Online pharmacies that sell abortion pills are sharing sensitive data with Google and other third parties, which may allow law enforcement to prosecute those who use the medications to end their pregnancies, a ProPublica analysis has found.
Using a tool created by the Markup, a nonprofit tech-journalism newsroom, ProPublica ran checks on 11 online pharmacies that sell abortion medication to reveal the web tracking technology they use. Late last year and in early January, ProPublica found web trackers on the sites of at least nine online pharmacies that provide pills by mail: Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy and Online Abortion Pill Rx.
These third-party trackers, including a Google Analytics tool and advertising technologies, collect a host of details about users and feed them to tech behemoth Google, its parent company, Alphabet, and other third parties, such as the online chat provider LiveChat. Those details include the web addresses the users visited, what they clicked on, the search terms they used to find a website, the previous site they visited, their general location, and information about the devices they used, such as whether they were on a computer or phone. This information helps websites function and helps tech companies personalize ads.
But the nine sites are also sending data to Google that can potentially identify users, ProPublica's analysis found, including a random number that is unique to a user's browser, which can then be linked to other collected data.
"Why in the world would you do that as a pharmacy website?" said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute at the University of California, Berkeley. "Ultimately, it's a pretty dumb thing to do."
[...] While many people may assume their health information is legally protected, US privacy law does little to constrain the kind or amount of data that companies such as Google and Facebook can collect from individuals. Tech companies are generally not bound by the Health Insurance Portability and Accountability Act, known as HIPAA, which limits when certain health care providers and health plans can share a patient's medical information. Nor does federal law set many limits on how companies can use this data.
Law enforcement can obtain people's data from tech companies such as Google, whose privacy policies say the companies reserve the right to share users' data with law enforcement. Google requires a court order or search warrant, which law enforcement can obtain with probable cause to believe a search is justified. The company received more than 87,000 subpoenas and search warrants in the US in 2021, the most recent year available; it does not provide a breakdown of these requests by type, such as how many involved abortion medication.
[...] Users can install a web browser, such as Brave or Firefox, that offers privacy protections. They can also install browser extensions to block third-party trackers and adjust the privacy settings on their browsers. But these steps aren't always foolproof. Tech companies can still subvert them using hidden tools that users cannot see, and they likely retain vast troves of data that are beyond users' control.
"Individuals are not going to solve this problem; technical solutions aren't going to solve this problem," said Chris Kanich, associate professor of computer science at the University of Illinois at Chicago. "These trillion-dollar companies of the economy aren't going anywhere. So we need policy solutions."