Speaker 0
0:00 – 0:26
Hi. I'm Riddhi Shetty. I work on the privacy and data project here at CDT. Recently, we've been advocating for stronger federal and state guidance and regulations against consumer data harms that limit economic opportunity. You can support this and all we do here at CDT by going to cdt.org/techtalk and donating. Every donation matters. Thank you for enhancing civil rights and civil liberties in the digital age.
Speaker 1
0:37 – 0:40
Welcome to Tech Talk. Bye. CT.
Speaker 2
0:42 – 1:38
Welcome to CDT's tech talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Jamal Magby, and it's time to talk tech. The Supreme Court's decision in Dobbs versus Jackson overturned Roe versus Wade and planned parenthood, allowing individual states to limit or outright ban abortion. State reactions have been swift and varied with some states outlying abortions or significantly limiting them. Such laws will create a strong motive to track and know the identities of people who seek to obtain reproductive health care or to provide it. Here to talk about this decision and what can be done to protect the right to privacy of people seeking reproductive care is Alex Givens, president and CEO for CDT, and Jake LaParooque, deputy director for CDT Security and Surveillance Project. Alex and Jake, thank you so much for joining us today.
Speaker 3
1:39 – 1:43
Happy to be here. Thanks so much for having me.
Speaker 2
1:44 – 1:53
So to start us off, Alex, why was it important for CDT to join the conversation around Dobbs, and what does this decision mean for privacy?
Speaker 1
1:53 – 3:28
We felt like this was a core issue for CDT because it really is a fundamental moment for people's right to privacy. If you think about it, we live so much of our lives online today, whether it's accessing information, communicating with friends, being tracked where we go because of the information that's collected and gathered by our phones and other devices. And now what we're learning is that this could be used as evidence in investigations, not just by law enforcement, but even under some of the laws we'll talk about today by private bounty hunters who are wishing to target people that either seeking an abortion or providing abortion services. And that raises really important questions about people's individual right to choice and how their information can be used and gathered. For us, you know, one of the things I think that that really matters is that this is kind of a reckoning moment for how we think about users' privacy. And so we're really thinking about their work in three different buckets. One is just commercial data practices in general. This is something CDT has talked about for a long time that we need to be careful about just how much information is gathered, collected, and shared about people in their daily lives. But then two, and this is an area that Jake works on, we need to think a lot about how companies are gonna respond to law enforcement requests in these settings. And then third, an area I hope we'll talk about as well today is access to information. How we make sure that people even in this environment can keep getting access to reliable accurate information about reproductive care. And CDT has a long history and things to say on each of those.
Speaker 2
3:29 – 3:38
So, Jake, Alex just mentioned how evidence from our online lives can be used in prosecutions. What type of information can be used, and and what are you worried about specifically?
Speaker 3
3:39 – 4:59
Unfortunately, there there is quite a lot to worry about in this space. Like Alex said, so much of our lives are digital. And because of all these activities are now occurring in a way that are connected to devices, connected to the Internet, that means we're leaving, a digital road map behind that can reveal our most sensitive activities. So, I think we are especially concerned about things like, cell phone and location data, browsing information of what sites you go to, search history and data of what terms you look up when you're online. These are things that can all be collected targeting specific individuals, through things like warrants or sometimes because of loopholes simply by law enforcement buying their way around warrants and collecting data outright. There's also a growing trend of seeking, information by the type of content that's out there. So geofence warrants are a type of surveillance we're very worried about that try to grab information on everyone in a specific location or area. You have things like keyword search warrants, which are instead of going after a target and looking at their browsing history, we'll try to see everyone who searches specific terms. So, we're very concerned about the fact that there is all this information out there that can create basically, it can be puzzle pieces of your life and put together to reveal the most intimate details of it. There's also ways of not going over after certain types of content, certain types of people, certain types of activities.
