Op-Ed: Another threat to abortion privacy? Health websites tracking and sharing your data

Ari Friedman and Matthew McCoy
·5 min read
34
FILE - A cursor moves over Google's search engine page Tuesday, Aug. 28, 2018, in Portland, Ore. Some federal lawmakers urged Google last month to limit the appearance of anti-abortion pregnancy clinics in certain abortion-related search results. Now, 17 Republican attorneys general, including Virginia Attorney General Jason Miyares, are warning the company that doing so could invite legal action. Their letter Thursday, July 21, 2022, to the CEO of Google parent Alphabet Inc. criticizes the letter signed by 21 members of Congress, which points to the prominence of anti-abortion pregnancy clinics in searches for abortion services. (AP Photo/Don Ryan, File)
Google and other tech behemoths receive data about people's activity on health websites via third-party trackers. (Don Ryan / Associated Press)

In the privacy of her home, a woman searches for the nearest abortion clinic. She read a news article about Google deleting abortion search data, so she uses Google to find a clinic just over the border from her state, which recently banned the procedure.

When she visits the clinic webpage, however, Google and Facebook — plus a dozen other companies — record her activity thanks to third-party tracking code embedded on the clinic’s webpage. They know that she clicked on the page to find the clinic’s address, and that she read information on how to prepare for an abortion at that clinic.

Our research team at the University of Pennsylvania’s School of Medicine and Carnegie Mellon’s CyLab found that 99% of abortion clinic webpages surveyed have at least one third-party tracker on their site. The situation is usually worse: The average clinic webpage transfers data to nine different companies. Across all abortion clinics in the U.S., we found that trackers sent data to 66 different companies, from tech behemoths to businesses with little or no consumer-facing presence.

The tracked information can be sold and resold with virtually no limit on how it can be used. Companies can send a woman targeted ads based on her likely having obtained an abortion. Prosecutors in her state can use that data to provide evidence that she did.

Even private citizens can purchase lists of people who visited abortion clinic webpages, then use those names to initiate lawsuits against providers and patients under laws such as Texas’ Senate Bill 8. It may seem shocking that an abortion clinic would transfer visitors’ browsing data to for-profit companies. But the practice is a symptom of an online health privacy crisis that’s been years in the making.

Over the past two decades, social media and advertising firms have built up an online activity monitoring infrastructure so vast that even major tech companies don’t fully understand the data that they hold. This tracking extends to the webpages of many health information and service providers. Whether it's government-run webpages for COVID tests, the Mayo Clinic’s disease-specific information pages or the webpage of your local hospital, there’s an army of companies peering over your shoulder when you seek health information online. Yet unlike the information in your electronic health record, which is supposed to be protected under the federal privacy law called HIPAA, your online activity enjoys no special protections under federal law.

Although the Supreme Court’s Dobbs decision overturning Roe vs. Wade didn’t create our digital health privacy crisis, revoking the constitutional right to abortion has raised the stakes. State prosecutors are poised to use online fingerprints to target patients seeking abortion in defiance of bans. Internet search data has already been used to prosecute patients.

As law enforcement becomes more familiar with these techniques — especially if the Supreme Court pursues the agenda proposed by Justice Clarence Thomas in Dobbs and allows states to criminalize contraception and gay relationships — it will soon be a much bigger problem for all of healthcare.

The situation may seem hopeless, but there’s plenty we can do as individuals and as a society.

First, healthcare organizations can eliminate or minimize their use of tracking. Web-based tracking is installed with the active participation of healthcare entities: Typically, a web administrator will include a snippet of computer code to gain a useful tool such as social media linkage and ad campaign tracking. But executives may not understand the full extent of third-party tracking they allow online. They should audit their websites to identify and remove intrusions on patient privacy. In all the domains of the healthcare system we have studied so far, we always find a few organizations that seem to be managing just fine delivering healthcare without giving away their users’ identities and health-related browsing. It is possible.

Second, the federal government can get serious about protecting Americans’ privacy. This starts with passing a strong version of the American Data Protection and Privacy Act. While the version of the bill voted out of the House Energy and Commerce Committee in July has weaknesses, including its preemption of strong and effective state privacy laws, it contains provisions that could significantly curb targeted advertising, the financial engine that drives third-party tracking. Congress should resume consideration of this legislation in January. The Federal Communications Commission also needs to enforce laws prohibiting cellphone service providers from selling data. The Department of Health and Human Services should vigorously enforce its recent guidelines indicating that in some cases clinics and hospitals are responsible for how third-party tracking companies use their tracking data.

Third, individuals can take basic steps to protect their privacy and minimize their digital footprints by installing privacy-protecting browsers and extensions, using search engines that do not retain logs of their activity and accessing social media sites using separate browser profiles.

Given the amount of information that still leaks out, though, individual action will never be enough. When it comes to online health privacy, abortion exposed the growing tracking ecosystem. If we don’t update data privacy tools, the concept of health privacy may soon be a memory.

Ari Friedman and Matthew McCoy are Senior Fellows of the Leonard Davis Institute of Health Economics  at the University of Pennsylvania and co-founders of the Penn-CMU Digital Health Privacy Initiative.

This story originally appeared in Los Angeles Times.