If this were about some country in the Middle East, or South America, you’d probably tut at the lack of scruples and the religiously driven vendetta against women’s rights and medicine.
But no – it’s America 😈
5 May 2022 – As the line between our digital and physical selves fades, in the U.S. surveillance researchers and reproductive rights advocates and anti-abortionists increasingly see data as the next big front in the war on abortion. U.S. law enforcement has new tricks to land convictions for miscarriages or post-ban abortions; anti-abortion activists are making sophisticated updates to tried-and-true methods of stalking, harassment, and disinformation; and data brokers are having a field day.
Ars Techica, Gizmodo, Mother Jones, and Politico have all published pieces on the new abortion surveillance landscape. This morning I digested the lot and the following is a mash-up of the main points.
Late Monday, Politico published a 98-page bombshell from the heart of the Supreme Court detailing – in Justice Samuel Alito’s caustic, disdainful language – SCOTUS’ plans to overturn Roe v. Wade, the landmark decision that made abortion legal in the U.S. in 1973. I covered that earlier this week in this post.
The pending decision itself may be disturbing and surreal, but it’s not wholly unexpected. As I noted in my earlier post, over the past few months, states like Arizona, Mississippi, and Texas have drawn up an array of increasingly draconian abortion bans, all gleefully bolstered by the usual goon squad of Republican senators. Oklahoma passed a law just like Texas’ on Tuesday. Democrats have made the move from taking bland, non-committal stances on reproductive healthcare to anxiously tweeting about the topic. Meanwhile, those of you with uteruses – or even those of us who know someone with that piece of plumbing – are left grappling with facing the forfeiture of what once was a fundamental constitutional right.
The leaked brief is still a draft and could be watered down from its current, terrifying form, but even now, people are criminalized for attempting abortions in their own homes, put in prison for buying abortion pills online, and face crushing amounts of surveillance every moment in between. While I don’t know much about breaking these folks out of prison, I have been covering the nuts and bolts of data brokering for years and I have explained why any concept of data privacy is simply ludicrous. I’ve seen abortion seekers have their precise locations, home addresses, and Instagram accounts freely pawned off to third-party partners, and I’ve seen Capitol Hill figures waffle instead of regulate. But … heh, its tech. It ain’t nevah, evah gonna be controlled.
And let’s get something out of the way. I know that details about your reproductive health sounds like a tender, sensitive chunk of data that should be covered under a health privacy law like the U.S. Health Insurance Portability and Accountability Act (HIPAA). And it is, but only sometimes. As Charles Warzel summarised in his blog last night:
If you’re a person looking to get an abortion in the U.S. and you’re getting a consultation in a clinician’s office complete with pee cups, stethoscopes, and people in unflattering scrubs, then that clinician is legally bound by HIPAA to keep your abortion plans under wraps unless they’re offering a referral to another healthcare provider. The people who administer care to you are so-called “covered entities” under the law, along with health insurance companies, HMOs and the like. Social networks, apps, and search engines, on the other hand, are not bound by HIPAA. The law was written in the 90s, and nobody seems too bothered to update it.
Now that we know those pesky regulators aren’t involved, we can talk about the many, many (many) ways your data bleeds from your devices and into these the paws of data brokers. Last summer, the analytics firm eMarketer put out a good overview of all the ways this bleed can happen: you probably know how sites can drop a cookie on your browser, or how an app can have a sneaky piece of marketing tech chugging behind the scenes. But you also leak data when you pass by a digital billboard, when you walk through the doors of a grocery store, and when you’re waiting on hold for the umpteenth time because your goddamn pharmacy forgot to send your goddamn refills, again.
The modus operandi of major data brokers is collecting these data points – either directly from you, or from other, smaller brokers downstream – and then piecing them together to create an image of a consumer worth targeting ads at. It really is that inelegant; when you’re sucking up so many tiny data points from hundreds of thousands (if not millions) of folks on the regular, chances are it’s more efficient to collect these sorts of broad, anonymized data points than something like a person’s full name. In order to tie these fuzzier details to you, these brokers do need a bit of individualized data; something like a mobile-specific ad identifier that comes baked into your phone’s hardware, or an IP address that’s traced back to your laptop. Even if a broker doesn’t know that you, the person, are walking through that grocery store, they do know that your iPhone – with its own unique ID – tripped up the bluetooth beacon hiding by the door.
Every bluetooth ping your phone gives off as you bob around the store sends a signal back to brokers behind the scenes to remind them that you, dear reader, are bobbing (and shopping). And when your phone gives off a similar invisible ping that hits a screen in the waiting room of a abortion clinic, those brokers can surmise that you’re probably there to get an abortion.
The market for your data is wildly lucrative – $29 billion paid for user data last year alone – and wildly unregulated, which means brokers are unlikely to bother vacuuming up less of our data anytime soon – even when that data’s concerning something as sensitive as our health. So if you want to outsmart them, you need to start thinking like them. It’s not as hard as it sounds.
Here’s a cautionary tale: in 2015, a Massachusetts pro-life group tapped a local digital ad company, Copley Advertising, to set up digital boundaries (or “geofences”) around Planned Parenthood branches and other reproductive health clinics in nearby cities. When people walked into these buildings, phone in hand (or pocket), those geofences registered that device crossing the line via mobile data like GPS or those aforementioned bluetooth broadcast signals.