Speaker 1
5:00 – 5:40
And I think one thing to note, Jamal, in that context is that this isn't hypothetical. We've actually already seen prosecutions against people for their pregnancy outcomes where they lost a baby. There was an accusation that it was a self induced abortion and people's Internet search history was used. Their online purchasing history was used as evidence against against them. And there was even a case where a woman's text messages with a friend was used as evidence as to what her intent had been. So there is actually a record of these cases happening even while Roe v Wade was the law of the land. And so when we say that there's a future concern about this, it's very, very real and something that we're hearing about directly from advocates on the ground.
Speaker 2
5:41 – 5:52
So this reminds me of some work that CDT published previously about the role of data brokers in the ecosystem. Can you explain what these are and and how they fit into this picture?
Speaker 3
5:52 – 7:45
So data brokers are essentially I mean, it it's kind of right there in the name. They are companies organizing organized around the idea of purchasing, stockpiling, reformatting, and selling data on a mass scale. That's typically been for commercial purposes for advertising, target advertising, things like that. But now it's an area that the government's interested in buying as well. And so we have a problem here of law enforcement. Typically, for a lot of this information, they need a warrant sometimes for things like location tracking or at least a court order for other types of records. But you will have law enforcement agencies ranging from the FBI and ICE to local police will say, well, why would I go through all the trouble of going to a court and showing cause and getting authorization when I can simply go to a data broker and buy my way around that? It's a pretty backward system. Obviously, law enforcement, instead of being a search warrant, they couldn't go to your landlord and say, hey. I'll slip you a $100 if I can search this person's house without a warrant. But that's essentially the system we have when it comes to digital data. It's a buy your way around a warrant requirement. Now what exactly are these data brokers selling and handing over to law enforcement as well as many others? It can be very types of specific information to this issue. There's been some great reporting lately about how data brokers will have asked list of basically, you know, list of women who are pregnant based on either self reported information from those individuals or series of things like purchase records, other types of activities and trends. It can also be a lot more general. So things like data on all phones that are in a given location, data on all individuals that are visiting certain websites. This is the type of thing that might seem innocuous on a small scale, but when put together and when combined with other types of data can be incredibly revealing about individuals' lives, their activities, their preferences, their interactions, just the the intimacies
Speaker 2
7:45 – 8:01
about the most basic parts of of what your life is and what you do. And before we move on to our next question, I just wanna make sure we plug our recent report, for folks who wanna learn more about data brokers. Please feel free to read our report, legal loopholes and data for dollars.
Speaker 1
8:02 – 8:25
If we're in the mood for plugs, we also should talk about legislation that's pending that would help close some of those loopholes. So senator Wyden and others in congress have the Fourth Amendment is not for sale bill, which is trying to close-up some of these holes, thinking not just about the Dobbs context, but the much broader civil liberties implications for how easy it is for law enforcement to access people's information without having to go through traditional legal process.
Speaker 2
8:25 – 8:31
I I wanted for us to touch a little bit on HIPAA because a lot of what we're talking about is sensitive health information.
Speaker 1
8:32 – 9:11
Does HIPAA apply here? Yes. So you're right that HIPAA, the the Health Insurance Portability and Accountability Act protects sensitive health data. But there's a huge catch, and I think that most users out there in the world probably don't think about it. So HIPAA only covers health providers like your doctor or insurer and the information that they have. So that's why you sign that form at the doctor's office. But it doesn't apply to the wide universe of commercial applications and products that collect information that can be revealing about our health, which is all the examples that Jake was giving, like your search history or even most commercial period tracking apps, for example. HIPAA doesn't apply to any of those.
Speaker 3
9:12 – 10:20
And there there is another element of how this, about hip, and health data typically interacts with law enforcement. HHS has issued some helpful guidance on this about health providers in that narrow bucket that, you know, as Alex was saying, isn't totally protective, how they share data. In general, for those providers can't share data with third parties voluntary, including law enforcement, but HIPAA does have some limits even in that regard. It does say that health providers have to comply with lawful law enforcement demands made through appropriate legal process. So if we're thinking about potential future uses and concerns, HIPAA would say protect, individuals who are talking to their doctor about issues. The doctor has data on them. They couldn't voluntarily hand that over to police or law enforcement. If police said, oh, we'd really love data on your patient. Would you mind just giving us a peek at the records? The doctor would be obligated to say no based on HIPAA. That's not an option for them. But if police show up with a warrant or a lawful quarter that meets the legal requirements, they do not have a choice. HIPAA is not a shield against those type of lawful surveillance demands and and orders for data.
