Nya hårdare abortlagar väcker oro för oreglerad telefondata

Post-Roe, concerns that data broker services could be used to enforce anti-abortion laws have highlighted the lack of rules governing the industry.

The Supreme Court’s June decision to overturn Roe v. Wade set off widespread concerns that location data collected and shared by smartphones could be used to prosecute people who receive or provide abortions. There’s scant regulation of the industry built around the selling and buying of personal data, which IDC says generates $15 billion annually. That puts a lot of weight on the privacy protections set by location-data brokers themselves.

These safeguards are inconsistent at best. Over the summer, a Bloomberg Businessweek reporter signed up for a free trial on the website of Advan Research Corp., a New York-based company that markets “unmatched, global, foot traffic analytics” to clients in real estate and finance. When he searched for the term “abortion,” the company’s administrators disabled his trial account and sent him an email warning that it doesn’t allow users to “obtain information on such sensitive locations.” But another reporter entered the street addresses of established abortion providers and was able to access the data his colleague had been looking for without an issue. An Advan spokesperson says that the company blocks sensitive locations like abortion clinics and jails, but adds that it’s “technically next to impossible” to have a comprehensive, real-time list.

On Aug. 29 the Federal Trade Commission sued Kochava, an Idaho-based location-data broker, claiming that someone could identify a mobile device that had been inside an abortion clinic and trace it back to a single-family home with just a free trial of the company’s service. Because Kochava’s data services also include unique ID codes for mobile devices, the FTC warned, its clients can connect location data directly to actual people.

If the suit is successful, Kochava would have to stop selling geolocation data about sensitive places such as reproductive health centers and places of worship, and delete any information it has already amassed. Kochava general manager Brian Cox said in a statement that the FTC has a “general misunderstanding” about the company’s business and that its marketplace has new restrictions on sensitive geographic data.

In addition to the Kochava lawsuit, the FTC is in the early stages of writing new privacy rules that would apply to data brokers. “Geolocation is a portal to all sorts of other sensitive information about your life,” says Alvaro Bedoya, an FTC commissioner who’s prioritized the issue, in his first interview on the topic since joining the agency in May. “Having an aggressive enforcer that is willing to call companies out when they’re engaging in conduct that can harm people will help.”

That brokers’ data could be used to prosecute those suspected of violating state-level abortion laws is not the FTC’s only concern. The agency cites the easy identification of other sensitive locations in its suit. Using a free trial of a tool offered by the data broker SafeGraph, Businessweek reporters were able to easily access data about visits to an addiction recovery center in Charlotte, as well as information about which commercial establishments visitors likely frequented afterward. Reporters were also able to see roughly how long customers spent inside a gun store in Plattsburgh, N.Y. SafeGraph, which declined to comment for this story, told lawmakers in June that the tool provides “an approximate composite of visits to a location rather than identifying specific devices or persons.”

Smartphone users create large amounts of data that they have little effective control over, in part because of code within apps that records device activity, which brokers can package and sell. Analyses provided to Businessweek by app analytics companies Apptopia and MightySignal show location-tracking is particularly common in popular apps for gaming, navigation, weather, and tools like voice recorders or smart TV remotes.

Developers regularly add such code to their apps through software development kits, or SDKs. Some SDKs record data that developers find useful for analytics or other utilities, says Sean O’Brien of the Yale Privacy Lab. In other cases, he says, creators of SDKs pay developers to embed trackers that funnel user data to brokers. X-Mode, which supplied an SDK that O’Brien’s research showed was commonly found on apps catering to Muslim communities, has offered developers that install it $30,000 a month for each million daily US users. Another location broker, Quadrant IO, has advertised $15,000 a month for the same number of users. Spokespeople from both companies say they’ve discontinued the SDKs and tightened rules around sensitive data.

SafeGraph and other brokers say their data doesn’t reveal individuals’ identities. Yet in one 2013 study published in the scientific journal Nature, researchers were able to identify more than half the cellphones in a purportedly anonymous data set of calls, because of, as they put it, “the uniqueness of human mobility.”

Since that research, both the amount of data collected and the sophistication with which it can be analyzed has increased significantly. There’s even a category of service known as “identity resolution” that matches data points like travel, credit card, and web browser histories, further eroding privacy.

Supporters of abortion rights worry about the possibility of law enforcement agencies using data collected by brokerage services to enforce state-level bans. (Data brokers could also prove useful to private individuals in states like Texas, which has a law offering financial incentives for people who help identify others violating the state’s abortion law.)

Many brokers already have relationships with government agencies, including law enforcement, according to investigations by the Electronic Frontier Foundation (EFF), a digital-rights group.

Cynthia Conti-Cook, a former criminal defense attorney and a technology fellow at the Ford Foundation who’s studied the impact of digital surveillance on abortion rights, says emerging technologies are commonly used in modern policing with few legal limits. Data providers, she says, “are good at marketing what they do to police departments.”

User data from cellphones is also regularly packaged and sold on marketplaces such as those run by Oracle and Snowflake. For example, brokers on Amazon Web Services’ marketplace sell everything from lists of countries to which US residents have traveled, to locations frequented by veterans, to the nation’s most engaged cereal eaters. More than 1,000 data products are listed in the marketplace’s “Retail, Location & Marketing” category alone.

When pressed by lawmakers in July, Oracle and Amazon offered assurances that the information couldn’t be used to track individuals seeking abortion services. In an email, an Amazon spokesperson added that the company had guardrails in place to prevent misuse of data and that it reviewed all data sets for compliance.

SafeGraph, which sells data on most major marketplaces and counts Goldman Sachs among its customers, has worked with governments on Covid-19 tracking. The agencies it has pitched its services to include state health and law enforcement bodies in jurisdictions where abortion is now criminalized, according to emails obtained by Businessweek under public-records laws. One of them was the Mississippi State Department of Health—the plaintiff in the case that overturned Roe. “We license feeds of raw places and foot-traffic data,” a SafeGraph salesperson wrote to officials in Missouri, another one of the states it contacted, last September. The SafeGraph overtures viewed by Businessweek came before Roe was overturned.

The commercial availability of personal data will always come with the potential for abuse, says Kurt Opsahl, deputy executive director of the EFF. “The sale of even mundane-seeming data points about sensitive private activity can become incredibly harmful in the wrong hands, especially when some states criminalize behavior that is recognized as a protected right in another,” he says. “We cannot let the commercialization of deeply personal information become an end run around the Fourth Amendment.”

While policymakers have been professing their concerns about the potential for abuse for years, there’s a sense that privacy-eroding technology practices are evolving faster than the government’s ability to protect against them. “I don’t know if we can put the cat back in the bag,” the FTC’s Bedoya acknowledges. “But we wouldn’t be doing our jobs if we didn’t try.”

More stories like this are available on bloomberg.com.