Off the Kuff

More dimensions for privacy in the post-Roe world

The fall of Roe is a big boon for cyberstalkers.

All too frequently, people monitor our intimate lives in betrayal of our trust—and it’s often those we know and love. They don’t even need to be near us to capture our data and to record our activities. Surveillance accomplished by individual privacy invaders will be a gold mine for prosecutors targeting both medical workers and pregnant people seeking abortions.

Intimate partners and exes download cyberstalking apps to personal devices that give them real-time access to everything that we do and say with our phones. To do this, they only need our phones (and passwords) for a few minutes. Once installed, cyberstalking apps silently record and upload phones’ activities to their servers. They enable privacy invaders to see our photos, videos, texts, calls, voice mails, searches, social media activities, locations—nothing is out of reach. From anywhere, individuals can activate a phone’s mic to listen to conversations within 15 feet of the phone.

Now and in the future, that may include conversations that pregnant people have with their health care providers—nurses, doctors, and insurance company employees helping them determine their life’s course and the future of their pregnancies. Victims of such privacy violations are never free from unwanted monitoring. Abusers count on them to bring their cellphones everywhere, and they do, as anyone would.

For abusers, finding cyberstalking apps is as easy as searching “cellphone spy.” Results return hundreds of pages. In my Google search results, a related popular search is “spy on spouse cell phone.” More than 200 apps and services charge subscribers a monthly fee in exchange for providing secret access to people’s phones. When I first began studying stalkerware in 2013, businesses marketed themselves as the spy in a cheating spouse’s pocket. Their ads are more subtle now, though affiliated blogs and videos are less so, with titles like “Don’t Be a Sucker Track Your Girlfriend’s iPhone Now: Catch Her Today.”

Though we don’t have precise numbers of stalkerware victims, domestic violence hotlines in the United States help more than 70,000 people every day, and according to the National Network to End Domestic Violence as many as 70 percent of those callers raise concerns about stalkerware. A 2014 study found that 54 percent of domestic abusers tracked victims’ cellphones with stalkerware. Security firm Kaspersky detected more than 518,223 stalkerware infections during the first eight months of 2019, a 373 percent increase from that period in 2018. Millions of people, right now, are being watched, controlled, and manipulated by partners or exes. The United States has the dubious distinction of being one of the leading nations in the number of stalkerware users around the world. That destructive accomplishment has a disproportionate impact on women, LGBTQ individuals, and people from marginalized communities.

Abusers will use intimate data obtained from stalkerware to terrorize, manipulate, control, and—yes—incriminate victims. Now that a woman’s exercise of her reproductive liberty is soon to be, or already is, a crime in many states, abusers have even more power to extort and terrorize victims. They may threaten to disclose information about abortions unless women and girls give in to their demands, including having unwanted sex or providing intimate images, both forms of sextortion. (Sextortion routinely involves threats to disclose intimate information like nude images unless victims send more images or perform sex acts in front of webcams.) If victims refuse to give in to their demands (and even if they do), privacy invaders may post information about abortions online and report it to law enforcement. Two birds, one stone: the ability to humiliate, terrorize, and financially damage victims and to provide evidence to law enforcement. Exes can extinguish victims’ intimate privacy by enabling their imprisonment.

The law’s response to intimate privacy violations is inadequate, lacking a clear conception of what intimate privacy is, why its violation is wrongful, and how it inflicts serious harm upon individuals, groups, and society. Legal tools—criminal law, tort law, and consumer protection law—tackle some privacy problems, but few (if any) capture the full stakes for intimate privacy. In criminal law, privacy violations are mostly misdemeanors, which law enforcers routinely fail to pursue when reported. Criminal law is woefully underenforced when the illegality involves gendered harms, like privacy violations and sexual assault where victims are more often female and LGBTQ individuals. (Yet when the very same people are the alleged perpetrators, law enforcement eagerly investigates.) Because policymakers fail to recognize the autonomy, dignity, intimacy, and equality implications of intimate privacy violations, we have too few protections.

Call me crazy, but I don’t see any chance that legislation to deal with these issues will pass in the next Texas legislative session. Maybe in the next Congress, if Dems can hold the House and pick up a couple of Senate seats to overcome the Manchin/Sinema blockage – in other words, possible but a long shot. We know the House can do it, at least. Otherwise, good luck to you.

Another place where existing law falls short: HIPAA doesn’t cover medical apps.

The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, does not apply to most apps that track menstrual cycles, just as it doesn’t apply to many health care apps and at-home test kits.

In 2015, ProPublica reported how HIPAA, passed in 1996, has not kept up with changes in technology and does not cover at-home paternity tests, fitness trackers or health apps.

The story featured a woman who purchased an at-home paternity test at a local pharmacy and went online to get the results. A part of the lab’s website address caught her attention as a cybersecurity consultant. When she tweaked the URL slightly, a long list of test results of some 6,000 other people appeared.

She complained on Twitter and the site was taken down. But when she alerted the Office for Civil Rights within the U.S. Department of Health and Human Services, which oversees HIPAA compliance, officials told her they couldn’t do anything about it. That’s because HIPAA only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.

Deven McGraw is the former deputy director for health information privacy at the HHS Office for Civil Rights. She said the decision overturning Roe, called Dobbs v. Jackson Women’s Health Organization, should spark a broader conversation about the limits of HIPAA.

“All of a sudden, people are waking up to the idea that there’s a lot of sensitive data being collected outside of HIPAA and asking, ‘What are we going to do?’” said McGraw, who is now the lead for data stewardship and data sharing at Invitae, a medical genetics company. “It’s been that way for a while, but now it’s in sharper relief.”

McGraw noted how that’s not just the case for period-tracking apps but also some apps that store COVID-19 vaccine records. Because Congress wrote HIPAA, lawmakers would have to update it to cover those cases. “Our health data protections are badly out of date,” she said. “But the agencies can’t fix this. This is on Congress.”

Consumer Reports’ digital lab evaluated eight period-tracking apps this spring and found that four allowed third-party tracking by companies other than the maker of the app. Four apps stored data remotely, not just on the user’s device. That makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, though one of the companies surveyed by Consumer Reports has said it would shut down rather than turn over users’ data.

In a press release last week, HHS sought to allay worries with some advice that sounds reassuring.

“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care,” HHS said in the release.

The document quoted HHS Secretary Xavier Becerra about the protections provided by HIPAA: “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated to file a complaint with the Office for Civil Rights.

See above in re: the chances of federal legislation passing. Also note that until the law is updated, if a Republican wins the Presidency, they’ll appoint the HHS secretary and will set the direction for that agency regarding patient privacy. How much faith do you want to put in that?
