The Impact of the Post-Dobbs Criminalization of Abortion on the Cybersecurity Ecosystem in the United States

By Rebecca Saber

March 27, 2023

*This is the third post in our series Life after Roe: Grappling with the New Abortion Rights Reality. You can find the rest of the posts in the series here.*

When the Supreme Court decided Dobbs v. Jackson Women’s Health Org., the landscape of data privacy in the United States changed immensely.1142 S. Ct. 2228 (2022). By overturning Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey, cases that established the fundamental right to abortion, the Court decided that the “authority to regulate abortion must be returned to the people and their elected representatives.”2Id. at 2279; see generally Roe v. Wade, 410 U.S. 113 (1973); Planned Parenthood of Southeastern Pa. v. Casey, 505 U.S. 833 (1992). Casey codified Roe; both cases were overturned by Dobbs. Abortion rights are now in the hands of state governments rather than the federal government. Thirteen states enacted trigger laws that came into effect immediately after the Court overturned Roe.3Alabama, Arkansas, Kentucky, Louisiana, Missouri, Oklahoma, South Dakota, Tennessee, Texas, and Wisconsin have no abortion exceptions for rape or incest. Idaho is in the midst of litigation regarding whether doctors should be punished for performing an abortion if the patient’s health is at risk. Mississippi bans abortion in all cases except for rape. West Virginia bans all exceptions except for cases of rape or incest. Georgia’s ban on abortion after 6 weeks was reinstated by the State Supreme Court while it awaits appeal. Including Georgia, fourteen states ban abortion before a woman even knows she is pregnant. These laws essentially banned abortion in its entirety in these states. This number continues to grow; the future of abortion in several of the other thirty-seven states largely hinges on pending state legislation. The near-total or complete bans on abortions have forced pregnant women4This piece mostly will use the gendered terms “woman” or “women” when referring to individuals who seek abortion services. I have chosen to use the gendered terminology because the impact of the curtailment of legal abortions and the decreased ability to access abortion care falls primarily on those who identify as women. Issues surrounding reproductive care and abortion services do not only impact individuals who identify as female: transgender men and nonbinary individuals also are impacted by the end of federal abortion rights and the privacy and cybersecurity laws detailed in this piece. The choice to use gendered terminology is not intended to minimize the severe harm the limitations on abortion access will cause nonbinary and transgender patients who are also in danger of prosecution and at risk of being targeted by over-zealous law enforcement. seeking abortion services to travel out-of-state to avoid prosecution at home. In the anti-abortion states, seeking or receiving an abortion is now a crime, potentially punishable with prison time. Some anti-abortion state law enforcement agencies have decided to criminally prosecute state residents who receive an abortion. In February 2023, the South Carolina state legislature introduced the “South Carolina Prenatal Equal Protection Act of 2023,” which proposes charging anyone who receives an abortion with a minimum of 30 years in prison—or the death penalty. The data privacy issues that will be discussed in this piece have become a matter of life or death.

The evisceration of abortion rights implicates data privacy. Notably, privacy as a right to bodily autonomy is now interacting with the right to digital privacy. The contemporary cyber landscape is one that the Supreme Court never could have predicted when it decided cases rooted in the right to privacy.5See generally, e.g., Griswold v. Connecticut, 381 U.S. 479 (1965) (deciding privacy right issues in an age before digital location tracking). The need for a fundamental right to privacy has grown far beyond this initially envisioned right and has become quite urgent. Ironically, the right the Justices are currently eroding is the precise right we need now more than ever. As consumers, our digital data—including our precise location—is inherently attached to the ubiquity of technology. To live and work in contemporary society, we essentially must agree to allow surveillance technology to capture our information. Law enforcement has used this stored data against individuals suspected of crimes for many years. Now, the private information gleaned from digital activity may assist in the criminalization of women seeking abortions. In this post-Roe world, data privacy rights (or lack thereof) may hamper or bolster local law enforcement’s ability to restrict and punish abortion.

First, this piece explores the current landscape of data privacy and its interaction with the criminalization of abortion by presenting cases grappling with these issues. Second, it outlines and evaluates the actions the federal executive branch, the legislative branch, state legislatures, and private companies are taking to safeguard the cybersecurity of individuals seeking abortions. Finally, it offers suggestions of how to further protect pregnant women who need to access abortion and reproductive health services in anti-abortion states.