Speaker 2
10:20 – 10:28
CDC recently launched a task force on protecting reproductive health information. Alex, can you tell us about the goal of that and how is it working?
Speaker 1
10:29 – 13:58
Sure. So for all of the issues that we've just discussed, tech companies are really on the front lines of these issues. You know, in many cases, they're the ones who collect, store, and share information that could be revealing about somebody's personal reproductive choices. And, really, that means that this creates a very important moment right now for companies to think about their data practices in general and then, of course, how they're going to respond to law enforcement requests. So we created this task force to bring together decision makers within the tech companies that are working directly on these issues, civil society experts with backgrounds in health data privacy, in civil liberties, in reproductive rights and reproductive justice so that we could create a trusted forum for people to be thinking through these questions and thinking through the steps that the companies should be taking to better protect their users' information and help them have access to information as well. I think what's interesting about about this is that these questions, you know, they don't all have easy answers. One thing that we continually focus on is that it's gonna be better if the companies collect less. If you don't wanna be handing over very sensitive information about your users' choices to law enforcement, one way to get out of that is to not collect and store that information for a long time in the first place. So, there are big questions around data minimization for example that companies can and should be talking about. But then there are things like the law enforcement request. Right? If you're served a warrant, a company needs to be responsive to that. So how do we make sure that they are treating that in the most responsible way to give the utmost strength, and support and privacy to their users? Some of the challenges that we're uncovering, I mean, this also creates new dialogue, like, new reasons for dialogue and for research, is that they the decisions are often a little bit thorny. So I'll give you one example. A common refrain after Dobbs has been for tech companies just to push back on warrants that are seeking information for prosecutions that relate to an abortion. That's a very easy thing to want the companies to do. But if you talk to the companies, they will tell you that those warrants typically don't actually have the statutory basis on them. So they don't know when they receive a request for information from law enforcement what crime has been committed, what the underlying facts alleged are. So then it's actually very hard for them to have that type of targeted response. So then you think, okay. Well, one policy solution could be to mandate that when law enforcement comes to a company with a warrant, they have to disclose the basis for it. They have to give the statute that they're planning to use. So we could all rally behind that as an intervention. But then we have reproductive rights experts on the phone, including people that have defended women who have been prosecuted for their pregnancy outcomes, who say, well, actually, you know, our clients aren't being prosecuted under an abortion statute. Statute. They're being prosecuted for child endangerment or child abuse or murder or assault. So getting that specified on a warrant actually is gonna be really difficult and very unlikely to succeed as an outcome. So the takeaway from all of this is that it's a very nuanced conversation, and we need to have these different communities speaking to one another. And the vision of this task force is creating a space for people to do that as CDT and other groups like ours really try to move forward thinking about what best practices are gonna be. Turning over to you, Jake, what's some of the work you're focused on currently?
