This story was originally published by ProPublica
Online pharmacies that sell abortion pills are sharing sensitive data with Google and other third parties, which may allow law enforcement to prosecute those who use the medications to
end their pregnancies, a ProPublica analysis has found.
Using
a tool created by the Markup, a nonprofit tech-journalism newsroom, ProPublica ran checks on 11 online pharmacies that sell abortion medication to reveal the web tracking technology they use. Late last year and in early January, ProPublica found web trackers on the sites of at least nine online pharmacies that provide pills by mail:
Abortion Ease,
BestAbortionPill.com,
PrivacyPillRX,
PillsOnlineRX,
Secure Abortion Pills,
AbortionRx,
Generic Abortion Pills,
Abortion Privacy and
Online Abortion Pill Rx.
These third-party trackers, including a Google Analytics tool and advertising technologies, collect a host of details about users and feed them to tech behemoth Google, its parent company, Alphabet, and other third parties, such as the online chat provider LiveChat. Those details include the web addresses the users visited, what they clicked on, the search terms they used to find a website, the previous site they visited, their general location and information about the devices they used, such as whether they were on a computer or phone. This information helps websites function and helps tech companies personalize ads.
But the nine sites are also sending data to Google that can potentially identify users, ProPublica’s analysis found, including a random number that is unique to a user’s browser, which can then be linked to other collected data.
“Why in the world would you do that as a pharmacy website?” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute at the University of California, Berkeley. “Ultimately, it’s a pretty dumb thing to do.”
Representatives for the nine sites did not respond to requests for comment. All were recommended on the popular website
Plan C, which provides information about how to get abortion pills by mail, including in states where abortion is illegal. Plan C acknowledged that it does not have control over these sites or their privacy practices.
While many people may assume their health information is legally protected, U.S. privacy law does little to constrain the kind or amount of data that companies such as Google and Facebook can collect from individuals. Tech companies are generally not bound by the Health Insurance Portability and Accountability Act, known as HIPAA, which limits when certain health care providers and health plans can share a patient’s medical information. Nor does federal law set many limits on how companies can use this data.
Law enforcement can obtain people’s data from tech companies such as Google, whose privacy policies say the companies reserve the right to share users’ data with law enforcement. Google
requires a court order or search warrant, which law enforcement can obtain with probable cause to believe a search is justified. The company received
more than 87,000 subpoenas and search warrants in the U.S. in 2021, the most recent year available; it does not provide a breakdown of these requests by type, such as how many involved abortion medication.
In a statement, Steve Ganem, product director of Google Analytics, said: “Any data in Google Analytics is obfuscated and aggregated in a way that prevents it from being used to identify an individual and our policies prohibit customers from sending us data that could be used to identify a user.”
Google pledged last year that it would
delete location history data related to people’s visits to abortion and fertility clinics, but the company has not announced any changes since then related to data involving abortion pill providers or how it handles government requests for data. A Google spokesperson did not respond when asked whether the company has turned over any data to law enforcement about users of online pharmacies that provide abortion medication or whether it has been asked to do so.
“This is problematic and dangerous — both the potential access that law enforcement has to figure out who is violating our new state bans and that we’ve let tech companies know so much about our private lives,” said Anya Prince, a law professor at the University of Iowa who focuses on health privacy. “It shows us how powerful this data is in scary ways.”
Continue Reading…