How tech companies and users can protect privacy | #itsecurity | #infosec


SENSITIVE MATERIAL. THIS IMAGE MAY OFFEND OR DISTURB Abortion rights protesters participate in nationwide demonstrations following the leaked Supreme Court opinion suggesting the possibility of overturning the Roe v. Wade abortion rights decision, in New York City, U.S., May 14, 2022.

Caitlin Ochs | Reuters

The Supreme Court’s decision on Friday to roll back the right to receive an abortion raises new questions about whether and how tech companies should protect the information of users seeking reproductive healthcare.

Tech companies may have to contend with issues about user privacy related to reproductive healthcare whether they want to or not. That could be the case if they are ordered by a court to hand over certain types of data, like location information of users at an abortion clinic, search histories or text messages.

Even before the decision became official, lawmakers called on Google and the Federal Trade Commission to ensure data for online consumers seeking such care would be protected in the event that the landmark Roe v. Wade decision was overturned. The letters came in the wake of Politico’s reporting on a leaked draft decision that would cut back the protections.

The official decision puts online platforms in a tricky spot. Though major tech companies have spoken out on political issues that align with their values, including advocating for certain types of privacy laws and for immigration reforms that would protect their workforce, wading into an issue as controversial as abortion rights can come with significant backlash from either side.

Advocates for people who have sought abortions or those prosecuted after experiencing a pregnancy loss say they have already contended with privacy concerns in states with restrictive abortion statutes.

“We’ve already seen, but we anticipate, that tech companies will be issued subpoenas for people’s search histories and search information,” said Dana Sussman, deputy executive director of the National Advocates for Pregnant Women, a nonprofit that provides legal defense for pregnant people.

“The problem is that, if you build it, they will come,” said Corynne McSherry, legal director at the nonprofit Electronic Frontier Foundation. “If you create huge databases of information, what you’re also creating is sort of a honeypot for law enforcement to come to you, you being a third party, and try to get that information if they think it’s useful for prosecutions.”

That’s why a group of Democrats led by Sen. Ron Wyden, D-Ore., and Rep. Anna Eshoo, D-Calif., wrote Google last month about concerns that its “current practice of collecting and retaining extensive records of cell phone location data will allow it to become a tool for far-right extremists looking to crack down on people seeking reproductive health care. That’s because Google stores historical location information about hundreds of millions of smartphone users, which it routinely shares with government agencies.”

Data privacy experts concerned about the court ruling’s implications say there are ways that both tech companies and their users can try to better protect their information in a post-Roe era.

The risk of digital technology in a post-Roe world

Sussman pointed to two cases that could foreshadow the ways prosecutors in a post-Roe era will seek to use digital communications as evidence in cases criminalizing abortion.

The first is that of Purvi Patel, who in 2015 was sentenced to 20 years in prison after being accused of feticide and neglect of a child after allegedly inducing her own abortion. Patel had told doctors at an Indiana emergency room that she’d had a miscarriage resulting in a stillbirth. The prosecution used texts between Patel and a friend, which included a discussion about ordering pharmacy pills meant to induce an abortion, as evidence against her.

In 2016, an appeals court reduced the severity of the charges, finding the law wasn’t meant to be used against women for their own abortions, and Patel was released from prison when her sentence was also diminished.

The second case is that of Latice Fisher, who in 2018 was indicted by a Mississippi grand jury on a charge of second-degree murder after she gave birth to what her lawyers said was a stillborn baby. Prosecutors used Fisher’s search history, which included searches for abortion pills and inducing a miscarriage, according to reports at the time, as evidence against her. The district attorney later dropped the charge.

Once the protections offered by Roe v. Wade and Casey v. Planned Parenthood, another case that generally upheld abortion rights, are undone, “we will see existing laws reinterpreted to expand to apply to conduct during pregnancy,” including for pregnancy loss and self-managed abortion, Sussman said.

Though many of those who champion anti-abortion laws say they should focus on providers of the procedures, Sussman predicts prosecutors will inevitably go after those seeking the services as well.

“I think that that’s just not realistic,” Sussman said of the idea that anti-abortion laws would not target pregnant people. “And I think it’s not accurate at all, both because we’ve already seen it and also because when you create laws that, that establish that a fetus is a person, you will criminalize a pregnant person. There’s just no question about it.”

