Tech companies are scrambling to adjust their data privacy practices in response to the Supreme Court’s decision to overturn Roe v. Wade and the subsequent criminalization of abortion in several states, as the general public realizes that the data collected by these services can be used to prosecute abortion seekers. Google, for example, recently announced that it will automatically delete location data if people visit medical facilities, including abortion clinics (it still collects that data, of course). And period-tracking app Flo is introducing an “anonymous mode” that should allow users to delete all identifiable information from their profiles.
If you’ve never cared enough about how and why you’re constantly being monitored online, you probably have a lot of questions about how this all works now—especially when it comes to reproductive health data and what can be used against you. Here, we’ve answered some of those questions, from how scared you should be of period apps to what you can do to keep your private life private… as much as possible, anyway.
Should I delete my period app?
This seems to be the biggest question people have about online privacy Roe a reversal. The short answer is: Yes. If you want to keep your reproductive health and menstrual cycle data private—especially if you’re worried about that data being part of a criminal investigation—don’t put it in the app.
The longer answer is that when it comes to online privacy and health privacy, deleting a period tracking app is like taking a spoonful of water from the ocean. The current concern about period apps is understandable, given the purpose they serve. But she is also short-sighted. There are countless and more efficient ways for interested parties to track your pregnancy status (parents-to-be buy a lot of stuff, so knowing when someone is pregnant can be lucrative to target with ads), and the police can do even more if they’re investigating you for having an abortion in country where it is illegal (more on that later). The data from the period tracker app will only tell them so much, and it will only tell them the information you gave them.
However, period or fertility tracking apps have a bad reputation when it comes to privacy, and deservedly so. Flo was once caught sending data to various third parties, including Facebook and Google, despite its privacy policy indicating that it would not. Sjaj was condemned for “serious privacy lapses and fundamental security failures”. Stardust shared user phone numbers with a third party, and its claims of “end-to-end encryption” have been retracted.
Since the draft opinion that indicates that Roe will be overturned, was leaked in May, and apps from the period have received more attention than perhaps ever before, many of them scrambling to reassure users that their data is safe or implementing additional protections. While some period trackers are better than others, the only way to make sure that no one can find out anything about you from a period app is to not use them at all.
Are there other ways to track your period that might be safer than a period app?
Yes. People have been menstruating for as long as humans have existed. Periodicals apps, smartphones, and even the Internet existed only a fraction of that time. If you track your cycle on, say, a paper calendar, that data won’t be sent to third parties or stored in a company’s cloud for law enforcement to access. There are also digital calendars, such as Google Calendar and Apple’s iCal. You might feel better about them because they’re not specifically for period tracking, and Google and Apple don’t send your data to third parties like some of those period apps do. But that doesn’t mean the data is completely protected, as I’ll explain later.
You can also use apps that don’t send your data to the cloud, as Consumer Reports suggests. That data can still be accessed if someone gains control of the device it’s on, but the same goes for paper calendars.
Ok, I deleted my period app. Now I’m all set when it comes to abortion data, right?
It’s understandable why people focus on period apps. They specifically deal with reproductive health, and deleting the app gives people what seems like a quick and easy fix and a sense of agency. But the truth is, period tracking apps are very low on the list of things you should worry about when it comes to online privacy and miscarriages. You can delete the app, but that won’t make the entire ecosystem that is based on knowing as much as possible about you disappear. If an abortion is illegal where you live, and the police are investigating you to get one, even the most privacy-focused company can be forced to give the police all the information they have about you. And you can be forced to give them all the data you have.
Let’s take a look at Google, because it probably has more data on you than anyone else. Depending on which of its services you use (or which services are used by the apps you use or the websites you visit), Google knows a lot about you, such as where you go, what you search for online, the websites you visit, the emails you send and receive, text messages you send and photos you take. Google doesn’t necessarily want to share this data with anyone else, because being the sole owner of it is one of Google’s competitive advantages. And they won’t hand it over to, say, an anti-abortion group that wants to use it as a weapon.
But Google has no choice if the police demand it and get a proper court order to do so. It’s in its privacy policy: “We will share personal information outside of Google if we believe access, use, preservation, or disclosure of the information is reasonably necessary to comply with any applicable law, regulation, legal process, or government enforcement request.”
