Late Monday, Politico published a 98-page bombshell from the heart of the Supreme Court detailing—in Justice Samuel Alito’s caustic, disdainful language—SCOTUS’ plans to overturn Roe v. Wade, the landmark decision that made abortion legal in the U.S. in 1973.
The pending decision itself may be disturbing and surreal, but it’s not wholly unexpected; over the past few months, states like Arizona, Mississippi, and Texas have drawn up an array of increasingly draconian abortion bans, all gleefully bolstered by the usual goon squad of Republican senators. Oklahoma passed a law just like Texas’ on Tuesday. Democrats have made the move from taking bland, non-committal stances on reproductive healthcare to anxiously tweeting about the topic. Meanwhile, those of us with uteruses—or even those of us who know someone with that piece of plumbing—are left grappling with facing the forfeiture of what once was a fundamental constitutional right.
The leaked brief is still a draft and could be watered down from its current, terrifying form, but even now, people are criminalized for attempting abortions in their own homes, put in prison for buying abortion pills online, and face crushing amounts of surveillance every moment in between. While I don’t know much about breaking these folks out of prison, I have been covering the nuts and bolts of data brokering for years. I’ve seen abortion seekers have their precise locations, home addresses, and Instagram accounts freely pawned off to third-party partners, and I’ve seen Capitol Hill figures waffle instead of regulate. So I’m going to tell you how to fight back for yourself instead.
Two years ago, I wrote a lengthy guide to protecting your data from third-party brokers and the police when going to a protest, and what follows is the spiritual successor to that. It’s aimed at people that want to get an abortion without the associated data slipping into the wrong hands.
Let’s get something out of the way: I know that details about your reproductive health sounds like a tender, sensitive chunk of data that should be covered under a health privacy law like the Health Insurance Portability and Accountability Act (HIPAA). And it is! But only sometimes.
If you’re a person looking to get an abortion in this country and you’re getting a consultation in a clinician’s office complete with pee cups, stethoscopes, and people in unflattering scrubs, then that clinician is legally bound by HIPAA to keep your abortion plans under wraps unless they’re offering a referral to another healthcare provider. The people who administer care to you are so-called “covered entities” under the law, along with health insurance companies, HMOs and the like. Social networks, apps, and search engines, on the other hand, are not bound by HIPAA. The law was written in the 90s, and nobody seems too bothered to update it.
Now that we know those pesky regulators aren’t involved, we can talk about the many, many (many) ways your data bleeds from your devices and into these the paws of data brokers. Last summer, the analytics firm eMarketer put out a good overview of all the ways this bleed can happen: you probably know how sites can drop a cookie on your browser, or how an app can have a sneaky piece of marketing tech chugging behind the scenes. But you also leak data when you pass by a digital billboard, when you walk through the doors of a grocery store, and when you’re waiting on hold for the umpteenth time because your goddamn pharmacy forgot to send your goddamn refills, again.
The modus operandi of major data brokers is collecting these data points—either directly from you, or from other, smaller brokers downstream—and then piecing them together to create an image of a consumer worth targeting ads at. It really is that inelegant; when you’re sucking up so many tiny data points from hundreds of thousands (if not millions) of folks on the regular, chances are it’s more efficient to collect these sorts of broad, anonymized data points than something like a person’s full name. In order to tie these fuzzier details to you, these brokers do need a bit of individualized data; something like a mobile-specific ad identifier that comes baked into your phone’s hardware, or an IP address that’s traced back to your laptop. Even if a broker doesn’t know that you, the person, are walking through that grocery store, they do know that your iPhone—with its own unique ID—tripped up the bluetooth beacon hiding by the door.
Every bluetooth ping your phone gives off as you bob around the store sends a signal back to brokers behind the scenes to remind them that you, dear reader, are bobbing (and shopping). And when your phone gives off a similar invisible ping that hits a screen in the waiting room of a abortion clinic, those brokers can surmise that you’re probably there to get an abortion.
