The recent case of a Nebraska teenagerover an alleged abortion — charges that prosecutors were able to bring thanks to messages they obtained from Facebook — is causing alarm in privacy and technology circles. Lawyers and and privacy advocates highlight a chilling new reality of digital surveillance in which even discussing the procedure in states that have made illegal potentially exposes people to criminal prosecution.
Among the digital breadcrumbs that Americans leave by the billions is some of the most sensitive information about people's lives and thoughts. Most of that data can be accessed by someone with a modicum of technological know-how, a search warrant or just a little cash. That includes most of the commonly used message platforms, which as the Nebraska case shows are far from private.
"Texts, emails, communications on Facebook — if you're the subject of a criminal investigation, those are subject to subpoena and discovery," said Molly Meegan, general counsel and chief legal officer at the American College of Obstetricians and Gynecologists (ACOG). The same goes for apps that collect any health information, location information or even cellphone network data — or pretty much any app on the market.
"If it were me at this point I'd use a notebook — I wouldn't use an app," she said.
Case in point: The police warrant that led to Facebook-owner Meta's handing over of messages between 17-year-old Celeste Burgess and her mother, Jessica Burgess, included a trove of other information. According to the document, obtained by Vice, police asked for the girl's profile contact information, wall postings, friend listing, photos she uploaded and photos uploaded by others that tagged her.
No encryption, no privacy
In a statement, Meta has said it responded to the search warrant without knowing the case was related to abortion and that the request came with a nondisclosure order that barred the tech company from speaking about it. The warrant was issued June 7, the company said — three weeks before the Supreme Court Roe. v. Wade.
But privacy activists point out that if Facebook had encrypted its messaging — something privacy groups have been demanding for years — it would not have been able to access the content of the teen's messages to offer them to police.
"When messages are encrypted, only the people sending and receiving them have access to them," said Caitlin Seeley George, campaign director at Fight for the Future. "So if Facebook is served with a lawful warrant, they will not be able to hand them over. They physically would not have them," she said.
"This isn't a new issue — end-to-end encryption has been demanded for years — by Black Lives Matter activists, digital rights activists, sex workers, journalists," she added. "It's a crucial protection that people should be demanding to protect people's communications and right to privacy."
Meta has said it plans to roll out end-to-end encryption across its platforms in 2023. Still, Facebook is just one platform out of many, while all the major communications platforms respond to hundreds of thousands of police requests every year.
In the second half of 2021 (the most recent figures available), Meta received nearly 60,000 requests from American law enforcement across all its services and produced data in response to about 80% of them. In that same time period, Google-parent Alphabet received more than 50,000 requests, with a similar compliance rate. Twitter received 2,300 requests spanning more than 11,000 accounts. Microsoft, which owns Skype, Outlook and MS Office, received 5,600.
Twitter did not immediately respond to a question about whether it was considering increasing privacy protections. Alphabet pointed CBS MoneyWatch to an announcement that it would limit some location tracking, and Microsoft referred to its most recent law enforcement report.
First collect data — then figure out what to do with it
Companies don't always comply with law enforcement requests. The tech giants have said they push back on some demands and sometimes give less information than is requested. But data from large tech firms shows that about 4 in 5 demands from police results in at least some info being turned over and that, generally, companies will have a hard time resisting a warrant.
That's why digital rights activists are now calling on tech companies to drastically reduce how much information they collect on users in the first place. Small changes, like Meta broadening encryption or Google saying it will limit location tracking for places related to health care, aren't enough, activists say.
"These companies are trying to find ways in which they can protect data in the specific case, now that the Dobbs decision has come down — without overhauling what they do in the general," said Katharine Trendacosta, associate director of policy and activism at the Electronic Frontier Foundation, referring to the Supreme Court decision in June that . "They don't want to stop collecting data. As a matter of fact, the default has always been to collect as much data as you can, and then figure out its utility later."
People who are messaging about potentially sensitive topics can somewhat protect themselves by turning on encryption settings in their messaging apps. (It's possible to encrypt Facebook messenger chats, although it's not the default. Encryption is the default on the Signal messaging app and messages sent between iPhones in iMessage.)
Yet privacy experts note that, rather than trying to decide whether a particular conversation is "sensitive," it's often wiser for people to use encrypted messaging for all their needs.
"In my job, we use end-to-end encrypted messaging for everything, because it's easier if it's just your default practice. I'll use it to say, 'I'm running late to lunch,'" said Trendacosta of the Electronic Frontier Foundation.
"Why do we allow that?"
By contrast, lawyers caution that even encrypted messaging isn't foolproof.
"To the extent that we keep those messages on our phone, that's another avenue for data extraction. If someone has your device, they'd be able to access it," said Jolynn Dellinger, a privacy lawyer who teaches as Duke University.
As states like Texas and Oklahoma create bounty hunter laws to prod citizens into reporting on suspected abortions, data surveillance offers a plethora of possible sources of evidence for prosecutors.
Commercial tracking systems employed by dozens of data brokers routinely hoover up billions of data on Americans that they can then sell for any reason. Federal agencies have been able to buy some of this data without having to go to the trouble of getting a warrant.
"Data brokers could, for example, sell a list of people who are 15 and interested in family planning," Dellinger said. "Why do we allow that? That just shouldn't be a thing."
The legal battles to come
The limited privacy laws governing health care information in the U.S. offers no help when it comes to discussing abortion — or even searching for information about the medical procedure online. HIPAA, the federal law governing health records, is "limited to health care plans, health care providers and health care clearinghouses. It doesn't apply to you or I, or a social media entity," said ACOG's Molly Meegan.
The law also leaves out health-tracking apps, most of which make their money by selling health information that many people would consider personal.
Some states, notably California, Illinois and New York, have taken steps to protect abortion, while California also has the strongest data in the nation.
But what happens when a prosecutor in a state like Texas with strict abortion restrictions believes someone in a state where it is protected helped a Texas resident end her pregnancy? It sets up the states for a drag-out legal fight.
"You are raising an issue that is going to be the subject of a tremendous amount of litigation over the next few years," Meegan said. "A state [like Texas] doesn't have the ability to subpoena information from a doctor working in New York. Say that doctor visits their parents in Texas and finds themselves in the territory — certainly Texas can try to assert its jurisdiction. It's going to be a very heavily litigated area."
For years, technology entities have profited from collecting huge swaths of private data, claiming that doing so allows them to provide better services and new products or that the data collected isn't really private, or that giving up private information is just the price of being online.
In its, the Supreme Court essentially went beyond Big Tech's own arguments to say that Americans have no right to privacy whatsoever — making those troves of digital evidence even more vulnerable, privacy advocates say. The Burgess case in Nebraska is just the beginning, they warn.
"Dobbs is about physical privacy, bodily integrity, decisional privacy, your ability to choose what you're going to do — and information privacy," Dellinger said.
"As all these states start criminalizing abortion and pregnancy outcomes, we're going to see people's information being used against them in criminal proceedings in ways they could not have begun to anticipate."
for more features.