Even before the widely discussed overturning of the Roe v. Wade ruling, there had been cases of using technology to curtail reproductive rights in the US. For instance, in 2017, in the US State of Mississippi, a browser’s search history was used as evidence to file a criminal complaint against Latice Fisher, who was charged with murdering a foetus of more than 35 weeks. Although there was no evidence that she had ingested an abortion pill, the police detected the entry “buy the abortion pill Misopristol Online” in her iPhone search history.
The Roe v. Wade precedent, which guaranteed women’s right to abortion in the US, was overturned by the US Supreme Court on 24 June 2022. According to Justice Samuel Alito’s vote, which informed the majority opinion, “[t]he Constitution makes no reference to abortion, and no such right is implicitly protected by any constitutional provision, including the one on which the defenders of Roe and Casey now chiefly rely—the Due Process Clause of the Fourteenth Amendment”. Next, he pointed out that “[t]he Constitution does not prohibit the citizens of each State from regulating or prohibiting abortion. Roe and Casey arrogated that authority. The Court overrules those decisions and returns that authority to the people and their elected representative”. Consequently, US states now enjoy legislative autonomy to authorise, prohibit or criminalise abortion. Some states, such as Texas, have already decided to criminalise abortion, except in cases that endanger the pregnant woman’s life.
Previously, based on the Roe v. Wade case law, it was recognised that a pregnant woman’s right to privacy, implicit in the Fourth Amendment, supports the right to abortion. More specifically, the right to abortion was connected to the concept of privacy that encompassed the right to be let alone, previously advocated by Samuel Warren and Louis Brandeis. Similarly, the 1948 Universal Declaration of Human Rights and the 1966 International Covenant on Civil and Political Rights recognise the internal negative obligation that is inherent in the right to privacy and which was used to justify the state’s obligation to allow abortion.
This was the first time, since the release of the Roe v. Wade judgment, that the US Supreme Court was called to reconsider its stand towards abortion, in an era of fast-paced technological innovation. And it did so by radically challenging the right to abortion in a context of increasing collection, processing, and use of personal data by both private and public entities – a fact that may affect women’s privacy and reproductive rights.
Today, at least 55 million people use such apps (e.g., Clue, Flo, Stardust, Period Calendar and Period Tracker) to monitor menstrual cycles and to predict period and fertility time frames. It is also common to record other information, such as sexual activity, and to provide health related data. In addition, these apps collect metadata, such as device data and the user’s IP address, and often track the user’s precise location without their explicit permission.
In the US, there are no centralised general laws for the protection of personal data (as is the case in the EU, with the General Data Protection Regulation). Instead, there are only specific laws that deal with the use of certain types of data or regulate the use thereof in certain areas, such as health, finance, and telecommunications, both at the federal and state level.
From 2018 to 2020, geographic search warrants, which request internet application providers to provide users’ location data, increased from 982 to 11,554. Similarly, criminal justice authorities can compel internet application providers, including apps, to share their users’ data for criminal investigation purposes. The Fourth Amendment to the US Constitution requires a warrant to collect personal data directly from individuals. Also, in the case of menstrual cycle tracking apps, the Carpenter v. United States case extended this interpretation to limit the third-party doctrine and protect users “against law enforcement surreptitiously using GPS tracking to conduct extended and comprehensive surveillance of a person’s movements”.
As to the restriction of reproductive rights in this context, it is worthy to mention that in Texas Senate Bill 8 took effect on 1 September 2021, prohibiting abortion after six weeks of gestation, even in cases involving rape and incest. In addition, as of 25 August 2022, House Bill 1280, also called the “Trigger Ban”, imposes penalties on those who assist in performing illegal abortions at any stage of pregnancy, whether medical personnel or a third party.
Furthermore, the Medical Privacy Act (2001) regulates issues related to access to medical data, internalising the Health Insurance Portability and Accountability Act (HIPAA) requirements. The HIPAA requires notification of the patient whenever there is a breach or sharing of information related to their health. However, the HIPAA does not protect personal data related to the menstrual cycle, because it is not owned by a medical provider, or similar covered entity. In this context, considering that private companies may have different privacy policies as to how they use and store data, and that many of these are not transparent, there is a risk of data sharing, identified or not, with public authorities for, inter alia, criminal investigation purposes.
After the Roe v. Wade ruling was overturned, several menstrual tracking apps modified their privacy policy, implementing cryptographic standards and privacy by design.[1] Despite these efforts towards enhancing transparency of data access and data transfers, these apps still collect a large amount of data, such as geolocation data, cookies, search and browsing histories, which can lead to the identification of their users. In addition, the interdependence of these applications (e.g., sharing data with storage servers or with companies that process payments) for proper functioning purposes makes it necessary to share specific data with third parties, increasing the risk of user data exposure. The use of cloud for storage purposes may also add an extra layer of vulnerability for the app user. Due to the lack of a single federal data protection law in the US, there is an increased risk that criminal justice authorities will issue investigation orders to gain access to this information. There is a perceived effort by these apps to avoid sharing data to restrict reproductive rights. According to a research study recently conducted by Beth Israel Deaconess Medical Center (MIND) and The Digital Standard, there are four core measures that these apps could implement to improve their privacy and security: 1) store data locally (directly on user’s devices); 2) provide information about third-
party sharing (to help users understand which third parties may access their data, why and which measures are being implemented); 3) adopt policies to allow the exercise of the right to delete personal data; and 4) provide information as to whether an app explicitly stores location data and, if so, which security and privacy measures are taken. This study then evaluated the implication of such measures in the case of the following apps: Flo, Clue, Stardust, Period Calendar, Period Tracker, and Period Tracker by PG Apps. None of these apps store data locally and all of them share at least the users’ IP address with third parties.
Without a proper legal framework, any app provider which receives a subpoena will risk making its users vulnerable. The use of such apps to prosecute women reduces the community to a surveillance asset. In this context, the accumulation of data is not reciprocal, but rather one-sided to sustain power asymmetries within an automated and institutionalised global infrastructure that has the potential to attack social, ethical, or religious minorities. For now, women need to be aware of and evaluate the privacy risks inherent in the use of menstrual cycle tracking apps. In any event, without a comprehensive approach to end-to-end encryption implementation by these apps, it is considerably difficult to guarantee privacy and security to their users. In that sense, the lack of an enforceable obligation puts women’s rights at risk and may undermine decades of struggle to protect reproductive rights.
[1] For instance, the Flo app has launched an anonymous mode that grants users access without providing their name, email address, or any information related to their health. Similarly, the Stardust app has modified its privacy policy to provide for end-to-end encryption and make explicit whom the app shares data with and the purpose of this sharing.
