A smartphone can hold a lot of personal data, and many people have one. These devices automatically register their owners’ daily activities via Internet searches, browsing and location data. Your phone knows more than you know about yourself. Evan Greer, director at the non-profit digital rights organization Fight for the Future, says that your phone could contain data that can reveal how often you use the toilet each day. These are intimate details that could be used to track your movements. “If, because of these draconian laws, basic activities like seeking or providing reproductive health care become criminalized in a manner that would allow law enforcement to get an actual warrant for your device, it could reveal incredibly sensitive information–not just about that person but about everyone that they communicate with.”
Even with Roe intact, this type of digital footprint has already been used to prosecute those seeking to terminate pregnancies. In 2017 a woman in Mississippi experienced an at-home pregnancy loss. A grand jury later indicted her for second-degree murder, based in part on her online search history–which recorded that she had looked up how to induce a miscarriage. (The woman was eventually acquitted.)
Such information can be obtained directly from a smartphone. However, a judge must issue a warrant before it can be legally extracted, and to get one, law enforcement officers must prove they have probable cause for believing that a search is warranted. While this requirement can deter unreasonable searches, it can also be avoided with relative ease. Privacy activists are concerned that law enforcement agencies could bypass the requirement for a warrant and obtain much of the same information from private businesses. “Data brokers are a treasure trove of personal information about Americans. They sell their digital dossiers to anyone who will pay them,” says Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory. “Data brokers have been used by law enforcement agencies to circumvent the Fourth Amendment’s warrant requirements. They just buy the information they’d otherwise need a warrant to get.”
Law enforcement can also access these data by presenting tech companies with a subpoena. This is easier to obtain than a warrant because it only requires “reasonable suspicion of the need to search,” Greer explained, not the higher bar of probable cause. Greer adds that law enforcement has made incredibly broad requests in the past. “For example, requesting that a search engine hand over the IP addresses of everyone who has searched for a specific term or requesting that a cell phone company hand over what’s considered ‘geofence data,’ [which reveal] all of the cell phones that were in a certain area at a certain time.”
An agency can get bulk data, whether through subpoena or purchase, to crack down on large numbers of people. Geofence and other location data can be used to identify who has visited an abortion clinic. Greer’s worry is not merely theoretical: Vice’s online tech news outlet Motherboard recently reported two cases of location data brokers selling or freely sharing information about people who had visited abortion clinics, including where they traveled before and after these visits. Although both companies claimed they had stopped selling or sharing this information in the wake of the news coverage, other data brokers are free to continue this type of tracking.
This information becomes even more sensitive when it is combined with personal health data. For that reason, some privacy advocates warn against period-tracking apps, which many people use to stay on top of their menstrual cycles and track their fertility. According to Daniel Grossman, an expert in obstetrics and gynecology at the University of California, San Francisco, “if software is tracking your period, and it’s regular, then it’s late, [the app] could definitely identify a pregnancy before anyone might be aware of.” In fact, government officials have already charted people’s periods to determine their pregnancy status. For example, in 2019 a Missouri state official said his office had created a spreadsheet to track the periods of patients who had visited the state’s lone Planned Parenthood facility. Although the government didn’t obtain the information via an app in this case, it does show the potential interest authorities may have in such data.
Experts say that although policies can vary depending on the app, companies producing menstrual-cycle programs are generally not required to keep this data private. Grossman states, “If it isn’t part of a healthcare system, which most of these [apps] don’t, I don’t believe there would necessarily be any [privacy] requirements.” Although these data concern personal health, they are not protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects health information from being shared without a patient’s consent. Pfefferkorn warns that HIPAA, the federal health privacy law, is not as powerful as many believe. “Your period-tracking application is not one of the entities HIPAA applies to. HIPAA also has exceptions that can be used to enforce the law and in judicial proceedings. So even if an entity (such as an abortion clinic) is covered by HIPAA, that law doesn’t provide absolute protection against having your reproductive health care records disclosed to the police.”
Ultimately, the vulnerability of users’ phone data depends on the choices made by the companies that develop the software and apps they use. For instance, when contacted with a request for comment, a representative of the period-t