Late Monday, Politico published a 98-page bombshell from the heart of the Supreme Court detailingâin Justice Samuel Alitoâs caustic, disdainful languageâSCOTUSâ plans to overturn Roe v. Wade, the landmark decision that made abortion legal in the U.S. in 1973.
The pending decision itself may be disturbing and surreal, but itâs not wholly unexpected; over the past few months, states like Arizona, Mississippi, and Texas have drawn up an array of increasingly draconian abortion bans, all gleefully bolstered by the usual goon squad of Republican senators. Oklahoma passed a law just like Texasâ on Tuesday. Democrats have made the move from taking bland, non-committal stances on reproductive healthcare to anxiously tweeting about the topic. Meanwhile, those of us with uterusesâor even those of us who know someone with that piece of plumbingâare left grappling with facing the forfeiture of what once was a fundamental constitutional right.
The leaked brief is still a draft and could be watered down from its current, terrifying form, but even now, people are criminalized for attempting abortions in their own homes, put in prison for buying abortion pills online, and face crushing amounts of surveillance every moment in between. While I donât know much about breaking these folks out of prison, I have been covering the nuts and bolts of data brokering for years. Iâve seen abortion seekers have their precise locations, home addresses, and Instagram accounts freely pawned off to third-party partners, and Iâve seen Capitol Hill figures waffle instead of regulate. So Iâm going to tell you how to fight back for yourself instead.
Two years ago, I wrote a lengthy guide to protecting your data from third-party brokers and the police when going to a protest, and what follows is the spiritual successor to that. Itâs aimed at people that want to get an abortion without the associated data slipping into the wrong hands.
Letâs get something out of the way: I know that details about your reproductive health sounds like a tender, sensitive chunk of data that should be covered under a health privacy law like the Health Insurance Portability and Accountability Act (HIPAA). And it is! But only sometimes.
If youâre a person looking to get an abortion in this country and youâre getting a consultation in a clinicianâs office complete with pee cups, stethoscopes, and people in unflattering scrubs, then that clinician is legally bound by HIPAA to keep your abortion plans under wraps unless theyâre offering a referral to another healthcare provider. The people who administer care to you are so-called âcovered entitiesâ under the law, along with health insurance companies, HMOs and the like. Social networks, apps, and search engines, on the other hand, are not bound by HIPAA. The law was written in the 90s, and nobody seems too bothered to update it.
Now that we know those pesky regulators arenât involved, we can talk about the many, many (many) ways your data bleeds from your devices and into these the paws of data brokers. Last summer, the analytics firm eMarketer put out a good overview of all the ways this bleed can happen: you probably know how sites can drop a cookie on your browser, or how an app can have a sneaky piece of marketing tech chugging behind the scenes. But you also leak data when you pass by a digital billboard, when you walk through the doors of a grocery store, and when youâre waiting on hold for the umpteenth time because your goddamn pharmacy forgot to send your goddamn refills, again.
The modus operandi of major data brokers is collecting these data pointsâeither directly from you, or from other, smaller brokers downstreamâand then piecing them together to create an image of a consumer worth targeting ads at. It really is that inelegant; when youâre sucking up so many tiny data points from hundreds of thousands (if not millions) of folks on the regular, chances are itâs more efficient to collect these sorts of broad, anonymized data points than something like a personâs full name. In order to tie these fuzzier details to you, these brokers do need a bit of individualized data; something like a mobile-specific ad identifier that comes baked into your phoneâs hardware, or an IP address thatâs traced back to your laptop. Even if a broker doesnât know that you, the person, are walking through that grocery store, they do know that your iPhoneâwith its own unique IDâtripped up the bluetooth beacon hiding by the door.
Every bluetooth ping your phone gives off as you bob around the store sends a signal back to brokers behind the scenes to remind them that you, dear reader, are bobbing (and shopping). And when your phone gives off a similar invisible ping that hits a screen in the waiting room of a abortion clinic, those brokers can surmise that youâre probably there to get an abortion.