The market for your data is wildly lucrative—$29 billion paid for user data last year alone—and wildly unregulated, which means brokers are unlikely to bother vacuuming up less of our data anytime soon—even when that data’s concerning something as sensitive as our health. So if you want to outsmart them, you need to start thinking like them. It’s not as hard as it sounds.
Here’s a cautionary tale: in 2015, a Massachusetts pro-life group tapped a local digital ad company, Copley Advertising, to set up digital boundaries (or “geofences”) around Planned Parenthood branches and other reproductive health clinics in nearby cities. When people walked into these buildings, phone in hand (or pocket), those geofences registered that device crossing the line via mobile data like GPS or those aforementioned bluetooth broadcast signals.
Once these women were inside the fence, Copley pummeled their devices with ads for “abortion alternatives,” like adoption. Roughly 800,000 women were targeted by the campaign, and these ads kept playing for weeks after they left the clinic. And because of the way mobile ads work, every ad that played sent back a pretty sizable amount of data about these women’s devices directly back to the agency, and the pro-life group that contracted it.
Two years later, Boston Attorney General Maura Healey would sue and quickly settle with the ad agency on the condition that the agency never geotarget clinics in the state with its creepy ads again. The practice remains legal for others, though, and those marketing pro-life “abortion alternatives” still make use of it.
The easiest way to avoid being one of those statistics is making your phone as unrecognizable as possible. A good first step is to reset your phone’s mobile ad ID: It’s quick and easy on both Apple and Android. That’s what most brokers use to identify your personal device. But honestly, that isn’t good enough.
Thanks to growing (albeit imperfect) privacy legislature in the States and moves from companies like Apple to tamp down tracking, adtech middlemen are getting wilier. Even if your phone has a shiny new identifier, brokers can still re-identify your device using details about your mobile browser, or other info baked into the hardware like your phone’s International Mobile Equipment Identity (IMEI) number. If brokers see two different mobile ad ID’s but the same IMEI all tied to one device, then it is not hard to discern it’s the same device. Sorry.
If you want to be airtight about you anonymity, your best bet is to never use any of your regular devices anywhere nearby or inside a Planned Parenthood, or any similar clinics. There’s no way to know how large a fence around a clinic might be, which means your best bet is to just turn off your phone whenever you’re remotely nearby. Within a city block or two is a good estimate.
If you do need a phone on hand, get yourself the cheapest burner device you can find with a unique phone number, and buy it with cash. Credit bureaus and card issuers are notorious for pawning off data about people’s purchases, and the last thing you want is this device getting tied back to your wallet.
Once you have your device, turn it on when you’re close to your clinic of choice, and turn it off as soon as you leave. If you use that burner to connect to your home’s Wi-Fi, some middleman can quickly recognize that the device is yours. Ditto if you log onto that phone using your regular email address or social media profile.
If you’re booking with a clinic over the phone—burner or otherwise—pay attention to any notices that the call “may be monitored for quality assurance,” or something similar. Plenty of medical practices (including abortion clinics) use call-tracking software that’s typically connected to more adtech middlemen. Most adtech companies require their healthcare clients to include a blurb like that at the start of the call. If you want to be safe, use your burner to put those calls through, too—and do it outside your house.
These same principles apply to any abortions protests you might attend, too. We’ve already seen adtech firms use this same geofencing tech to digitally encircle groups of protesters, harvest device info from the people inside, and then pass that data off to cops. The good news is that if your phone’s invisible in a clinic, it’s going to be invisible in a protest, too. As long as you’re not using that burner at home or browsing your Instagram feed in the waiting room, it’s a-ok to carry with.
If you want to read more, the Electronic Frontier Foundation’s Surveillance Self Defense guide has a ton of handy tips specifically geared towards protestors. The big one, besides using a burner and the encrypted messaging app of your choice (we’re a big fan of Signal here at Gizmodo), is to look as nondescript as possible.