Under His Eye
Digital surveillance is tailor-made for a world of criminalized abortion
I've written quite a bit over the last few years about digital surveillance and the four-way dynamic between 1) companies that have your data, 2) law enforcement agencies, who want that data, 3) Congress, who continues to fail to protect your data with new laws, and 4) the courts, who struggle to apply analog doctrine in digital contexts.
Now that abortion is a criminal offense in 13 states at the time of this publishing, employment of digital surveillance to investigate and prosecute women, doctors, et al is a given. This article looks at the actors involved, the tools they have (and don’t have), and the shared accountability for what is shaping up to be a textbook case of how removal of a fundamental right produces harmful state action.
POLICE STATE
The reporting and literature on digital surveillance (including my own) have often focused on the inadequacy of the Fourth Amendment and the Stored Communications Act (1986) to protect users of modern technology from government intrusion via service of legal process (administrative subpoenas, court orders, and search warrants). The most insidious example of this is the geofence warrant, aka the reverse location search warrant, and its cousin, the reverse keyword search warrant. In both cases, law enforcement has the ability to lawfully access private sector location data about where you have been physically, and search-term data about where you've been on the web. These techniques emerged in circa 2017 to identify unknown subjects in serious, violent crimes like murder, rape, and armed robbery, but have since expanded to aid investigations of less serious offenses like property crimes and vandalism. In other words, as investigative techniques go, it's no longer some sort of secret weapon that's only used in the most serious cases ... it's increasingly a standard, go-to tactic for any and all crimes involving an unknown subject. It’s been normalized. Law enforcement uses this tool every day, companies with data expect to be served with these requests, and judges see more and more of this evidence in cases over which they preside. Data brokers are even in on the action, circumventing service of legal process by selling data to law enforcement, which is allowed under current law (more on this in a minute).
POST-ROE
The U.S. Supreme Court's overturning of Roe v. Wade (1973) and Planned Parenthood v. Casey (1992) has essentially unblocked government efforts in several states to criminalize abortion. If we've learned anything from considering the surveillance apparatus employed by modern law enforcement, there is little doubt the police will use the most modern methods available in pursuit of women seeking abortions, medical professionals providing services, and nearly anyone else aiding, abetting, and/or supporting a woman's ability to access relevant services or medications. This new reality should not be a surprise to anyone. In fact, since 1969 the U.S. Centers for Disease Control and Prevention (CDC) has conducted abortion surveillance “to document the number and characteristics of women obtaining legal induced abortions” using abortion data voluntarily provided by the central health agencies of every state in America. University of North Carolina professor Zeynep Tufekci has been writing about abortion surveillance for a decade, most recently in her New York Times column, which visits the fundamentals of privacy rights so eloquently described by Louis Brandeis in his seminal 1890 article in the Harvard Law Review. The intersection of digital data and abortion-related prosecutions is comprised of a large body of work, well-chronicled in a 2020 article published by civil rights attorney Cynthia Conti-Cook in the University of Baltimore Law Review titled “Surveilling the Digital Abortion Diary”, in which she connects multiple dots relating to reproductive justice, digital privacy, and government surveillance.
When the Court’s draft opinion in Dobbs v. Jackson Women’s Health Organization leaked in May, a number of other pieces emerged combining existing literature with new reporting, including this Vice piece describing how spending $160 with a data broker gets you “a week's worth of [location] data on where people who visited Planned Parenthood came from, and where they went afterwards.” So how advanced does modern data-sleuthing need to be in order to track and uniquely identify an investigation target with the specificity of ‘seeking an abortion’?
INFRASTRUCTURE ALREADY IN PLACE
Following the leak of the draft opinion in Dobbs there was a flurry of reporting and social media activity centering on women’s health apps for period tracking. These apps are both popular and helpful for millions of women, and it wasn’t long before the calls to delete these apps reached a fever pitch, alongside other ideas such as the entering of false data to indicate a period every day in an effort to corrupt the datasets that law enforcement would ostensibly use to infer a pattern indicative of illegal access to healthcare. Think of it as a post-Roe adversarial attack. Sadly, it wouldn’t matter. As NBC News reporter Kevin Collier writes, “Seeing more calls today to delete your period-tracking apps. But experts say that if you look at how states have already brought evidence in abortion-related cases, the *much* bigger concern is unsecured, unencrypted communications & stored search history.” Tufekci concurs, writing “It won't be enough in today's surveillance environment, especially with law-enforcement powers.”
The reality is that the fine-grained data these apps produce are not required for law enforcement to pursue women seeking abortions. Coarse-grained data is often good enough, as described in this 2020 piece by Fast Company reporter Lauren Rankin in which Mississippi prosecutors used search results for abortion pills on a suspect’s phone as proof of intent for an alleged self-induced abortion, a disturbing harbinger for a future in which desperation combines with lack of access to abortion clinics. Conti-Cook is quoted in the piece, saying “The most harmful type of digital evidence is online search browsing history … At least as it’s presented by the prosecution, it gives them evidence of intent, when otherwise they’re trying to piece it together through circumstantial evidence.”
