Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 2:02
CT. Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Jamal Magby, and it's time to talk tech. When the Supreme Court reversed Roe versus Wade, it enabled states to further restrict and criminalize abortions. Some states can now prosecute abortion providers, insurers, and in some cases, even patients themselves. Some states also allow civil actions. Increasingly, law enforcement and civil litigants may turn to companies to gain access to data that could help them prove a person sought, received, aided, or provided an abortion. Many types of data can reveal sensitive information about a person's health and health care choices. Search queries, browsing history, the contents of communications, and a person's location data can all reveal such private information despite not typically being thought of as sources of medical or health-related data. Because of this, companies inside and outside of the health care sector must be responsible for carefully assessing and limiting the private information they collect, store, and share. Without thoughtful action, a company's data practices may be complicit in sending their customers to prison or exposing them to civil litigation for personal choices that are still legal in the majority of the United States. In the post-Dobbs era, companies must play an active role in protecting their customers' and users' private information. Here to explain what companies can do to protect their users' data is Andy Crawford, senior counsel for CDT's privacy and data project.
Speaker 2
2:07 – 2:10
Andy, welcome back to the show. Hey. Good to be here. Thanks, Jamal.
Speaker 1
2:11 – 2:18
Of course. So starting us off, can you give us a lay of the land? It's been a year since, Roe was overturned. Where are we?
Speaker 2
2:19 – 5:09
Great great question to start with. So for a long time, we've considered information about our health to be private and personal, and we've got federal laws that reflect that. Right? We've got the Health Insurance Portability and Accountability Act. Most people know it as HIPAA. And a lot of what that law does or a big portion of what that law does is promote the privacy of our health information. You know, when you connect with your doctor, when you look up health information, when you track your health on your smartphone, it all feels very private. But, today, companies collect information about your health, and sometimes they use it to do things like target ads at you, or sometimes they even share it with other folks like data brokers. So like I said, we've got this federal law, HIPAA, and it's got associated regulations and privacy rules associated with it. But that law was enacted back in the nineties. And as time's passed, the Internet's grown up, tech quickly outpaces the law, and it's become abundantly clear that the privacy protections associated with HIPAA failed to cover a huge universe of data that now exists that HIPAA just doesn't address because it's held by entities that aren't regulated by HIPAA. Some of these some of these entities are things like we use every day. Right? Things like apps to track our diets. We have apps that help us track our reproductive cycles. We have fitness trackers that track our workouts. They track our BMI. They track our blood pressure and on and on and on. And most of these apps and services, they're not provided by our doctor or our insurer, and as a result, they're not covered by HIPAA. And instead, they have not that many privacy protections associated with them.
Even though a lot of these records are just as private and literally, in some instances, can be literally the same record, that has protections when it's held by your doctor, but when it's held by a third party app on your smartphone, it's gonna have very limited protections. So in the wake of the Dobbs decision, Dobbs v Jackson Women's Health Organization, there's a renewed focus on how health data points, like the ones we've been talking about, could now be used by law enforcement or even private folks, seeking to sue or target people for providing abortions and reproductive health care. And that data that folks in those lawsuits and criminal proceedings may seek can often come from companies and the apps that we've been talking about. So one way that we've really been leaning in on and encouraging folks to better protect the data, especially sensitive data about our health, is for companies to step up and limit the amount of data they collect and eliminate lots of data they already have.
Speaker 1
5:11 – 5:29
So I wanna go back a little bit because you you talked about health data, and I wanna know, are there different types of of health data? And, I mean, you mentioned the Fitbits and and everything like that and and the ways companies collect this, but are there any other ways companies collect this data? Yeah.
Speaker 2
5:29 – 8:24
Another great question, Jamal. And and yeah. There's there's lots of data at play here, and there's lots of different ways to collect it. So let's let's touch on each, and we'll do it we'll go one at a time. So let's talk about the data first. There's certain data about our health that, like, everybody understands as health data. Right? It's clear. It's things like could be things like your medical records from your doctor, like the images of X rays, you know, the results of blood work, blood tests. All that data, it's pretty clear. That's that's very revealing about our health, and it's health data. But there's a whole other set of data that facially might not appear to be health data, but when it's used to make inferences about our health or to try to make determinations about our health, that data becomes very probative health data as well. Think about things like if your location data reveals that you traveled to a specific clinic that specializes in a certain kind of treatment for, say, cancer care or reproductive care. That's a pretty probative data point into you might be seeking treatment for, you know, reproductive care or cancer if you're visiting one of those very specific clinics. Other things like, you know, even purchase histories or web searches. If your purchase history reveals you're buying, you know, prenatal vitamins, not a big stretch to think, oh, you know, this person might be thinking about becoming pregnant or maybe pregnant, or things like your browsing history, right, if you're searching for specific, you know, medical conditions online, again, that could be very probative into, you know, a condition you may, you may have. So, you know, that's a quick overview of the data, you know, there's there's facially, like, pretty apparent health data and there's other data that can be really probative in the health data. And then it's the second part of your question was, well, how do companies collect this? And they do it in a number of ways.
