Third-party data brokers give police warrantless access to 250 million devices.
It's not clear yet what role tech companies will play in helping police access data to prosecute abortions in post-Roe America, but it has already become apparent that law enforcement is willing to be sneaky when seeking data.
Cops revealed one potential tactic they could use back in June, when Meta faced scrutiny from reproductive rights activists for complying with a search warrant request from police in Madison County, Nebraska. The Nebraska cops told Meta they were investigating a crime under the state’s “Prohibited Acts with Skeletal Remains.”
But what they were actually investigating was a case involving a woman, Jessica Burgess, who was suspected of aiding her 17-year-old daughter, Celeste Burgess, in procuring an unlawful abortion in the state at 23 weeks. The mother and daughter previously told police that Celeste miscarried, but—in part because of data Meta supplied—the mother is now being prosecuted for unlawfully aiding her daughter in an abortion. Celeste is being prosecuted as an adult for other crimes.
Meta seemed blindsided by criticism over its decision to comply with these Nebraska warrants. At the time, a Meta spokesperson told Ars that “nothing in the valid warrants we received from local law enforcement in early June, prior to the Supreme Court decision” overturning Roe v. Wade, “mentioned abortion."
Some of Meta’s toughest critics didn’t buy into Meta’s explanation. Civil rights litigator Cynthia Conti-Cook and Digital Defense Fund (DDF) director Kate Bertash, both experts tracking digital surveillance of abortion, wrote in the Los Angeles Times that Meta could have discovered the true intentions of the investigation if the company had followed its own policies and reviewed the data before sharing it with law enforcement.
Facebook had the option there, the op-ed suggested, to lean on its policy to “conduct a careful review of each law enforcement request to disclose user data for consistency with international human rights standards.” Because the United Nations protects access to abortion under international human rights law, Facebook could potentially have fought the warrant from Nebraska police, these experts claimed, but it did not.
The op-ed didn't specify, however, what legal basis there would be for a US-based company like Facebook to argue in a US court to uphold its own policies adhering to international human rights laws when those policies seem to conflict with US laws.
The experts pointed in the op-ed to the Convention on the Elimination of All Forms of Discrimination against Women, a 50-year-old agreement that includes the right to abortion access—which the US famously signed but never ratified, the United Nations recently noted.
DDF does not respond to any press requests, and Conti-Cook told Ars that "Facebook should be the one to explain whether and how they apply their policies about considering international human rights standards to legal requests, as their website promises users, or whether those promises are meaningless and not applied equally in the US.” Meta did not respond to multiple requests to clarify whether its policy means it will only push back against law enforcement requests violating international human rights standards that align with US laws.
Lawyers representing Celeste and Jessica Burgess did not respond to Ars’ requests for comment. For many following their story, though, the mother and daughter’s data seizure became a prime example of how Big Tech companies would help law enforcement investigate abortions. Because of digital surveillance, experts say that abortion in post-Roe America could be prosecuted at levels unprecedented in US history because, without digital surveillance, abortion has been historically harder for police to track.
But just because Big Tech companies collect the most information on Americans, that doesn’t mean Facebook or Google will inevitably be the primary force driving abortion-related arrests. As abortion access becomes further restricted nationwide—and new legal gray areas emerge as other states pass laws attempting to protect access—the courts will have to decide which laws stand up against the others and which evidence is compelling. There will likely be other kinds of tech not yet widely known that could prove more useful to police in conducting abortion surveillance and winning guilty verdicts. A staff technologist and privacy advocate for the Electronic Frontier Foundation (EFF) tracking abortion-related privacy concerns, Daly Barnett, told Ars that even before Roe v. Wade was overturned, it was already “a constant battle" for privacy experts struggling to keep up with "what new surveillance technologies law enforcement is abusing.”
The EFF recently revealed one example of a new surveillance technology granting cops access to data that nobody knew they had. A joint investigation from the EFF and the Associated Press brought to light police software called Fog Reveal, which EFF described as a potentially illegal tool that police were trying to keep secret.
Functioning like Google Maps, Fog Reveal is marketed to police departments as a cheap way to harvest data from 250 million devices in the US. For several thousand dollars annually, the software lets police trace unique borders around large, customized regions to generate a list of devices in the area. Police can use Fog Reveal to geofence entire buildings or street blocks—like the area surrounding an abortion clinic—and get information on devices used within and surrounding those buildings to identify suspects. On top of identifying devices used in a targeted location, Fog Reveal also can be used to search by device and see everywhere that device has been used. That means cops could identify devices at a clinic and then follow them home to identify the person connected to that device. Or they could identify a device and follow it to an abortion clinic.
