SXSW 2023: Data privacy, healthcare websites new battlegrounds over reproductive rights

AUSTIN, Texas—Data privacy and access to online information about abortion care have become the next big battlegrounds in the fight over reproductive health in a post-Dobbs world.

The overturning of Roe v. Wade last summer dramatically changed the landscape for people seeking reproductive care. Since the Dobbs decision, concerns about data privacy have grown. Research has shown that mainstream period tracking apps have faulty or weak security

A person’s browser history, search history, location and private messages can be used by law enforcement or private citizens to pursue people who are suspected of having or aiding an abortion.

There are cases in which American prosecutors have used text messages and online research as evidence against women facing criminal charges related to the end of their pregnancies. In Nebraska, a woman was charged with helping her teenage daughter end her pregnancy at about 24 weeks after investigators uncovered Facebook messages in which the two discussed using medication to induce an abortion, NPR reported.

"There's a reason why we're having a panel on this at South by Southwest this year, which is we live in a world today where we look at the type of evidence that can be used in prosecutions or that women have to worry about when you're thinking about accessing reproductive care. There's a big angle based on the sheer amount of information that we share with our phones and other technology in the course of our daily lives," said Alexandra Reeve Givens, president and CEO of the Center for Democracy and Technology, while speaking on a panel at the SXSW 2023 conference this weekend.

"We're moving into a universe where data is not the new oil, it's uranium. It's something that's actually quite dangerous if it's mishandled or if it's not stored correctly." – Nabiha Syed, CEO of The Markup

Online search history, browsing history, private messages with friends or with a loved one and location information are now "up for grabs" she noted. "That sounds like a little bit of melodrama, but we've actually already seen prosecutions where this type of evidence is being used. It's a new landscape and we need to think about new interventions to address it," Givens said.

A joint investigation conducted by nonprofit news publication The Markup and Reveal from The Center for Investigative Reporting found that hundreds of crisis pregnancy centers were using Facebook's Meta Pixel on their websites. The Meta Pixel allows companies to keep tabs on who visits their websites so they can create targeted ads on Facebook. Crisis pregnancy centers typically aren't licensed medical establishments and are not bound by HIPAA[ [the Health Insurance Portability and Accountability Act] and other privacy regulations, according to the report. Instead, they are "mostly run by religiously aligned organizations whose mission is to persuade people to choose an option other than abortion." 

"I think we're in the middle of a paradigm shift that we're really seeing here. There was a universe where data is the new oil; it was to [companies'] benefit to collect all of the data they possibly could to help serve their audience and that would help us to get a lot of care and that helps you to understand the business analytics. And now we're moving into a universe where data is not the new oil, it's uranium. It's something that's actually quite dangerous if it's mishandled or if it's not stored correctly," said Nabiha Syed, The Markup's chief executive officer, also speaking on the panel.

"We have these data brokers who exist in the landscape who are hungry, hungry, hippo-ing up data from everywhere they can, selling it and making it available to law enforcement," she said.

Privacy advocates have been sounding the alarm about the potential for prosecutors to use commercially collected data in abortion-related cases. In response, legislators in California recently passed A.B. 1242, a law that gives California-based tech and communications companies a way to resist requests for data on digital activities from being used in abortion prosecutions in other states. 

It marks the first law in the nation to explicitly block out-of-state investigators from using digital information to query abortion-related actions that are legal in-state, according to the Brookings Institution.

At a federal level, the American Data Privacy Protection Act had bipartisan support and is the closest the U.S. has come to passing a comprehensive consumer data privacy law. Privacy advocates say it marks a major step forward by Congress in its two-decade effort to develop a national data security and digital privacy framework that would establish new protections for all Americans.

Digital health apps and technology companies also have a large role to play in protecting consumers' sensitive health data, privacy advocates say.

Companies need to look at collecting and storing less data by practicing data minimalization, Givens said. That means, collecting only the data that are needed, using collected data only for authorized uses and retaining as little of those data as possible.

"The reason why we need to think about [data] reduction is when they get a lawful process from a prosecutor it can be very hard for them to ignore those requests," Givens said. "Companies need to be examining their processes, really taking stock of how they're contributing to this loose way in which people's data is used today and how it can be used for prosecutions."

She added, "We just really need to be more careful, more thoughtful and more responsible about sensitive personal information whether it's about reproductive care or mental health care or many other issues and how that is collected, used and shared."