Sometimes they have to collect it to provide us with the product or service we want. Right? If if I want to purchase a product and I wanna deliver it to my home, I have to give up and provide that company with certain information like my address and my billing information in order to facilitate that transaction. But sometimes companies can go in apps and websites, can go about collecting data that's not really directly responsive to the product or service somebody's asking for. There's that famous example of, right, like, the the flashlight app on your phone that also has access to your, the content of your communications or the, all the photos in your photo album and all the GPS coordinates that your phone has traveled to. Right? Like, that's the type of over collection that that we really encourage folks to not do, and it's not necessary to provide the service or the product the consumer wants or has requested.
Speaker 1
8:26 – 8:54
So no. That's helpful. And I will say, on the camera app thing, the flashlight is very scary, the the amount of information that that that they can collect. So, this is, yeah, this is extremely informative. I I I wanna ask, CDT recently released a set of best practices for protecting, you know, health data and these types of data. Can you talk a little bit about what they are and what where what CDT is advising?
Speaker 2
8:54 – 12:21
Yeah. Absolutely. So, we released a report that's called Data After Dobbs, and it details and outlines best practices for companies when they go about collecting, retaining, sharing, selling, and using data about people's reproductive health. It's intended to be a practical guide for decision makers within these companies, for product designers, developers, and advocates, and frankly concerned customers, to understand the privacy implications and concerns associated with the data practices of the companies they interact with every day. The main thrust of our document is calling on companies to do better and consider and closely review how they collect user data, how they store that data, and otherwise control or, excuse me, process the data and how they ultimately might go about sharing that data. We really want folks to consider this, especially in the light of Dobbs, when the collection and retention of information that could be revealing about people's reproductive health could potentially be sought by law enforcement in the state that's hostile to reproductive rights and used in an abortion related prosecution, or some states even allow civil suits. They're used as potential evidence in a civil case against somebody for exercising their reproductive choice. So I won't go into all the elements of our report. I encourage folks to go check it out. It's cool. It's accessible on our website. But, you know, some of the main thrusts that we we emphasize in our report are things like companies that collect health data should only use it to provide the direct service or product the customer wants. We alright. I already talked about this. We really discourage companies from using data to create behavioral profiles about their users and then potentially sharing or selling those for secondary purposes. Whenever possible, we really encourage folks to use encrypted, to encrypt the data whenever that's possible.
So companies encrypt the data so that it's really only the customer, the user that has access to their sensitive health information. Another way to empower customers and users is that people should have access to their data. They should be able to make clerical corrections to it. They should be able to delete it, from companies if they no longer want the company to have that data. Companies should really only keep this data for a limited time. They really have to tighten up their retention periods. Once it's no longer once data is no longer needed for the product or service the customer has requested, companies should no longer keep that data. Whenever possible, companies should anonymize location data associated with sensitive locations. This this can include things like hospitals, clinics, but also, things like, places of worship. Two other quick things, companies should tell users when law enforcement seeks their data and they've turned it over to law enforcement, and companies should offer, and encourage and make, ephemeral types of messaging, encrypted messaging, the default, the the the default settings, so that, the contents on folks' communications are private as well. Like I said, there's a lot more in the document. I just rambled through, a lot of the points, but there there's much more in there too.
Speaker 1
12:23 – 12:51
Oh, this is all helpful. And and it and it begs the question, how much of this data should companies be collecting? I mean, I I think we all understand there's a certain amount you need, to ensure that an Apple product gives you what you would like from it. But do they really need all of this data, and how should they be going about protecting the data that they do collect? Yeah. No. I mean, I'm gonna sound like a broken record here, but, really, they should be,
Speaker 2
12:52 – 14:17
frankly focused on the data that's necessary to provide the product or service that the customer has requested. Outside of that, you get into, you know, secondary and tertiary uses of data that aren't potentially even known to the customer, you could get into harmful sharing, or harmful practices when you show data that that really, not only can you know irk customers when they subsequently learn, wait. You shared my data with who? For what reason? But they can actually, you know, like I said, in the in the post Dobbs world, a lot of this data could potentially be, used by criminal prosecutors, even civil civil litigants, and and, folks should really, focus on folks in these companies should really focus on, limiting the data that they collect so that they limit the exposure, that they potentially create for law enforcement or civil litigants to come asking for that data. When when companies do have to collect this data, they should protect it. Right? They should encrypt it. They should have, security measures in place, that that make it so that access to the data is limited to only folks in the companies that need to know, and companies frankly should, be constantly, mapping out and scoping the data that they do have and consistently going through it and deleting all the data that's no longer necessary.
