If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.
For millions of Americans, finding abortion services in the US just became a legal minefield. With the Supreme Court’s ruling on Friday, suddenly “how to find an abortion” is a lot more complicated than a simple Google search.
Abortion is now illegal or restricted in nine states, with many more planning to outlaw procedures in the coming weeks. People seeking abortions in those states may now be at risk of investigation or prosecution, and many privacy advocates are warning that those people’s search history, medical records, or other data could be used against them in court. In some notable cases, they’ve seen it happen already.
The Verge talked to experts about where they see the greatest privacy vulnerabilities for people seeking abortions in a post-Roe United States — and how people can protect their information.
How law enforcement will know if you had an abortion
Let’s start with how a person might get flagged for investigation in the first place. If you are on social media at all, you might think period trackers play a major role in prosecutions (more on those later). But many cases start at the doctor’s office. According to the National Advocates for Pregnant Women (NAPW), which provides legal defense for pregnant people targeted by abortion restrictions, one of the most common ways for a prosecution to begin is with healthcare providers.
“At NAPW, we have had many, many cases where people are criminalized because healthcare providers have reported them to the police,“ says Dana Sussman, acting executive director at NAPW. “In many of our cases, the site of care is also the site of criminalization, even in the pre-Dobbs reality.”
A doctor normally isn’t able to disclose personal health information because of the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA. But under HIPAA, doctors and medical organizations are allowed to report personal health information if they think that a crime has been committed at the institution or tell law enforcement if they think there’s criminal activity happening at the site of a medical emergency. In states where abortion is a crime, a doctor could report that they think one was performed — and police could use that report as grounds to begin a more serious investigation.
“People who aren’t terribly familiar with medical records tend to think HIPAA is much more protective than it actually is,” says Carly Zubrzycki, a health law professor at the University of Connecticut School of Law.
HIPAA also doesn’t apply to all groups that might seem to be providing medical care. The risk is particularly acute at crisis pregnancy centers: sites operated by anti-abortion activists that work to guide women to abortion alternatives in the guise of providing healthcare. These sites can collect information on the pregnancies of anyone who walks through the door and tie it to contact information and other data. Because these centers offer counseling rather than medical care, they are generally not subject to restrictions on health data — and because they’re run with the explicit goal of discouraging women from getting abortions, they may be eager to collaborate with investigations when they suspect a person has sought care elsewhere.
“They are dating pregnancies, they are confirming pregnancies, and they are operating in states that are extremely hostile to abortion rights,” says Sussman. “They can create all sorts of problems for people who are pregnant and having an abortion.”
The Crisis Pregnancy Center Map, an academic project from the University of Georgia, identifies more than 2,500 such centers across the US, more than triple the number of abortion clinics. Groups like NAPW and Digital Defense Fund recommend that pregnant people avoid them completely.
In other cases, police follow up on tips made by angry partners or just casual acquaintances, emphasizing the importance of keeping the medical details as private as possible. The reproductive rights group If/When/How deals with many of these cases through its legal helpline, and senior counsel Farah Diaz-Tello says cases usually begin with a personal report.
“The precipitating factor is always someone else reporting them to law enforcement, who then have the power to seize people’s devices,” Diaz-Tello told The Verge. “Understanding how to reduce one’s digital footprint is important, but the first line of defense is not sharing information unless absolutely necessary.”
After the investigation starts, the risk to personal data increases
Once a person comes under investigation, the picture becomes much more complex. It’s impossible to erase every digital trace investigators might find — there are simply too many — but simple precautions can go a long way toward minimizing the risk of a person’s data being used against them.
For the purposes of this piece, we’ve avoided more complex tracking systems like IP-based identification or the tracking pixels used in ad networks; neither has a track record of being used in law enforcement investigations of this kind, and there are few accessible tools for avoiding them. Instead, we’ve focused on the most urgent risks and most effective defenses.
Still, for anyone protecting patients or defending clients, the sheer volume of data is hard to ignore. “I think law enforcement is more tech-savvy than they’ve ever been in history and have more resources than they’ve ever had,” Jerome Greco, a public defender in the digital forensics unit of the Legal Aid Society in New York City, told The Verge. Once police start looking for data to confirm an abortion took place, there are lots of places to find it.
How to protect your search history from an abortion investigation
Search history played a role in a particularly prominent recent case, in which Latice Fisher, a Mississippi woman, was charged with second-degree murder after a failed pregnancy. The investigation began with a 911 call from her husband, who believed his wife had given birth only for paramedics to find the fetus unresponsive. Prosecutors later claimed that Fisher confessed to a nurse at a local hospital that she wanted to terminate her pregnancy and had investigated the best methods for doing so.
Once the case began, prosecutors drew heavily on Fisher’s search history, which contained searches like “buy Misoprostol abortion pill online.” Notably, local reporting claims the police found record of these searches from Fisher’s own phone rather than through Google itself.
But Google does provide data in response to valid court orders, so once an investigation has been launched, a valid court order is enough to get a person’s entire search history. None of that is enough to prove guilt, but it’s a liability for anyone researching abortion services in places where abortion is now illegal. It’s also easy enough to avoid. Signing out of Google or using a privacy-minded search engine like DuckDuckGo will prevent searches from showing up in a search history.
There is a more aggressive version of this warrant, called a “reverse keyword search warrant,” which would proactively identify users searching for a specific query. It’s a broad and alarming power and has given rise to a concern about dragnet surveillance around terms related to abortion. But, in practice, these warrants have only been issued for queries tied to specific incidents, like the name of a trafficking victim or the address of a building targeted by arson. As a result, it’s unlikely that a general term like “how to hide a body” or “how to obtain misoprostol” would be sufficient grounds for such a warrant, and Google has contested those requests in other contexts.
Are period-tracking apps really a threat?
Apps that collect and store health information, like period trackers, are notoriously leaky, and many have poor privacy protections. Digital health products aren’t covered by HIPAA, so companies behind them have flexibility around what they do with user data. That’
(read more)
