(Bloomberg) -- Technology giants including Apple Inc., Microsoft Corp. and Google, facing questions about whether they’d hand over users’ personal data to authorities pursuing evidence on abortion seekers, are bracing for the multi-state legal quagmire that will govern privacy in a post-Roe world.
From map searches to private messages, a trove of information stored in the companies’ data centers could be used as a digital trail of breadcrumbs linking a patient to the termination of a pregnancy, a procedure being restricted in multiple US states, after the Supreme Court overturned Roe v. Wade. The largest tech companies, which have in the past mounted high-profile legal opposition to law enforcement data requests, have been largely silent about what they’ll do in these cases.
Consider a hypothetical online search for abortion pills: A woman in Texas searches for "mifepristone" and buys it from a New York pharmacy. Google may have a record of the web search, and the receipt may land in a Microsoft Outlook inbox. Google is based in California and Microsoft in Washington, but digital records of her queries and her inbox may be stored at Google’s data center in New Albany, Ohio, or Microsoft’s in Des Moines, Iowa. If law enforcement officials in Texas seek evidence from Google or Microsoft, a clash of four different sets of state laws and two companies may ensue. It’s a question that could be replicated across a host of different online services and data sources—and involve information that in many states could incriminate not just patients, but their confidants and health-care providers.
“The world has changed in many fundamental ways since 1972—since the pre-Roe world—but one of the most important ways its changed that’s relevant here is we have a digital surveillance apparatus that didn’t exist before,” said Corynne McSherry, legal director at the Electronic Frontier Foundation, a digital-rights advocacy group based in San Francisco. “It’s going to be very, very messy, and a lot will depend on what companies decide to do in terms of pushback.”
The situation may put technology companies under the most acute pressure over data-sharing practices since the backlash following Edward Snowden’s revelations of big corporations’ cooperation with U.S. government surveillance in 2013. Those disclosures caused some companies, like Microsoft, to issue specific public guarantees to customers about how they would handle government data requests and fight them in certain instances.
Tech companies are already coming under pressure to similarly oppose abortion-related data requests. Still, because abortion views in the US are so polarized, the companies are almost certain to encounter pushback no matter what they decide to do, which may be why they’re staying mostly quiet for now, waiting for specific requests to publicly communicate a broad policy.
Some are taking early steps to reassure customers. Google on July 1 said it will automatically delete location-tracking records of user visits to sensitive places, including abortion clinics, and will make it easier to delete period logs from its Fitbit app. The Alphabet Inc.-owned search giant also underscored its track record of fighting government requests for information that the company deems inappropriate.
“We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable,” the company said in a blog post. Google declined to specify if it would fight abortion-related data requests, and didn’t mention the changing legal landscape at all.
Apple said it builds privacy protections into it products and is particularly careful with software and devices that relate to health care. For example, if a user’s iPhone is locked with a passcode, fingerprint or Face ID, the health and fitness data is encrypted. On the latest version of the operating systems for the company’s watches and phones, if users opt for two-factor authentication, health and activity data can’t be viewed by Apple, including information in the period-tracking features of the health app. Apple also places privacy requirements on developers who sell through its App Store. The company didn’t comment on how it might respond to an abortion-related warrant or subpoena for user data.
Microsoft, which runs large email and chat apps, also declined to say what it will do. So did Meta Platforms Inc., owner of Facebook, Instagram and WhatsApp. Amazon.com Inc., the largest cloud-infrastructure company and owner of health-care services like Amazon Care and Amazon Pharmacy, also declined to comment.
Microsoft and Apple just a few years ago fiercely fought against US government or law enforcement demands that they turn over user data or unlock phones, gaining support from many other tech firms and privacy advocates for their stances. Apple in 2016 refused to unlock the phone of one of the gunmen in a mass shooting in San Bernardino, California, even after it was sued by the FBI. Microsoft took the US Justice Department all the way to the Supreme Court with the company’s refusal to turn over the emails of a suspected drug trafficker that were stored in Ireland.
It’s unclear whether the companies will go to battle to protect women and health-care providers facing possible prosecution over abortions. The situation is complicated by the patchwork of state laws on reproductive choice, and an industry in which data isn’t always stored in the state where a patient resides or where a company is based. Patients may have to travel to seek care, or seek pills from elsewhere, and it’s not known which jurisdiction would prevail in a tussle over data. Companies will be facing warrants and subpoenas in both civil and criminal cases.
There are also varying state laws protecting the privacy of health-care data specifically, as well as the federal Health Insurance Portability and Accountability Act, or HIPAA. The rules are different based on how a company is classified and what kind of personal information it holds, said Iliana Peters, shareholder at Washington DC law firm Polsinelli. Because health plans and care providers that take insurance from those insurers are covered by HIPAA, it’s probable that the cloud-computing providers that store data for them could be covered, too.
At the same time, a court order that’s signed by a judge or court-ordered warrant could permit a HIPAA entity to provide the data, Peters said, but “the entity could challenge the order if they felt strongly about not disclosing that information.”
Some companies have referred to past statements and policies when asked about how they’d handle personal data requests related to abortion. “We always scrutinize every government request we receive to make sure it is legally valid, no matter which government makes the request,” Meta said in May. “We comply with government requests for user information only where we have a good-faith belief that the law requires us to do so. In addition, we assess whether a request is consistent with internationally recognized standards on human rights.”
Most large technology companies publish regular updates on how many requests they get from courts, governments and law enforcement in the US and other countries. Still, those reports indicate that the companies comply with the vast majority of requests. In its most recent summary, Meta reported it got about 215,000 requests globally for the final six months of 2021, and handed over at least some data in almost 73% of cases. In 70% of cases, the company wasn’t allowed to notify the impacted users. For that same period, Microsoft received 25,182 requests and rejected a quarter of them. Google’s most recent data, for the first half of last year, showed the search company got just over 50,000 requests and gave up some data in 82% of cases.
Tech workers are also pressuring employers to take a stand against sharing data. After Google released its updates on consumer privacy, the labor group Alphabet Workers Union called on the company to take “decisive action” in the face of legal challenges.
States where abortion remains legal have also been taking steps to bolster support for women living in areas with harsher restrictions. Washington Governor Jay Inslee pledged to block hardline anti-abortion jurisdictions from accessing information on who travels to his state for the procedure, and California’s Gavin Newsom signed an order preventing medical records and patient data from being shared by state agencies or departments as part of investigations by states that limit abortion access.
Meanwhile, some cases are testing law enforcement agencies’ right to access users’ search history as a dragnet to find evidence. A 17-year-old charged with setting a deadly fire filed suit in a Denver court challenging police use of something called reverse-keyword searching. A judge’s order had compelled Google to scan its records of all queries for anyone searching for the address of the home set on fire in 2020, NBC News reported.
“It’s going to be years of litigation before we really have clarity around the question of the data,” EFF’s McSherry said. “And also of course, around whether you can prosecute—whether legitimate prosecution or not—if it’s across state lines.”