Speaker 1
14:18 – 14:25
So let me ask, why do they collect all of this? Some would call it unnecessary data. Like, if you're,
Speaker 2
14:26 – 15:51
if you're not providing any service that requires those location data, why does a company feel like they need that location data? Sure. I mean, there's gonna be a number of reasons, and there's a host of different business models that that would dictate, you know, why you might want that. Sometimes, having extra data is helpful for companies as they, develop new products or new features, and those extra data points can help with with future product development. Sometimes, you need to collect data because you have, you know, certain industries are heavily regulated already, things like financial tech, or you know tech that involves, that might involve children, or you know those industries, have, certain reporting requirements that require certain data to be kept and maintained, for those, you know, for those legal reasons. But sometimes companies, collect data because they wanna create behavioral profiles about people that they can then better target ads at them, or they might wanna collect the data because it's valuable to sell. You know, you can you know, there's a market out there for third party data brokers to not only, collect data and and build profiles about folks, but then turn around and offer those profiles to, advertisers to to potentially target, and, identify new markets.
Speaker 1
15:51 – 16:09
Well well, on that scary note, is there anything that the government can or or or should be doing to to, you know, force companies to protect or or or persuade companies, I should say, to protect this this health data? Yeah. So we've seen lots of efforts. I'll focus on the federal level.
Speaker 2
16:09 – 19:30
We've got, you know, on the Hill in Congress, we we've seen the introduction of, you know, health specific privacy bills, especially in the wake of Dobbs, bills like My Body, My Data Act, that was reintroduced in this year, and that CDT has has endorsed. These, like, bills like this help protect the privacy of health data by limiting how long companies can keep reproductive health data, how they can use it, how they collect it, and providing clear ways for consumers to access and delete it. So a lot of the same contours and and provisions that I talked about in our Data After Dobbs report, there's a lot of overlap with the approaches that you see in a bill like My Body, My Data. More generally speaking, you know, CDT has long advocated for comprehensive federal privacy legislation. So not just a bill that focuses on health data, but frankly, a bill that focuses on all data, and creates baseline protections for all consumer data. You know, we saw last Congress the American Data Privacy and Protection Act, actually known as ADPA. CDT endorsed the last version of that bill that was introduced in the last Congress. We're waiting to see if it's reintroduced this Congress, and we'll see what potential changes they've made to the bill. But a lot of what that the previous iteration of that bill did was raise baseline privacy protections for a host of data, including sensitive datasets like health. That really would have gone a long way to to better protect and keep that data private. Outside of legislative efforts, we've seen some of the federal agencies also taking action in this space, agencies like Health and Human Services. They recently put out a notice of proposed rulemaking, an NPRM, to make amendments to HIPAA's privacy rule to limit some potential disclosures to law enforcement in the wake of Dobbs along the lines of, you know, some of those situations and scenarios that I've been talking about earlier.
And we've seen the Federal Trade Commission, the FTC, take action as well. Recently they put out a notice of rulemaking around their health breach notification rule, and we've seen them take actions, enforcement actions earlier this year and last year around inappropriate uses of of health data, both misrepresentations, but also utilizing some of the jurisdictions they have under the health breach notification rule. So, you know, you're seeing a lot of action at the government level. Frankly, like to see more at the legislative level, but in the interim, you're seeing the executive agencies use their existing authorities to do what they can to better protect consumer health data. And frankly, you know, we'd also like to see the private sector do more as we wait. They've done some, but there's there's plenty more that that companies can be doing now as we wait for both, you know, executive agencies and also federal legislative efforts.
Speaker 1
19:31 – 19:42
Or or they can also read our recent report, our recent best practices report. Oh, man. Great idea. And get some ideas from there. Andy, before I let you go, any final thoughts?
Speaker 2
19:43 – 20:21
I I think I'll just kinda end where I just left off. There there's a lot of work still to do. We need updated federal privacy laws, be it sector specific or comprehensive. We we need to see our laws catch up with tech. As we wait, we need to continue to see federal agencies utilizing their existing authorities to to do what they can to keep folks' health data private. And like I said, we really need to see companies continue to step up. We've seen some. We need to see more, and we need to see companies embrace the principles that, you know, are included in in our Data After Dobbs report, for instance.
Speaker 1
20:21 – 20:43
Well, Andy, as always, it's been a pleasure having you, and thank you so much for joining us here today. Absolutely. Thanks, Jamal. So for all for all our listeners, to keep up with the work that CDT's policy teams are doing, please visit us at cdt.org and follow us on Twitter, Facebook, Mastodon, and LinkedIn at CenDemTech. I'm Jamal Magby, and thank you for talking tech.
Speaker 0
20:47 – 21:13
Hi. I'm Riddhi Shetty. I work on the privacy and data project here at CDT. Recently, we've been advocating for stronger federal and state guidance and regulations against consumer data harms that limit economic opportunity. You can support this and all we do here at CDT by going to cdt.org/techtalk and donating. Every donation matters. Thank you for enhancing civil rights and civil liberties in the digital age.