The threat of US data harvesting grows as abortion ban looms
The writer is founder of Sifted, an FT-backed media company covering European start-ups
Switch off location sharing on your smartphone. Plug privacy extensions into your browser. Delete apps that track your menstrual cycle. Such is the advice being given to women in the US determined to protect their rights over their own bodies following reports that the Supreme Court might soon repeal the landmark Roe vs Wade ruling.
The possibility that abortion may be recriminalised in many US states shines another unforgiving spotlight on the data harvesting and selling activities of many tech companies. The techniques used to target consumers and sell us slippers can just as easily identify those consulting abortion services. Many fear such data could be subpoenaed by the courts of anti-abortion states or simply bought by the police from data brokers. A triangular game between users, tech companies and legislators now needs to play out if privacy rights are to be protected.
To highlight the threat to civil liberties, Vice media recently paid a data broker $160 for one week’s worth of location data covering 600 Planned Parenthood clinics. This data enabled them to track where groups of people had come from and where they went afterwards.
“It is really concerning that some of this data can be sold to states that are anti-abortion and can be used to prosecute women and doctors,” says Lourdes Turrecha, a “reformed” Silicon Valley lawyer and founder of The Rise of Privacy Tech, a community of technologists. “Roe vs Wade is a foundational constitutional privacy law in the US.”
In a perfect world, we would all become more aware of the trail of data breadcrumbs we leave behind, which can be used in evidence against us. Digital civil rights groups, including the Electronic Frontier Foundation and the Digital Defense Fund, have posted action sheets to help preserve online privacy. By voting with our clicks, users can also fuel the growth of services that prioritise privacy, even if some of them remain imperfect. For instance, privacy experts prefer Apple’s iOS smartphone to Google’s Android, and recommend the Brave browser, sending emails by Proton and messaging via the Signal app.
The big tech companies may have a responsibility to pay off the “technical privacy debt” they incurred in the infant days of the internet when no one cared so much about privacy rights. But it will be near-impossible for some companies, such as Facebook and Google, to do so given that tracking users and selling ads is their business model. Expecting them to change is like asking a great white shark to switch from eating seals to seaweed.
However, Turrecha says she is excited about a new generation of tech companies that use stronger privacy-preserving techniques, such as differential privacy, homomorphic encryption and decentralised Web 3 architecture. By giving users more control over data on their device, they can do a better job of protecting privacy without losing functionality. The challenge is how these insurgent companies can ever scale quickly enough to usurp the incumbents.
Here, legislators can help by rewriting and enforcing antitrust laws. They can also close legal loopholes and enact stronger federal data rules. Under pressure from employees and users, tech companies sometimes resist complying with court orders. But ultimately they have no choice but to obey the law.
US senators are aiming to prevent prosecutors without court orders from buying up sensitive personal data, as Vice did. The Fourth Amendment is Not for Sale Act, introduced by the Democrat Ron Wyden and the Republican Rand Paul, would extend existing privacy protections. “While it would be unlawful for app developers to sell data directly to the government, a legal loophole permits app developers to sell data to a data broker, which can then sell that data to the government,” the bill states. That is crazy.
Civil rights groups and some big tech companies also agree on the need for a more sweeping national data privacy law, akin to the EU’s General Data Protection Regulation that came into force four years ago. “A comprehensive data privacy act would go a long way to protecting the lives of users and ensuring non-consensual tracking is a thing of the past,” says Bill Budington, senior staff technologist at the Electronic Frontier Foundation.
No such federal legislation is likely to emerge quickly, if at all. But even state privacy laws, as adopted in California, can raise the national bar. It has now become more expensive for tech companies to write separate code to carve out non-compliant states. Making it harder to do bad things can sometimes count as a good thing.