How tech platforms could protect reproductive health data

For tech platforms, the EFF suggested in a recent blog post that minimizing data collection and storage could best reduce the risk of that data becoming the subject of an investigation. The group suggests companies cut down on behavioral tracking, pare down the types of data they collect to only what’s necessary and encrypt data by default so it’s not easily read by others.

EFF also urges companies to push back on what it says would be improper demands, like asking a search engine for information for a search term like “abortion” or geofence warrants that order data on every device in an area, such as an abortion clinic. If still required to comply with the demands, companies should at least inform users about them if they’re not prohibited from doing so, the group wrote.

“I think companies are being a little quiet, but I’m quite sure that they’re thinking about it,” McSherry said.

“The tech platforms have a major role to play here,” said Sussman, who said the companies should use their vast resources to challenge court orders for information related to abortion or pregnancy loss cases.

“The reality is, prosecutors’ offices have a certain amount of resources,” Sussman said. “And if they think that the best way to use their resources to improve the quality of life in their community is to fight to get the digital footprint of people who are pregnant, then they’re gonna have to expend those resources, and they don’t have limitless resources. So if tech companies can make it much, much, much more difficult for them to access this information, that will play a huge role in stymieing their ability to bring these prosecutions.”

A Meta spokesperson said the company already pushes back on overly-broad requests for information, pointing to the company’s policy on government requests that says it “may reject or require greater specificity on requests that appear overly broad or vague.” The policy also states that Meta will inform users and advertisers when they receive such requests, unless they’re barred from doing so.

While many tech companies may be inclined to be as politically neutral as possible, McSherry said, “companies should always be standing up for their users with privacy no matter what the issue is. And this is an opportunity for them to do that.”

McSherry anticipates that if tech companies don’t take steps to protect the information of users seeking abortions, their employees will likely push them to do more, just as they have on other issues.

How consumers can protect their own data

While companies minimizing their own data collection and retention is the most clear-cut way to reduce the risk of that data being exposed, experts focused on surveillance and digital rights say there are some ways consumers can reduce risk themselves.

McSherry said it’s important to remember that “privacy is a community activity.” That means consumers need to think about not only the privacy and security of their own devices and services, but also those of their friends, family and providers that they communicate with.

That’s because even under some existing state laws like that in Texas, prosecutors may seek warrants for information from third parties they believe may have somehow helped a pregnant person seek out an abortion.

“Yet again, the responsibility of protecting oneself from unjust criminalization is falling on the people themselves who have the least resources,” said Sussman. “I would also just caution folks to ensure that they are not sharing information with a lot of people, which is, again, also incredibly hard if you need the support of your family and friends and community. But that people be very intentional about who they share information with, because not only will one’s digital footprint be at issue, but the people who have information could also be involved here in one way or another.”

The EFF doesn’t endorse specific products, but McSherry suggested a few basic ways for users to increase their data privacy protection.

The first is to use a search engine or browser that minimizes data collection or retention by default, like DuckDuckGo, Firefox or Brave and to use a private browsing window that won’t save the search history.

Second, consumers should only communicate sensitive information over encrypted messaging services, like Signal.

EFF also suggests in a blog post about protecting sensitive information that users set up secondary email addresses and phone numbers for communications they don’t want to be too closely connected to. They point to Protonmail and Tutanota as two email service providers with robust privacy offerings, and Google Voice as an option for creating a secondary phone number.

The group also recommends browsing the internet while on a virtual private network, that can mask a computer’s IP address. It also suggests installing browser extensions that can enhance privacy, disabling advertising identifiers on mobile devices and only enabling location services when necessary. When visiting a sensitive place that might have increased surveillance, EFF adds, it may make sense to turn off devices altogether to minimize location tracking.

McSherry expects that renewed data privacy concerns arising out of the court decision could have a much greater effect on how consumers think about privacy protections more broadly.

“Up until now, I don’t think most people have thought a lot about the law enforcement aspects,” McSherry said. “I think most people think, ‘well, those warrants are probably only going to get used against bad guys’ … I don’t think that’s necessarily true. But it does mean that this situation where now you can see it affecting millions of people will, I think, lead to a reset in how people think about data privacy in general. And that I think, can only be a good thing.”

Subscribe to CNBC on YouTube.

WATCH: Protesters amass outside the Supreme Court after leaked doc suggests justices to overturn Roe v. Wade



Original Source link

Leave a Reply

Your email address will not be published.

− five = four