable governmental request.”
Every other company is going to have a version of that clause. Even Apple, which has a better reputation for privacy than its Big Tech peers, will give data to the police if it’s compelled to do so. When it refused to help the FBI access iPhones owned by suspected terrorists, that was because Apple didn’t have a backdoor into its devices and wouldn’t make one. But any data those people had uploaded to iCloud, like backups of those devices — that is, the data Apple itself possessed — it did provide.
Google, for what it’s worth, has responded to the Roe news by announcing that it will automatically delete location data around certain places, like abortion or fertility clinics. That should mean that police can’t get it because there’s nothing for them to get. But there’s still plenty of potentially incriminating evidence left that they can find.
What are the chances that law enforcement will actually do any of this?
We don’t know if and how law enforcement will go after abortion seekers, but we do know how they’ve obtained and used data to go after others. That includes the case of a woman who was suspected of killing her baby just after it was born, and another woman who was accused of intentionally inducing a miscarriage. In those cases, texts, web searches, and emails taken from the women’s own phones were used as evidence against them. There’s nothing to suggest that police won’t do the same when investigating people suspected of obtaining now-illegal abortions.
What about data that non-governmental organizations can get?
When the Roe reversal decision first leaked, there were several stories showing just how much of your data is in the hands of random data brokers and how easy it is for that data to fall into the hands of anyone else. That data is “de-identified,” but depending on what data is collected and shared, it may be possible to re-identify someone from it. For example, last year, a priest was outed by data from Grindr. (One important caveat: While the publication that outed him said the data it used was “commercially available,” it never said it got that data from buying it.)
The chances that a private party will purchase data and be able to figure out that you got an abortion and who you are are, frankly, pretty remote. It’s the people who have access to much more specific and sensitive data — the police — you have to worry about, if abortion is illegal where you live. But nothing is impossible, especially when so much of our data is sent to so many places.
Isn’t my medical information protected by HIPAA?
Probably not as much as you think. First of all, not every single medical or health-related service is covered by HIPAA. Those anti-abortion pregnancy centers collect plenty of sensitive, reproductive health-specific data, and they may not be subject to HIPAA’s privacy rules, even if they perform medical procedures — and even if they reference HIPAA in their privacy policies.
But let’s say you see a provider who is a covered entity. Then, yes, your health information is protected. Unless you’re breaking the law, in which case police may be able to get those records or certain details in them. The Department of Health and Human Services, which enforces HIPAA, recently issued new guidance on reproductive health care disclosures in response to the Roe reversal, stressing that such disclosures can only be made under very select circumstances.
How can I protect my data? What about privacy apps like Signal?
Again, what data law enforcement or data brokers can get on you depends on what you give them. Google can only give the police what it has. Services like Signal and Proton that use end-to-end encryption and don’t store your data don’t have anything to give the police no matter how many warrants they’re served with. But if you have that data on your device and police get access to that, all the end-to-end encryption in the world won’t save you. That’s why Signal, for instance, offers a feature called disappearing messages, which will permanently delete messages in a chat after a set amount of time from every device in the chat.
There are also things you can do to prevent your data from being collected, but these might involve more steps and technical knowledge than you’re willing, or know how, to take. That’s especially true if you’re only trying to figure it out when the need for privacy suddenly arises and you have other things to worry about — like when you’re dealing with an unwanted pregnancy.
Which means your best bet is to read and get familiar with these measures now, when you have the time and emotional bandwidth to figure out what you can and want to do and practice incorporating them into your daily life. Some of them may not be as difficult or inaccessible as you think, especially when you do them often enough that they become automatic.
The Verge recently published some good and clear advice. The Electronic Frontier Foundation has a guide. And Gizmodo’s privacy how-to tells you all the things you can do and why you should do them. Nothing is foolproof in a world with few privacy protections and an economy based on furtive data collection, but these are measures you can take that should significantly reduce your data exposure.
What else can I do?
The best privacy protections are the ones our government has yet to give us: data privacy laws. The Roe reversal has made the consequences of not having them more clear than ever, and lawmakers have already introduced Senate and House bills specifically addressing health data in response to the decision. You can urge your representatives to support and push for those bills to be passed, as well as some of the broader consumer privacy bills that have been introduced (or are reportedly soon to be introduced). Those may limit the data companies can share or sell to other companies, and even the data they can collect in the first place.