Law enforcement has, not surprisingly, become increasingly reliant on digital evidence in criminal investigations. A 2019 survey of 2,700 global law enforcement officers reveals most frequently viewed data types in a typical investigation (artifacts below 50% omitted):
Images from Digital Evidence – 94%
Text Message – 93%
Social Media – 92%
Videos from Digital Evidence – 90%
Contacts – 90%
Location History from Digital Evidence – 86%
Interviews (Witness, Victim, Suspect) – 72%
Documents and Files – 80%
Email – 78%
CCTV Videos – 68%
Data from Internal Police Databases – 64%
Digital Data from Other Cases – 64%
Crime Scene Photos – 59%
Audio from Digital Evidence – 59%
Call Detail Records – 53%
It does not take a vivid imagination to map the data sources above onto the typical actions a woman would take to even consider obtaining an abortion, much less having the procedure. These data sources and investigative capabilities are greatly expanded when combined with deanonymization techniques that make it harder than ever not to leave digital traces about nearly everything we do.
ANONYMIZATION FALLACY
To put it simply, it’s easier than ever before to reidentify people through their anonymized data. Research and study in this domain has been under way for a long time, going back to the 1950’s, which saw “computational automation of simple anonymization methods such as rounding and aggregation,” and through the 1980’s when computer scientist Dorothy Denning stated in one of her papers on database security that “when working with data it can probably never be completely ensured that no sensitive information is revealed.”
Access to troves of data has advanced findings in this area, notably in 2015, when researchers studied three months of credit card records for 1.1 million people and that “four spatiotemporal points are enough to uniquely reidentify 90% of individuals … [and] that even data sets that provide coarse information … provide little anonymity and that women are more reidentifiable than men in credit card metadata.” In a 2018 piece describing the surveillance potential unleashed by location data, New York Times reporters analyzed the location paths of over one million unique devices during a three-day period, and found one that “tracks someone from a home outside Newark to a nearby Planned Parenthood, remaining there for more than an hour.” Researchers in 2022 further found that interaction data among people allows for reidentification even across long periods of time, writing “Fine-grained records of people’s interactions, both offline and online, are collected at large scale. These data contain sensitive information about whom we meet, talk to, and when. … [P]eople’s interaction behavior is stable over long periods of time and can be used to identify individuals in anonymous datasets.”
As Daniel Solove has said, too much of what we consider best practices for privacy protection involves both state and private-sector actors putting the onus on individuals when “many privacy problems are systematic.” We are left to fend for ourselves, and with the infrastructure in place, that’s becoming next to impossible.
MORE CALLS FOR NEW LAW
The private sector’s ability to collect massive amounts of data is not lost on government actors, nor is it a mystery to anti-abortion organizations. In 2016, investigative reporter Sharona Coutts describes how an advertiser’s efforts to more effectively target “abortion-minded women” with anti-choice ads won him the attention of anti-choice activists and conservative Christian organizations. As Coutts describes, “Before long, he’d been hired by RealOptions, a network of crisis pregnancy centers in Northern California, as well as by the evangelical adoption agency Bethany Christian Services … [and] he was invited to speak at the Family Research Council’s ProLifeCon Digital Action Summit”. There is no end to the web of interest-conflicting connections between businesses, nonprofit activist organizations, law enforcement agencies, and ordinary people just trying to exist in the world. Privacy legislation is the most tangible and impactful way to address this situation with any kind of expediency.
If you’re as disillusioned by the Court’s ruling as I am, there is plenty of blame to go around, be it the Court’s abandonment of precedent & its removal of an unalienable right, and/or certain states’ creepy fixation on draconian control of women and their healthcare decisions. But in a country where the rule of law still means something, lawmakers cannot get a free pass, either for their inaction to date, or their waste-of-time, content-free, platitudinous tweets in the wake of the ruling. Whether Congress has the ability or the will to codify Roe/Casey protections in federal law is a bigger and separate issue. Here we’re talking about privacy protections and the continued ability of government to surveil, track, and predict our every move using its access to private sector data. This expanding capability exists in a context of declining rights. This is not up for debate … Americans (women in particular but also medical professionals & others) have fewer rights than they had last week. Expanding surveillance in a world of contracting rights puts lawmakers under more pressure than ever before, but these problems can be compartmentalized and solved individually. Placing a statutory check on surveillance through modernized privacy protections obviously does not solve the abortion rights issue, but it creates a buffer between the abortion debate (which will continue in perpetuity) and the idea written about extensively by legal scholar Danielle Citron, including today: the urgent need to codify intimate privacy as a civil right protected by federal law.
/end