AUSTIN–A panel about reproductive rights in one of the states most hostile to them offered this concise counsel to technology companies: If you don’t like having to hand over your customers’ sensitive data to prosecutors, don’t collect it in the first place.
“It’s a new landscape and we need to think about new interventions to address it,” said Alexandra Reeve Givens, president and CEO of the Center for Democracy and Technology(Opens in a new window).
“It’s been so intense since the Dobbs decision,” said her fellow panelist Cecile Richards, co-chair of the American Bridge(Opens in a new window) political action committee and former president of Planned Parenthood(Opens in a new window), referring to the Supreme Court ruling that overturned 49 years of precedent and a federal right to abortion. “There are definitely people who are afraid of even searching for information.”
And in this context, the data sitting in the servers of tech companies can easily be weaponized by state and local law enforcement with court orders for such information as search histories and stored messages. As panel moderator Nabiha Syed, CEO of the privacy-news site The Markup(Opens in a new window), put it: “Data is not the new oil. It’s uranium.”
Givens told companies to mine less of it.
“When they get lawful process from a prosecutor, it can be very hard to ignore those requests,” she said. “They need to hold back on the amount of information they’re gathering.”
Richards echoed that thought, telling companies to ask themselves: “What is the least amount of information that you need to be able to provide the product or care that someone needs?”
Google took a small step in that direction in July, when it announced(Opens in a new window) that it would automatically delete the names of abortion clinics and a variety of other medical facilities from users’ location histories. Givens also advised tech firms to remember that responding to those requests doesn’t mean fully complying with them, especially if a request is not an actual court order.
“If an investigator sends you an email asking for information, don’t comply with that,” she said. “They are justified to push back.”
And if a warrant is overly broad–for example, a geofenced warrant requesting location data for every phone inside a defined area–a platform should ask that it be narrowed.
Syed then recounted how a Markup investigation found that online patient-intake forms of 33 of 100 top-ranked hospitals included Facebook tracking features(Opens in a new window), which has since sparked a class-action lawsuit against Facebook’s parent firm Meta. “When we called it out, the hospitals, the health-care providers changed their practices right away,” she said.
If the prospect of public shame over sloppy data stewardship isn’t enough, changes in laws may require companies to act. Givens put in a plug for the American Data Privacy and Protection Act(Opens in a new window), a comprehensive privacy bill introduced last summer that her Washington think tank remains optimistic about passing this year.
“It’s not just focused on reproductive care,” she said. “It’s a bipartisan bill that focuses on all the ways people’s basic information is protected.”
The ADPPA would mandate data-minimization principles and curb the activities of data brokers that traffic in data that many people may not even know is being harvested from apps on their phones.
Recommended by Our Editors
At the state level, however, there isn’t as much room for optimism. Said Richards: “Some states—Texas—have a completely different point of view about protecting people’s rights.”
Richards and Givens cited a Texas bill, H.B. 2690(Opens in a new window), that would ban posting “information on how to obtain an abortion-inducing drug” and even compel internet providers to block access to sites offering that information, naming six in particular (aidaccess.org(Opens in a new window), heyjane.co(Opens in a new window), plancpills.org(Opens in a new window), mychoix.co(Opens in a new window), justthepill.com(Opens in a new window), and carafem.org(Opens in a new window)).
“It raises very deep First Amendment issues,” Givens said in a bit of understatement about such a Constitutionally illiterate measure.
Even if Washington does not act on privacy, Givens suggested that market forces will compel companies to “step up and be more thoughtful” in their data collection. She cited the reputational risk that comes with falling short, saying “You’re seeing investors start to ask that question in the startup scene.”
Syed urged attendees to spend their money and time on privacy-preserving apps and services and recommended the search site DuckDuckGo, which doesn’t keep search histories at all. “Vote with your feet,” she said.
But she also drew on the Markup’s own experience creating a tracking-free site to warn companies that the road to data minimization can be rough. “It does require elbow grease,” she said. “It’s also really annoying.”
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.