This past Sunday, October 2 marked 100 days since the Supreme Court overturned Roe v. Wade, leaving the right to abortion federally unprotected. In that time, 13 states have criminalized abortion, while others have severely restricted its access. Retail chains have limited the purchase of Plan B pills due a surge in demand. And Meta made headlines for turning over private data to law enforcement officers investigating a 17-year-old girl in Nebraska for allegedly using abortion pills.
As people struggle to protect themselves in post-Roe America, it's become abundantly clear that data privacy is a major concern. Even before the overturn, movements (and tweets) called for the deletion of period tracking apps in fear that users' reproductive health data could be used against them. But seeing as to how detectives in the Nebraska case "noticed" the teen's uses of Facebook Messenger (and subsequently subpoenaed Meta for her private messages), are period tracking apps really what we should be afraid of?
To help break down what you actually need to know when it comes to data privacy and abortion, BuzzFeed spoke with Bethany Corbin, JD, LLM, CIPP/US, CHC, CHPC. If you're drowning in her alphabet soup of degrees, here's the bottom line: Bethany is a healthcare innovation and femtech lawyer, and she outlined six tips on how you can protect your data privacy post-Roe.
Now, if you're confused as to why data privacy, overall, poses a bigger risk than period tracking apps when it comes to the criminalization of abortions, look at it this way: Health data could show that you were, at one point, pregnant, and then you weren't. But that's circumstantial at best. Maybe you had a miscarriage. On the other hand, if you straight-up text your mom that you want to have an abortion and then order abortion pills — well, prosecutors have a much stronger case against you based on your private messages and internet search history.
Though some companies have announced that they will not turn over data for abortion-related cases, it's unlikely that they'll always know what the case involves unless it's explicitly stated in the subpoena. Case in point: After the charges in the Nebraska case came to light, Meta issued a statement revealing that "the warrants did not mention abortion at all."
Before we dive into how to protect yourself online, let's talk data practices 101, as in what most companies do with your data. Think of data as currency in surveillance capitalism. In order to use an app, you need to make an account, ultimately compensating with some of your data. "That's how they make their money," Bethany said. "They collect more data than needed to make the app function, bundle it together, and sell it to a data broker who could then sell that data to anyone — to you, me, law enforcement — who'd otherwise need a subpoena to get it from the company itself."
While selling user data as a major revenue stream is common, the overturn of Roe has sparked massive public scrutiny of data practices, especially in femtech. So here are six ways you can protect your data privacy as it relates to reproductive health in post-Roe America (and no, they don't necessitate deleting your period tracking app):
1. Read the disclosure section of privacy policies, as well as updates. Since period tracking apps collect health data, there's a misconception that HIPAA protects users. "The thing is, HIPAA doesn't apply to the data," Bethany revealed. "It applies to the entity type. You could give the exact same data to your healthcare provider and an app, and it's protected while in the provider's possession and not while in the app." So because femtech apps aren't created by covered entities, they're treated as tech solutions rather than healthcare. Many apps fall into a regulation gap as a result, subject only to state privacy laws and the FTC, which prohibits unfairness or deception toward consumers. Basically, companies can do whatever with your data so long as they're upfront about it.
2. Use encrypted messaging. Generally speaking, encryption encodes information to prevent anyone other than the sender and recipient from seeing it. So if a company received a subpoena for messages that were encrypted, it wouldn't actually have access to that data, let alone be able to provide it to law enforcement.
3. Understand that any "anonymized" data can be reidentified when using new, well-intentioned features. For example, Flo's Anonymous Mode "deidentifies data…by removing personal email, name and technical identifiers." However, anonymized data can often easily be linked back to you by matching it with another set of data (usually that's publicly available), thus revealing whom the data belongs to.
4. Keep in mind that data can be manually accessed. Let's be real — we live in a near-entirely digitized world, so you might be thinking that the best way to track your cycle is to use an app that locally stores your data (as in, on your phone vs. in the cloud) or to jot it down in your Notes app. Unfortunately, that's still not foolproof. Law enforcement can just as easily subpoena your device and access the data directly.
5. Look into where the company behind your app physically stores data, as the state's legal structure will impact how your data could be turned over to law enforcement. "I've seen some companies thinking through whether or not they should move things — like their hard drives, data storage facilities, etc. — out of states that are banning abortion," Bethany added, as law enforcement can more easily obtain data stored in states banning abortion than in states defending it.
6. Recognize that data security is not infallible. Or, as Bethany put it, "It's not a matter of if — it's a matter of when — that company is going to experience a data breach or a data leak." Just like you've received regretful emails from your email provider to change your password because they've been hacked, so, too, can your period tracking app or messaging app be hacked. Unfortunately, data leaked through hacks could be used to extort not only the company responsible for it but also the individual user, especially in states that ban abortion.
At the end of the day, Bethany's best advice — which she acknowledged "nobody really wants to hear" — is to not put anything online (or in an app) that you're not comfortable with being made public. As long as your data gives inference to the fact that you were pregnant and then not pregnant (and didn't give birth, of course), law enforcement could have reasonable suspicion to investigate. However, it's just as important that we don't rage against or abandon femtech either.
If you do choose to delete your period tracking app, confirm that deleting the app automatically deletes your data. Sometimes, companies will only delete your data upon request, if at all.