Every other company will have a version of that clause. Even Apple, which has a better reputation for privacy than its Big Tech counterparts, will hand over data to the police if forced to do so. When he refused to help the FBI access iPhones owned by suspected terrorists, it was because Apple didn’t have a backdoor in its devices and wouldn’t build one. But any data that those people uploaded to iCloud, such as backups of those devices—that is, data that Apple itself owned—that did provide.
Google, for what it’s worth, answered the Roe news announcing that it would automatically delete location data around certain places, such as abortion or fertility clinics. That should mean the police can’t get it because there’s nothing to get. But there is still a lot of potentially incriminating evidence left that I can find.
What are the chances that the police will actually do any of this?
We don’t know if or how law enforcement will go after abortion seekers, but we do know how they came and used the data to go after others. These include the case of a woman who was suspected of killing her baby shortly after its birth, and another woman who was accused of intentionally causing a miscarriage. In those cases, texts, web searches and e-mails downloaded from the phones of the women themselves were used as evidence against them. There’s nothing to suggest that police won’t do the same when investigating people suspected of having a now-illegal abortion.
What about the data that non-governmental organizations can access?
When is Roe The reversal decision first leaked, there were several stories showing how much of your data is in the hands of random data brokers and how easy it is for that data to get into the hands of anyone else. That data is “de-identified,” but depending on what data is collected and shared, it may be possible to re-identify someone from it. For example, last year a priest was kicked out according to Grindr data. (One important caveat: Although the publication that published it said the data it used was “commercially available,” it never said it obtained the data by purchase.)
The chances of a private party buying the data and being able to find out that you had an abortion and who you are are frankly pretty slim. People who have access to much more specific and sensitive information – the police – you have to worry about whether abortion is illegal where you live. But nothing is impossible, especially when so much of our data is being sent to so many places.
Isn’t my medical information protected by HIPAA?
Probably not as much as you think. First of all, not every medical or healthcare service is covered by HIPAA. Those anti-abortion pregnancy centers collect a wealth of sensitive data specific to reproductive health and may not be subject to HIPAA privacy rules, even if they perform medical procedures — and even if they reference HIPAA in their privacy policies.
But let’s say you see a provider who is a covered person. Then, yes, your health information is protected. Unless you are breaking the law, in which case the police can get hold of those records or certain details in them. The Department of Health and Human Services, which enforces HIPAA, recently issued new guidance on reproductive health care disclosures in response to Roe cancellation, stressing that such disclosures can only be made under very select circumstances.
How can I protect my data? What about privacy apps like Signal?
Again, what law enforcement or data brokers can get from you depends on what you give them. Google can only give the police what it has. Services like Signal and Proton that use end-to-end encryption and don’t store your data have nothing to give the police no matter how many accounts they have. But if you have that data on your device and the police get access to it, all the end-to-end encryption in the world won’t save you. That’s why Signal, for example, offers a feature called disappearing messages, which will permanently delete messages in a chat after a certain amount of time from every device in the chat.
There are also things you can do to prevent your data from being collected, but it may involve more steps and technical knowledge than you are willing or know how to undertake. This is especially true if you’re only trying to figure it out when the need for privacy suddenly arises and you have other things to worry about — like dealing with an unwanted pregnancy.
Which means it’s best to read and familiarize yourself with these measures now, when you’ve had the time and emotional bandwidth to figure out what you can and want to do and practice incorporating them into your daily life. Some of them may not be as difficult or inaccessible as you think, especially when you do them often enough that they become automatic.
The Verge recently published some good and clear advice. The Electronic Frontier Foundation has a guide. And Gizmodo’s privacy guide tells you all the things you can do and why you should. Nothing is safe in a world with few privacy protections and an economy based on hidden data collection, but these are measures you can take that should significantly reduce your data exposure.
What else can I do?
The best privacy protections are the ones our government has yet to give us: data privacy laws. The Roe the reversal has made the ramifications less clear than ever, and lawmakers have already introduced bills in the Senate and House that specifically address health data in response to the decision. You can encourage your representatives to support and advocate for the passage of these laws, as well as some of the wider consumers privacy policy which have been introduced (or are expected to be introduced soon). This can limit the data companies can share or sell to other companies, and even the data they can collect in the first place.