Once these women were inside the fence, Copley pummeled their devices with ads for “abortion alternatives,” like adoption. Roughly 800,000 women were targeted by the campaign, and these ads kept playing for weeks after they left the clinic. And because of the way mobile ads work, every ad that played sent back a pretty sizable amount of data about these women’s devices directly back to the agency, and the pro-life group that contracted it.
Two years later, Boston Attorney General Maura Healey would sue and quickly settle with the ad agency on the condition that the agency never geotarget clinics in the state with its creepy ads again.
NOTE: the practice remains legal for others, though, and those marketing pro-life “abortion alternatives” still make use of it.
The easiest way to avoid being one of those statistics is making your phone as unrecognizable as possible. A good first step is to reset your phone’s mobile ad ID: It’s quick and easy on both Apple and Android. That’s what most brokers use to identify your personal device. But honestly, that isn’t good enough.
Thanks to growing (albeit imperfect) privacy legislature in the States and moves from companies like Apple to tamp down tracking, adtech middlemen are getting wilier. Even if your phone has a shiny new identifier, brokers can still re-identify your device using details about your mobile browser, or other info baked into the hardware like your phone’s International Mobile Equipment Identity (IMEI) number. If brokers see two different mobile ad ID’s but the same IMEI all tied to one device, then it is not hard to discern it’s the same device. Sorry.
If you want to be airtight about your anonymity, your best bet is to never use any of your regular devices anywhere nearby or inside a Planned Parenthood, or any similar clinics. There’s no way to know how large a fence around a clinic might be, which means your best bet is to just turn off your phone whenever you’re remotely nearby. Within a city block or two is a good estimate.
If you do need a phone on hand, get yourself the cheapest burner device you can find with a unique phone number, and buy it with cash. Credit bureaus and card issuers are notorious for pawning off data about people’s purchases, and the last thing you want is this device getting tied back to your wallet.
Once you have your device, turn it on when you’re close to your clinic of choice, and turn it off as soon as you leave. If you use that burner to connect to your home’s Wi-Fi, some middleman can quickly recognize that the device is yours. Ditto if you log onto that phone using your regular email address or social media profile.
If you’re booking with a clinic over the phone – burner or otherwise – pay attention to any notices that the call “may be monitored for quality assurance,” or something similar. Plenty of medical practices (including abortion clinics) use call-tracking software that’s typically connected to more adtech middlemen. Most adtech companies require their healthcare clients to include a blurb like that at the start of the call. If you want to be safe, use your burner to put those calls through, too – and do it outside your house.
NOTE: when time permits I’ll write about medical practices and medical services and how they work hand-in-hand with adtech middlemen and data brokers. As I have said many, many times before – data privacy is a complete joke.
And remember: these same principles apply to any abortion protests you might attend, too. We’ve already seen adtech firms use this same geofencing tech to digitally encircle groups of protesters, harvest device info from the people inside, and then pass that data off to cops. The good news is that if your phone’s invisible in a clinic, it’s going to be invisible in a protest, too. As long as you’re not using that burner at home or browsing your Instagram feed in the waiting room, it’s a-ok to carry with.
BOTTOM LINE: how to get an abortion in the Age of Surveillance? With a burner phone and some awareness of geofencing, you can conceal yourself from for-profit data brokers and others who would spy on your health.
The Darth Sidious for this industry
The Darth Sidious of this industry is a company called SafeGraph, a location data broker, the weapon of choice for anti-choice radicals attempting to target out of state clinics’ providing medical care. Allegedly, after being called out this week by Vice and Mother Jones, it has stopped offering data related to Planned Parenthood and other similar family planning centers. Anybody could buy information on how many people were visiting the facilities, where they came from, and where they went afterwards, something that experts saw as highly concerning in the wake of the Supreme Court’s plan to repeal Roe v. Wade.
Few are convinced they’ll stop selling that data. It brings in a nice chunk of change.
But SafeGraph actually sells access to several different types of data. Those include information on where businesses or other points of interest are physically located in the world; aggregated transaction data on how much money people spend at them; and aggregated location data showing where groups of people who visited these points of interest came from on a census block level, and what other businesses they went to afterwards. That last set of data is based on location information harvested from ordinary apps installed on peoples’ smartphones.
The reason SafeGraph stands out in the location data industry is because it does make the data very easy for anyone to buy, with a self-serve shop that requires no verification on who the buyer is. This could benefit businesses who may only want to buy a small slice of data. But that raises that risk of those who want to abuse the data more readily getting their hands on it. The company mantra used to be that part of “democratizing access to data” means making it available in a self-serve way. But of course, just one big drawback – the ability to control who buys the data and for whatever nefarious reasons they choose.
AND BY FAR THE WORST USE OF THIS DATA: The Texas law that bans abortions after six weeks of pregnancy includes an unusual measure designed to ensure the law is enforced: Residents of the state can sue clinics, doctors, nurses and even people who drive a woman to get the procedure, for at least $10,000. Texas lawmakers have in effect deputized the state’s citizens as bounty hunters, offering them cash prizes for civilly prosecuting their neighbors’ medical procedures. And by accessing data on Oklahoma Planned Parenthood locations (most Texans who can go to Oklahoma for abortion advice) you’d be able to find Texas residents and their “enablers” seeking that advice and maybe get some reward money.
Oh, the cost? Just $165 gets you a week’s worth of data on where all the people who visited a defined Planned Parenthood location came from, and where they went afterwards.