The Centers for Democracy and Technology is working to provide resources to smaller health tech and digital health companies to educate them about law enforcement access to data and the need to change data practices

"There's a huge education deficit out there and we need to be educating businesses that they are justified to push back. Law enforcement aren't always that specific in explaining the basis for the request they are making. Do people even know if there's an ethical reason they should push back? One of the things that we spend time on is educating small businesses in particular on the need to insist on valid legal process," Givens said. "If an investigator sends you an email asking for a customer's information, you don't comply with that, right? We're talking about the need for court-ordered warrants. This is where we need to make sure that the Fourth Amendment and people's constitutional rights are actually respected."

Companies also should consider providing end-to-end encryption by default on messaging apps and email.

A new period tracker app called Embody that touts itself as privacy-forward plans to launch this summer. Led by a team of women, Embody leverages cryptography to guarantee local storage of data and end-to-end encryption

"This moment is putting a sharp focus on the need to better protect consumers’ data. [Startups] need to have a serious conversation within your teams, and it can be about the technical team or product design teams, thinking about what the monetization model is but also looking at what data is collected and why are you collecting it? How are you using it and who are you sharing it?" Givens said.

The Brookings Institution also urges the technology industry to accelerate ongoing efforts to develop consumer-friendly trustmarks related to the privacy and security of internet-connected devices and services. Trustmarks are badges, logos, seals or labels offered by a third-party authority.

Another Markup investigation found that many hospital websites have a tracking tool that sends sensitive medical information to Facebook when people schedule appointments.

Healthcare organizations need a stronger understanding about the use of tracking pixels and how they can be placed on an intake form or websites that then share information with third parties, privacy advocates say.

"You're seeing an increasing number of shareholder resolutions trying to push companies to talk about not only what they're doing with regard to data privacy in general, but this specific reputational risk that is created when you might be in the position as a company of handing over some of your customers' most private reproductive health information for use in a prosecution against someone. How will companies address that threat and what are they going to do? We're seeing shareholders mobilize around that and we're seeing investors starting to ask that question in the startup scene in a way that I think is really valuable," Givens said.

The Federal Trade Commission (FTC) also is stepping up enforcement action against digital health companies for alleged data misuse. In February, the agency took enforcement action against online pharmacy GoodRx for failing to notify customers and regulators of unauthorized disclosures of consumers’ personal health information. The action is the first of its kind under the FTC’s Health Breach Notification Rule. 

The FTC also recently reached a $7.8 million settlement with online therapy company BetterHelp, which is owned by Teladoc, over allegations that it shared consumers’ health data with companies like Facebook and Snapchat for advertising purposes.

Beyond consumers' health data, some red states also are trying to block access to online information about abortion care.

A new bill in Texas would require internet service providers inside the state to block sites that provide abortion information as well making it illegal to host or even provide domain registration for sites that help people in Texas obtain or pay for abortions.

"When you look at the language surrounding the legislation, they're targeting not only abortion providers directly but also the advice websites that help guide you to access different resources and the abortion fund-type websites as well," Givens said. "It raises very deep First Amendment issues in terms of access to information. It also raises really interesting questions under Section 230. What it is to host information from third parties on the site and whether or not that gives rise to liability."

She added, "This level of going after protected speech where people are just trying to get an understanding their health options is just another game where the fight is playing out."

As some states continue to fight for reproductive rights, there are legislative efforts to protect medical providers as well.

Last summer, following the Supreme Court's ruling overturning Roe v. Wade, California Gov. Gavin Newsom signed into law a bill to protect abortion providers and patients from bans, lawsuits and penalties in other states.

"The notion behind this is to protect healthcare providers so that they know that they can treat people when they come into their facility without the risk of having police investigations take place," Givens said.

Medical providers' fear of being prosecuted or losing their license for providing abortion care will only exacerbate challenges for women to get access to reproductive health services, said Cecile Richards, former president of Planned Parenthood

"We used to talk about how there are going to be abortion deserts in this country. There are going to be Ob/Gyn deserts in this country," Richards said while speaking on the panel. "I've been in Louisiana now and women are having a hard time even getting miscarriage support from hospitals. They will have a hard time getting even prenatal care because of the fear that the medical profession has over merely being involved with anyone who's pregnant, to be honest."