The market for your data is wildly lucrativeâ$29 billion paid for user data last year aloneâand wildly unregulated, which means brokers are unlikely to bother vacuuming up less of our data anytime soonâeven when that dataâs concerning something as sensitive as our health. So if you want to outsmart them, you need to start thinking like them. Itâs not as hard as it sounds.
Hereâs a cautionary tale: in 2015, a Massachusetts pro-life group tapped a local digital ad company, Copley Advertising, to set up digital boundaries (or âgeofencesâ) around Planned Parenthood branches and other reproductive health clinics in nearby cities. When people walked into these buildings, phone in hand (or pocket), those geofences registered that device crossing the line via mobile data like GPS or those aforementioned bluetooth broadcast signals.
Once these women were inside the fence, Copley pummeled their devices with ads for âabortion alternatives,â like adoption. Roughly 800,000 women were targeted by the campaign, and these ads kept playing for weeks after they left the clinic. And because of the way mobile ads work, every ad that played sent back a pretty sizable amount of data about these womenâs devices directly back to the agency, and the pro-life group that contracted it.
Two years later, Boston Attorney General Maura Healey would sue and quickly settle with the ad agency on the condition that the agency never geotarget clinics in the state with its creepy ads again. The practice remains legal for others, though, and those marketing pro-life âabortion alternativesâ still make use of it.
The easiest way to avoid being one of those statistics is making your phone as unrecognizable as possible. A good first step is to reset your phoneâs mobile ad ID: Itâs quick and easy on both Apple and Android. Thatâs what most brokers use to identify your personal device. But honestly, that isnât good enough.
Thanks to growing (albeit imperfect) privacy legislature in the States and moves from companies like Apple to tamp down tracking, adtech middlemen are getting wilier. Even if your phone has a shiny new identifier, brokers can still re-identify your device using details about your mobile browser, or other info baked into the hardware like your phoneâs International Mobile Equipment Identity (IMEI) number. If brokers see two different mobile ad IDâs but the same IMEI all tied to one device, then it is not hard to discern itâs the same device. Sorry.
If you want to be airtight about you anonymity, your best bet is to never use any of your regular devices anywhere nearby or inside a Planned Parenthood, or any similar clinics. Thereâs no way to know how large a fence around a clinic might be, which means your best bet is to just turn off your phone whenever youâre remotely nearby. Within a city block or two is a good estimate.
If you do need a phone on hand, get yourself the cheapest burner device you can find with a unique phone number, and buy it with cash. Credit bureaus and card issuers are notorious for pawning off data about peopleâs purchases, and the last thing you want is this device getting tied back to your wallet.
Once you have your device, turn it on when youâre close to your clinic of choice, and turn it off as soon as you leave. If you use that burner to connect to your homeâs Wi-Fi, some middleman can quickly recognize that the device is yours. Ditto if you log onto that phone using your regular email address or social media profile.
If youâre booking with a clinic over the phoneâburner or otherwiseâpay attention to any notices that the call âmay be monitored for quality assurance,â or something similar. Plenty of medical practices (including abortion clinics) use call-tracking software thatâs typically connected to more adtech middlemen. Most adtech companies require their healthcare clients to include a blurb like that at the start of the call. If you want to be safe, use your burner to put those calls through, tooâand do it outside your house.
These same principles apply to any abortions protests you might attend, too. Weâve already seen adtech firms use this same geofencing tech to digitally encircle groups of protesters, harvest device info from the people inside, and then pass that data off to cops. The good news is that if your phoneâs invisible in a clinic, itâs going to be invisible in a protest, too. As long as youâre not using that burner at home or browsing your Instagram feed in the waiting room, itâs a-ok to carry with.
If you want to read more, the Electronic Frontier Foundationâs Surveillance Self Defense guide has a ton of handy tips specifically geared towards protestors. The big one, besides using a burner and the encrypted messaging app of your choice (weâre a big fan of Signal here at Gizmodo), is to look as nondescript as possible.