The EFF discovered that Fog Reveal is already covertly used by police in various states, sometimes to conduct warrantless searches. Police demonstrating interest in the tool shows how all those smaller, less-scrutinized apps that sell user data to third parties could end up collectively contributing more data to local and state police investigations than is expected from even the biggest tech giants.
In the “worst-case scenario,” Fog Reveal could become a go-to tool allowing police to track abortions in-state and across state lines, EFF policy analyst Matt Guariglia told Ars. Because unlike similar scenarios in which major tech companies like Meta or Google are served warrants compelling them to supply data to police investigating crimes, abortion data surveillance via Fog Reveal could seemingly be conducted without warrants and without any legal oversight. That invisibility could be a desirable feature as states prepare to strictly enforce laws across state lines that either shield or block access to abortion. No one can protest another state using the tool if it's never named in court, and that, Guariglia told Ars, is often the case with Fog Reveal. As one Maryland-based sergeant wrote in a department email—touting the benefit of "no court paperwork" before purchasing Fog Reveal—the tool’s "success lies in the secrecy."
“All [police] need to do is know where [the abortions are] happening, then click and drag a box on a map and then follow all of the cellphones in the city to wherever they go next,” Guariglia said.
Fog Reveal poses a unique threat to privacy
To sell police access to its data, Fog Reveal relies on user privacy agreements between apps and their users. These agreements secure broad consent to sell user information to third-party data brokers, who can then sell it to police. It's another sneaky strategy for police that allows data brokers to claim that users gave consent for police to access their data, even though it appears that no user is ever informed when police access that data on Fog Reveal. EFF’s investigation found that local and state police agencies have licensed Fog Reveal for annual costs of between $6,000 and $40,000, with the owner of the software, Fog Data Science, marketing it as a way for police departments to save money.
Fog Reveal’s data source, the EFF and AP found, is Venntel, the same data source the feds use in their criminal investigations. Venntel previously told Ars that "the confidential nature of our business relationships" prevents the company from responding to questions. Fog Data Science Chief Operations Officer Matthew Broderick told the AP that "local law enforcement is at the front lines of trafficking and missing persons cases, yet these departments are often behind in technology adoption.” He suggested that Fog Reveal fills “a gap for underfunded and understaffed departments" investigating those complicated cases.
The EFF has found no evidence so far that Fog Reveal has been used to prosecute any abortions. Ars attempted to ask for confirmation from Fog Data Science, but the PR firm that Fog Data Science hired, Fusion PR, stopped responding after promising to follow up with a statement. Ars also attempted to contact Broderick, but he also did not respond to repeated requests for information. Guariglia confirmed that EFF never heard back from Fog Data Science after publishing its investigation.
Privacy concerns over Fog Reveal are a “cousin” to privacy concerns about geofence and reverse keyword search warrants, Guariglia told Ars. Law enforcement agencies serve those warrants to tech companies to access data like private Facebook messages or Google search histories. In those cases, police can theoretically request, for example, that Google collect data on every device within a specified area or anyone searching “abortion clinics near me.” Although resisting law enforcement requests appears rare, Guariglia said that because those data requests are warranted, tech companies at least have the choice to “dip into that giant well of resources and legal personnel they have to really attempt to resist those warrants.” Especially when warrants are “overly broad.”
Responding, Meta says it will only push back on “deficient” or “overly broad” law enforcement requests. Google directed Ars to a blog post pointing to its history of resisting law enforcement data requests and advocating for privacy laws. Other tech companies, including Amazon, Apple, TikTok, and Twitter, didn’t respond to repeated requests for comment.
With Fog Reveal, there is seemingly no opportunity for the tech companies that originally collected the data from users of small apps to push back against overly broad law enforcement requests. Instead, those smaller apps get cut out of the picture entirely when they sell the data they collect to third parties, who then end up supplying Fog Reveal’s data source Venntel with "hundreds of billions of records from 250 million mobile devices,” as Fog Reveal’s marketing materials claimed in 2019. In 2021, Congress introduced a now-stalled bill that aims to make it illegal for police to buy data from sources like Fog Reveal in order to seize data without warrants. For now, though, it remains in a legally gray area.
To the EFF, Fog Reveal represents a new extreme more ominous than other dubious ways that law enforcement has previously conducted data surveillance, precisely because police have stayed so tight-lipped about the tool. Very few people know that Fog Reveal exists.
Since publishing its Fog Reveal report, the EFF has received some support from Congress. In September, Representative Anna Eshoo (D-CA) wrote a letter urging the Federal Trade Commission to “immediately investigate Fog.” In her letter, she described Fog Reveal as “incompatible” with the Fourth Amendment, as it permits police to conduct warrantless mass surveillance.
