by AUSTIN — A panel on reproductive rights in one of the most hostile states offered tech companies this succinct advice: If you don’t like having to turn your customers’ sensitive data over to prosecutors, don’t collect it in the first place.
“It’s a new landscape and we need to think about new interventions to address it,” said Alexandra Reeve Givens, president and CEO of the Center for Democracy and Technology(Opens in a new window).
“It’s been so intense since the Dobbs decision,” said fellow American Bridge co-chair Cecile Richards(Opens in a new window) political action committee and past president of Planned Parenthood(Opens in a new window), citing the Supreme Court decision overturning 49 years of precedent and a federal right to abortion. “There are definitely people who are afraid to even look for information.”
And on that note, the data on tech companies’ servers can easily be armed by state and local law enforcement with court orders for information like search histories and saved messages. The panel moderator was Nabiha Syed, CEO of privacy news site The Markup(Opens in a new window)As he put it, “Data is not the new oil. It’s uranium.”
Givens urged companies to mine less of it.
“When they get a due process from a prosecutor, it can be very difficult to ignore those requests,” she said. “They have to be conservative with the amount of information they collect.”
Richards echoed that thought, urging companies to ask themselves, “What is the least amount of information you need to provide the product or care someone needs?”
Google took a small step in that direction in July when it announced this(Opens in a new window) that it automatically deletes the names of abortion clinics and a variety of other medical facilities from users’ location histories. Givens also advised tech companies to remember that responding to these requests does not mean complying in full, especially when a request is not an actual court order.
“If an investigator emails you asking for information, don’t do it,” she said. “You are entitled to push back.”
And if a search warrant is too broad — for example, a geofenced search warrant that requests location data for every phone within a defined area — a platform should ask that it be narrowed down.
Syed then shared how a markup study found that online patient forms from 33 out of 100 top-tier hospitals included Facebook tracking features(Opens in a new window), which has since sparked a class-action lawsuit against Facebook’s parent company Meta. “When we called it out, the hospitals, the healthcare providers, immediately changed their practices,” she said.
If the prospect of public shaming over sloppy data management isn’t enough, changes in the law can force companies to act. Givens has incorporated a plug for America’s privacy law(Opens in a new window)a sweeping privacy law introduced last summer that its Washington think tank remains optimistic about passing this year.
“It’s not just focused on reproductive care,” she said. “It’s a bipartisan bill that focuses on all the ways people’s basic information is protected.”
The ADPPA would mandate data minimization principles and limit the activities of data brokers who trade data that many people might not even know is being harvested from apps on their phones.
Recommended by our editors
At the state level, however, there isn’t as much room for optimism. Richards said, “Some states — Texas — have a completely different stance on protecting people’s rights.”
Richards and Givens cited a Texas bill, HB 2690(Opens in a new window)which would ban the posting of “information on how to obtain an abortion drug” and even force ISPs to block access to sites offering that information, specifically six (aidaccess.org(Opens in a new window)heyjane.co(Opens in a new window)plancpills.org(Opens in a new window)mychoix.co(Opens in a new window)justthepill.com(Opens in a new window)and carafem.org(Opens in a new window)).
“It raises very profound questions about the First Amendment,” Givens said, somewhat understated about such a constitutional illiteracy measure.
Even if Washington doesn’t act on privacy, Givens suggested that market forces will force companies to “go and be more thoughtful” about their data collection. Citing the reputational risk that comes with missing out, she said, “You’re seeing investors starting to ask that question in the startup scene.”
Syed urged participants to invest their money and time in privacy-preserving apps and services and recommended the search site DuckDuckGo, which does not store any search histories at all. “Vote with your feet,” she said.
But she also drew on Markup’s own experience in creating a tracking-free website to warn companies that the road to data minimization can be bumpy. “It requires elbow grease,” she said. “It’s also really annoying.”
Do you like what you read?
Sign up for security guard Newsletters for our top privacy and security stories, delivered straight to your inbox.
This newsletter may contain advertisements, offers or affiliate links. By subscribing to a newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe from the newsletter at any time.
