A big question for tech companies post-Roe: How to respond to law enforcement requests for data?
Since the Supreme Court's decision
By Brian Fung and Clare Duffy, CNN Business
In the wake of the Supreme Court’s decision to overturn Roe v. Wade, privacy advocates have expressed renewed concerns about how tech platforms may handle requests from law enforcement for user data in states that outlaw abortion. But whether tech companies intend to hand over data on abortion-seekers to governments is a question the industry is seemingly unprepared to answer for now.
Tech platforms hold vast troves of personal and health information in the form of the products we shop for, the places we travel, the businesses we frequent, the websites we visit, the information we search for, and the messages we send to our friends and family. Digital rights groups have warned of the risks this online footprint may now pose to people seeking or providing abortions in states where the procedure is criminalized.
“Those seeking, offering, or facilitating abortion access must now assume that any data they provide online or offline could be sought by law enforcement,” said the Electronic Frontier Foundation, a digital rights group, in a statement following the Court’s ruling.
Thus far, tech giants have largely avoided saying how they intend to approach law enforcement requests that may lead to the prosecution of abortion-seekers or providers — even as some of those companies have pledged to help cover travel costs for their own employees who may need to leave their home states to access a legal abortion.
Companies including Amazon, Apple, Google, Lyft, Facebook-parent Meta, Microsoft, Uber, Snap, TikTok and Twitter either didn’t respond, declined to comment or didn’t directly answer questions about how they would handle data requests targeting abortion-seekers.
Tech companies have broadly said they comply with government data requests so long as they are consistent with existing laws. Now, the rollback of federal abortion protections, combined with the passage of new legislation in numerous states restricting abortion, could make it difficult for platforms to fight certain data demands related to abortion investigations.
It isn’t just tech giants that could be subject to these requests, said Danielle Citron, a law professor at the University of Virginia and author of the forthcoming book “The Fight for Privacy.” For example, Citron said, apps that help women track their periods contain a wealth of data that could be used against abortion-seekers as evidence.
“I’m most concerned about data brokers, including location data brokers,” she said, referring to companies that collect and sell data on consumers, “as well as fertility tracking apps and health monitors. That is where the bounty lies.”
In the case of the sprawling data broker industry, which hinges on the loosely regulated commercial sale of personal information, all the government needs is a willingness to pay, Citron said. “Location data brokers are in the business of peddling our whereabouts including visits to doctors,” Citron said. “They are already providing access to law enforcement for a fee. No subpoena necessary.”
But given their ubiquity and prominence, Big Tech platforms could still be targets for law enforcement requests related to abortion investigations.
Tech companies receive thousands of requests for user data from law enforcement every year, typically in the form of subpoenas or court orders, and usually in connection with a criminal investigation. Many companies attempt to alert users when they have received a request for data related to their accounts, although in some cases they may be prevented by government gag orders. For the past decade, the biggest tech companies have been vocal about the fact that they routinely challenge law enforcement demands.
For example, in response to questions, Meta referred CNN to its transparency center and said the company requires government requests to be consistent with the law and with the company’s own data policies. “If we determine that a government request is not consistent with applicable law or our policies, we push back and engage the governmental agency to address any apparent deficiencies. If the request is unlawful (for example, overly broad, or legally deficient in any way), we will challenge or reject the request.”
A Twitter spokesperson said the company continues to “take a principled approach to government requests for information, as well as to law enforcement requests, in line with our established policies.” In its help center, Twitter says it reviews legal requests for “any indications that the request seeks to restrict or chill freedom of expression” and may push back on requests “due to various circumstances” such as a request being overbroad or because of the nature of the underlying crime.
Still, tech companies have complied with a growing number of government requests over the years. In the first half of 2021, Google alone complied with a record-breaking 17,000 subpoenas, more than 20,500 warrants and more than 2,300 other court orders — a compliance rate of 82% for each request type, according to its transparency report. Google did not respond to a request for comment, but it has previously said it reviews each law enforcement request to ensure it is legal before complying.
With some states passing legislation to expressly ban, and in some cases criminalize, abortion, whether tech companies could successfully challenge a data request as unlawful is murky at best.
In response to CNN’s questions, some companies sought to promote the privacy protections they already have in place for users. A Snap spokesperson told CNN that location data is not collected by default on Snapchat, it prohibits users from “checking in” at sensitive locations such as clinics and that, if users enable location data sharing, that information is stored for a maximum of seven days. The spokesperson added that chats and snaps auto-delete by default, and that the company regularly evolves how its in-house teams respond to law enforcement requests to balance user privacy with the need to comply with the law.
Apple told CNN it takes numerous steps to protect health data on its devices and in the cloud, such as by encrypting health information in iCloud when a user enables two-factor authentication, though the company has previously said that other information backed up to iCloud including email and messages and browsing history may be available to law enforcement.
Telecom companies such as Verizon, AT&T and T-Mobile also receive thousands of law enforcement requests each year, including for information such as location data (which is typically measured by distance from nearby cell towers). The companies all say they carefully review and push back on some law enforcement requests, such as when they are not legally valid, according to regular transparency reports. (Verizon and T-Mobile declined to comment; AT&T did not respond to a request for comment.)
In the meantime, digital privacy experts have encouraged people seeking or providing abortions (or those who may do so in the future) to safeguard their data by taking steps such as using encrypted messaging apps with auto-delete features such as Signal, using privacy-focused web browsers such as DuckDuckGo and turning off location sharing on their personal devices.
“We are not yet sure how companies may respond to law enforcement requests for any abortion related data, and you may not have much control over their choices,” the Electronic Frontier Foundation said in a blog post. “But you can do a lot to control who you are giving your information to, what kind of data they get, and how it might be connected to the rest of your digital life.”
The-CNN-Wire
™ & © 2022 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.