How police could use apps to investigate abortion
This summer, The Washington Post reported that police have wrongly prosecuted abortions based on misleading text messages and abortion-related searches where it was later proven that no abortions occurred. Jaclyn Dean, a National Partnership for Women & Families reproductive rights policy expert, told Ars that legal battles between states that either criminalize or protect the procedure are expected to be “ongoing,” and privacy advocates say it will be up to users to track shifting state laws if they want to protect their data.
Abortion policy whiplash feels something like watching Senator Lindsey Graham (R-SC) introducing a federal abortion ban at 15 weeks, then two weeks later seeing the state of California ban all state-based tech companies—like Google, Meta, and Twitter, to name a few—from complying with abortion-related warrants. The situation is hard to track at both state and federal levels, and Dean noted that because laws are changing so fast, “people are generally very confused about what the state of legality is on abortion, no matter where they live.”
Reproductive rights experts and Democratic state lawmakers told Ars they're concerned that police from states with heavy restrictions could reach across state lines to potentially prosecute abortions that are performed in places where it’s still legal, possibly going after both patients and providers. California’s law and other state laws attempt to stymie that by protecting abortion data, granting rights to non-residents to access healthcare services, and shielding abortion providers. Graham and other Republican lawmakers did not respond to Ars’ requests for comment on recent policy shifts restricting abortion access proposed at the federal level or implemented in red states.
As states battle for political high ground, it’s unclear how successful states from either side will be in enforcing their own laws in other states, but tech companies are expected to be firmly in the middle of these battles. Some of the biggest tech companies have said they will have no choice but to comply with most law enforcement data requests. And even with ambitious laws that get creative in attempts to shield reproductive health data nationwide, like California's recent law, the Meta case from this summer shows that law enforcement could seemingly skirt any law attached to abortion-related warrants just by omitting any mention of abortion in their warrants.
In the Meta case, police began suspecting that Celeste Burgess was hiding an abortion when an attentive Nebraska detective noticed that the teen checked her Facebook Messenger when asked to provide the date of her alleged miscarriage. Wanting to get at the teen’s data, the cops then issued the warrant, not mentioning abortion. They asked Meta to provide Facebook records and ordered Meta not to tell Celeste or Jessica about the data seizure.
Meta complied, sending over what was requested, including every uploaded photo of the mother and daughter, plus every photo they'd been tagged in, all their private messages, and location data via their IP logs.
Police found that in messages with her daughter, Jessica referred to pills, hormones, and dose times. Once law enforcement had those messages and other Facebook data, an officer’s affidavit showed they had enough evidence to pursue a second search warrant, this time seizing more than a dozen laptops and phones.
After getting hit with back-to-back waves of data seizures, both mother and daughter were arrested on misdemeanor and felony charges, and they now face individual trials scheduled for this upcoming December and January at the Madison County District Court. Celeste has waived her right to a speedy trial and will be charged as an adult. Jessica now faces multiple felony charges, including one for allegedly performing an abortion after 20 weeks as an unlicensed abortion provider.
If it happened to them, it could happen to others, and serving warrants to Big Tech companies like Meta or Google is still expected to be the most predictable path for law enforcement to request abortion-related data. These warrants could target individuals already suspected of having abortions, or police could use them to conduct “digital dragnets,” relying on common data surveillance tactics already used by police investigating crimes like drug trafficking to potentially generate a list of suspects.
Some Big Tech companies have recently taken small steps to defend data privacy that could shield more abortion-related data. Perhaps the biggest win for privacy advocates was Apple's decision to start asking users if they want to opt out of activity tracking from apps with a single click. The EFF reported that Apple made it so easy that nearly all iOS users chose to opt out of tracking, reportedly causing Facebook to lose billions and small businesses to lose profits, too.
Meta said it plans to start reducing the personal information it collects and shares with advertisers. Google said it would delete location data stored during abortion clinic visits. But the Guardian reported that no major tech company came forward to make changes that fully protect vulnerable users—because they would have to change entire business models to do so—and Bloomberg reported that experts expect that all tech companies will comply with at least some law enforcement requests for data.
Some smaller apps, like pregnancy or period-tracking apps, have also been heavily scrutinized because they specifically collect reproductive health data. While it’s possible that these apps will also be served warrants by law enforcement, another concern is that police will seize an individual’s devices, as Celeste’s and Jessica’s were, and then smaller apps can serve as an evidence base, too. Warrants would be required in both those instances, but adding in the potential for police to have warrantless access to a tool like Fog Reveal, it becomes clearer how abortion-related data collected by smaller apps could offer police as many opportunities as the major apps when generating evidence on suspects, if not more.
