Political Backlash Ramps Up Digital Privacy Laws

The wheels of justice may turn slowly, but tech ramifications sometimes turn around on a shorter timetable. 

The U.S. Supreme Court’s 2022 overruling of its landmark 1973 Roe v. Wade decision—alongside subsequent state-level prosecutions for abortions—provoked a proprivacy backlash now wending its way through administrations and legislatures. At the same time, though, there may be a catch. Between industry lobbying and legislative mistakes, some of the proposed or recent rules may leave room for data brokers to still profit and for buyers to still continue obtaining people’s locations without explicit consent.

At the moment, unlike in the early 1970s when the previous Supreme Court precedent was set, broad-sweeping digital tool kits are widely available. In states tightening their abortion laws and seeking to prosecute women seeking or obtaining abortions in defiance of those laws, prosecutors have access to mobile-phone location histories—currently available on the open market throughout the United States.

“I think there is increased anxiety that is being spurred in part by the overruling of Roe v. Wade,” says Alex Marthews, national chair of Restore the Fourth, a civil-society organization in Boston. “There is anxiety about residents’ browser and location information being subject to information requests in states that have essentially outlawed abortion,” he says.

Political leaders in both parties are responding. The Republican-led U.S. House Judiciary Committeelast week held a markup hearing for a bill that would prevent U.S. law enforcement and intelligence agencies from buying cellphone user data. And the Democrat-led U.S. Department of Health and Human Services is preparing an update to the Health Insurance Portability and Accountability Act (HIPAA) that would provide protection for abortion-related information.

At the state level, California, Massachusetts, and Washington state legislators have introduced bills that seek to limit abortion-related data sharing. Washington’s, which passed in April, requires users to request the deletion of health data, but obliges companies to do so. The so-called Location Shield Actunder consideration in Massachusetts would go further, by preventing companies from selling location data, regardless of user consent. The act would further allow for people to sue data brokers for misuse, something lobbyists managed to negotiate out of earlier drafts of both California’s 2018 Consumer Privacy Act (CCPA) and the European Union’s 2018 General Data Protection Regulations(GDPR). A more recent bill under consideration in California would have tighter protections.

The Massachusetts bill does not prevent reidentifiability from supposedly anonymized location data. The bill seeks to limit location data to a radius greater than 564 meters (1,850 feet, as specified in the statue). But that is not enough, according to David, a privacy engineering consultant who did not want to provide his last name, citing his own privacy concerns. At least one abortion clinic in Western Massachusetts, for example, is more than 564 meters from any other facility, for example. It is also easy to reconstruct a person’s movements, even with intermittently sampled location data. “This is a major flaw,” David says.

The office of the bill’s sponsor, Massachusetts state senator Cindy Creem, a Democrat, did not respond to IEEE Spectrum’s questions about the bill.

In California, tech companies have provided partial data to law enforcement, such as when law enforcement act on a so-called geo-fence warrant. Then, after law enforcement agents have analyzed the partial data and identified a smaller list of devices of interest, tech companies have provided fuller data on those devices. However, a California appeals court has ruled that broad geo-fence warrants violate the Fourth Amendment, which protects against unreasonable searches.

Instead, as more and more jurisdictions curtail location sharing, tech companies may need to brace for building data catalogs that track where they store personal location data and for what purposes they may use it. Companies will also need to set expiration dates for how long they can use data, as they already do under the EU’s GDPR. They will need to monitor and report on their own handling of personal location data, and build logic for deleting it in accordance with the appropriate rules.

Even with such safeguards in place, companies and law enforcement agencies intent on tracking people are likely to find a way to do it, warns Marthews. “Even if you are a privacy-conscious person, just by going out in public, there are going to be digital breadcrumbs that you leave.”

First published by IEEE Spectrum: [html]