Speaker 3
13:59 – 16:08
Well, in addition to working with companies to try to limit how much day is available, and that's a very fundamental solution, companies quite simply can't turn over to to law enforcement what they don't have, there are a lot of other areas we're focused on. First, we're looking at general solutions for protecting privacy and that will, by doing so, make it a lot harder to pursue, investigations into reproductive health decisions. So things like the Fourth Amendment Knots for Sale Act, which you mentioned, which would close this very key loophole that's being exploited for surveillance without a warrant. We're also looking at other reforms, trying to build in clarity and additional safeguards on collection of data about your browsing activities, for location tracking and use of geofence warrants, for tools like facial recognition that are becoming more and more powerful and used more and more frequently, but have very few, if any, limits on them. Just all those types of areas where limiting the scale of overbroad surveillance will limit how it can be used in these cases. Second, we're investigating specific ways to limit reproductive health surveillance. So we're looking at issues like how can the federal government limit aid and surveillance support to investigations? Right now, 45% of local law enforcement agencies say that they use FBI field offices for assistance with digital evidence and looking at digital records. That's an area where if the administration wants to be helpful and protect reproductive health rights, they might want to reconsider how that aid could flow into those types of investigations. We're looking at how surveillance orders that cross state lines could be limited so that, you know, as we continue to see both aid and abetting laws focused around abortion bans as well as potentially, bans from limiting people from going out of state entirely, what limits can we place on that and surveillance around that? And then, as Ox mentioned, this idea about looking at what types of statutes and areas are enforced to use this so we can get a better sense of when these investigations are occurring. Could just shining a light on that. And if there are ways to try to put more information in warrants and orders about why the investigation is occurring, that could help us try to at least provide some transparency and, hopefully, from their accountability on this issue. So, Alex, you you mentioned earlier in the conversation
Speaker 2
16:09 – 16:18
about tech issues after jobs, and and they aren't just about data privacy. It's about access to information. Can you elaborate on that point a little bit more?
Speaker 1
16:19 – 19:40
Yeah. So one of the things that we're seeing and we'll see increasingly, is a proliferation of real questions of how people can gain access to reliable information about reproductive care in states where, abortion has been and those types of resources are no longer being provided. We're seeing this already. There was a new bill introduced in South Carolina earlier this summer that's being circulated in other states as well that would literally make it a felony to host or maintain a website that helps women access abortions. How broadly would that be construed? What information gets pulled into this when we're talking about things like an aiding and abetting theory of liability? The vision here is clearly to chill people's speech in terms of putting any type of resources or guidance out online. So this raises very clear first amendment concerns. Scholars and advocates have been very vocal about this. You've even seen some people who are against abortion say that those laws overreach because they raise such significant constitutional concerns about free speech. But that constitutional issue is gonna take a while to percolate up through the courts. So one of the things that we're watching now is just what are the ramifications of those chilling effects, and how do we help encourage companies to stay strong and resist this pressure, to take down information that is truly essential to people at a very difficult time in their lives. So those are the types of free expression concerns that we're thinking about. Our old friend section two thirty comes up in this regard for the websites that are hosting information posted by third parties. And CDT is doing legal research on this. We'll also, very likely be preparing if there are future litigation over this. CDT would be likely participating as an amicus in those types of cases. But in the meantime also just helping companies understand what the legal landscape is and how to push back on that. So those are all conversations that are happening in the task force as well. The final one about access to information that I'll mention is we need to make sure that there is good reliable information out there for people seeking care. We also need to be really careful about misinformation and targeting of people when they are seeking resources online. We mentioned before how some of the statutes being pursued in different states after the overturning of Roe v Wade incentivize private bounty hunters to be able to file their own lawsuits against providers of abortion services or people who aid and abet the delivery of of abortion services. And that creates a really dangerous incentive for people to be using websites to trap and try and get private information about people who are seeking, reproductive care. So the tech companies are gonna also have to think about that, about doxing, about disinformation, about, you know, misleading videos being posted online, about ways to to induce self care. So there is this whole host of content moderation questions that companies are navigating as well. And so that's another area that CDT is very focused on and trying to work in close collaboration both with decision makers inside the companies, but then with civil society allies and all of the folks in the reproductive rights community who are trying to make sure, that people are protected and can get the support they need.
Speaker 2
19:45 – 20:15
Wow. Well, I I must say it sounds like there's a lot of work in in front of all of us, over the next coming months. So, Alex and Jake, I I wanna thank you both for for joining us here on Tech Talk, and, and we really appreciate your time and your and your conversation today. This was great. Thank you so much. Thank you. And for our listeners, if you'd like to learn more about CDT or our work with Dobbs, please visit cdt.org. I'm Jamal Magby, and thank you so much for talking tech.