And if there ever comes a time when states decide to prosecute abortion retroactively, Guariglia said the potential police use of Fog Reveal to investigate abortions suddenly becomes “twice as scary” because many people’s devices log historical data.
“Just knowing that this tool exists now and knowing the very, very limited oversight that the police have when using it, that is absolutely terrifying to think about that tool being used to criminalize and investigate people's reproductive issues,” Guariglia told Ars.
Expecting laws to change
Cops won't be the only ones getting sneaky with abortion-related data as laws change. While Celeste and Jessica Burgess await trial after talking on Facebook about mail-ordered abortion pills, access to abortion in some states has already become so limited that The New Yorker recently described how activists have formed a “post-Roe underground.” Relying on encrypted Signal texts, activists have been smuggling abortion pills from Mexico to people seeking abortions in Texas, which restricts access after only six weeks.
As pregnant people navigate this gray terrain to weigh all available options, US President Joe Biden seems to be dangling a promise to make things more black and white by codifying federal abortion protections—but only if enough Democrats were elected to Congress in the midterms. Although the midterms delivered what CNN called a "ringing endorsement" of abortion rights from voters, Democrats didn't get enough votes for Biden to follow through. The president called it last week, announcing in a press conference, "I don’t think there’s enough votes to codify."
Because of the staunch political divide between parties on abortion, attempts by Congress so far to codify Roe, guarantee abortion access, provide abortion travel funds, and protect reproductive health data have faced serious hurdles and are not expected to pass—if they’ve not already failed.
Jaclyn Dean, the reproductive rights policy expert, said that although attempts to codify Roe failed and many predict that the Ensuring Access to Abortion Act is likely to fail next, Biden recently signed an executive action that was a “really big step” for reproductive rights advocates. The president authorized the Department of Health and Human Services to work with states to help pregnant people fund abortion travel using Medicaid waivers. But even while that travel could be federally funded, anti-abortion states have already shown that legal risks could follow pregnant people across state lines. And Fog Reveal shows how police could easily track them.
Some states have taken steps to block other states from any potential overreaches. Connecticut protects abortion providers and anyone getting an abortion in the state (not just residents). Colorado Governor Jared Polis signed an executive order mandating that Colorado won’t cooperate with other states’ investigations. Delaware forbids health providers from releasing abortion records to be used as evidence in other states’ investigations.
At the federal level, potentially the most ambitious legislation regarding reproductive health data is the My Body, My Data Act, which Dean said is a “very rare” bill specific to reproductive rights that “really addresses the specific needs of people who are fearful of having their data tracked.” That bill was introduced in Congress in June but faces similar hurdles to passing as all the other abortion rights-related legislation.
As all these new laws have been debated and some cast down, Biden took executive action in July and asked the FTC to do more to regulate reproductive health data surveillance. Recently, the FTC seemed to follow through on that demand by suing a firm that was allegedly selling sensitive data on abortion clinic visits.
The EFF's Guariglia said that data brokers feeding law enforcement more options to conduct even more mass surveillance is “a huge problem that is really ripe for solving.” As the FTC mulls Eshoo’s letter recommending an investigation into Fog Reveal, Guariglia is waiting to see if other Congress members will take an interest in both Fog Reveal’s legal concerns and broader concerns about technologies buying and selling third-party data to police. Those concerns have long prompted calls for comprehensive data privacy laws.
The bipartisan American Data Privacy and Protection Act has also been introduced in Congress. If passed, it would set a new standard nationwide for how much data can be collected while granting the right to sue for violations of privacy. It could fare better than bills that specifically mention abortion—like My Body, My Data—while incidentally protecting abortion-related data from improper police access by broadly restricting all companies from indiscriminately collecting and selling data to third parties.
The EFF's Daly Barnett told Ars that approaching apps with more caution is all that can be done until comprehensive consumer privacy laws are enacted that would restrict data collected on both niche and popular apps that people love to use and hate to give up.
Barnett said there is no one-size-fits-all approach to protecting abortion-related data. Each individual must be aware of what information is being collected, where it's stored, and who has access to it. If figuring that out feels difficult, it’s probably because those are the very things tech companies have been criticized for obscuring in their user agreements. Getting users to opt in to selling data to third parties ensures the profitability of free services. Apple's privacy changes in the past year show how hard-hit businesses could be if all users suddenly opted out.
Because of concerns about abortion surveillance, privacy-focused organizations like the EFF and the DDF have created guides to help users protect sensitive data from being accessed by both tech companies and law enforcement. Barnett said the guides offer easy steps to take to raise adequate defenses against invasive data collection across all apps and all devices.
“Right now, it's up to the individual end users of these technologies to protect themselves,” Barnett said.
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.