I. Reproductive Rights and Emerging Data Privacy and Cybersecurity Concerns

As criminal investigations emerge in anti-abortion states, prosecutors are trying to obtain personal data from out-of-state companies, such as internet or communications service providers.6Aaron R. Cooper, Two Americas: Cross-Border Data Requests Post-Dobbs, Lawfare (Sept. 22, 2022), https://www.lawfareblog.com/two-americas-cross-border-data-requests-post-dobbs. The Stored Communications Act, which governs communication service providers, generally protects consumers’ data privacy but allows providers to share private electronic communications with law enforcement if the “contents . . . appear to pertain to the commission of a crime.”718 U.S.C. § 2702(b)(7)(A)(ii). The Stored Communications Act is part of the Electronic Communications Privacy Act. 18 U.S.C. § 2510 – 2523. Prosecutors investigating someone for obtaining (or allegedly obtaining) an abortion can request location information, communication files, and search history from service providers through search warrants and subpoenas.8See Cooper, supra note 6. If an out-of-state government entity requests data from a communication service provider that is based in a different state, the request could implicate other jurisdictions. Generally, states accept out-of-state requests for information through legal subpoenas or search warrants if the foreign state follows the producing state’s specific guidelines for producing and obtaining data.9The National Association of Attorneys General publishes an up-to-date breakdown of each state’s subpoena and grand jury statutes. See National Association of Attorneys General, Uniform Act to Secure Witnesses Reference Chart, https://www.naag.org/uniform-act-to-secure-witnesses-reference-chart/ (last visited Feb. 17, 2023). For specifics on subpoenas and search warrants, see 18 U.S.C. § 2703. For subscriber information and non-content information (e.g., call logs), law enforcement only must send a subpoena. For content information (like text messages, files or location data), law enforcement must obtain a search warrant signed by a judge. However, the Dobbs decision has changed this precedent; it decimated the collegiality between local and foreign state law enforcement.10The term “foreign states” is interchangeable with “out-of-state.” States that are interested in protecting the right to abortion are reluctant to allow providers storing personal information (such as location data or browser history) in their states to produce the data to law enforcement in states that have criminalized abortion.11See Cooper, supra note 6. This collapse in prosecutorial reciprocity not only creates a complicated web from a legal academia viewpoint, but also engenders a dynamic of uncertainty for women considering or actively pursuing abortion services.

II. Law Enforcement’s Relationship with Private Companies and Data Brokers

Prosecutors in restricted abortion states are interested in a slew of personal data that can help lead to felony arrests. This includes personal data12See Linda A Malek, Pralika Jain, and Kiyong Song, Pandora’s Box of Data Privacy at Risk With Abortion Ruling, Bloomberg Law (July 27, 2022), https://news.bloomberglaw.com/privacy-and-data-security/pandoras-box-of-data-privacy-at-risk-with-abortion-ruling. from call histories, message contents, web browsing history,13Web browsing history would reveal searches for abortion clinics, self-induced abortion instructions, or at home abortion pills. and applications that track fertility, menstruation14Period tracker apps track a user’s menstrual cycle and contain data that reveals if the user missed her last period, which may indicate pregnancy. See, e.g., Sarah Morrison, Should I Delete my Period App? And Other Post-Roe Privacy Questions, Vox (Jul. 6, 2022), https://www.vox.com/recode/2022/7/6/23196809/period-apps-roe-dobbs-data-privacy-abortion. and/or geolocation.15If a user visited an abortion clinic, such as Planned Parenthood, apps that track location will store that information. In addition, law enforcement can easily collect geolocation data from cellphone towers, applications that follow location, and license plate readers, and then track if the owner engaged in movements that reflect what law enforcement suspects might be an abortion. Subpoenaed fertility or ovulation applications store data that may reveal incriminating information related to changes in users’ menstrual cycles. Law enforcement also can use reverse location tools, through a geofence warrant, to discover every person that has been in a particular location for a specified amount of time. This allows investigators to collect hundreds of thousands of people’s location data. Law enforcement then analyzes this information to determine which users may have been seeking abortion-related services.16See Teresa Almeida, Maryam Mehrnezhad, Laura Shipp, and Ehsan Toreini, Bodies Like Yours: Enquiring Data Privacy in FemTech (Oct. 8, 2022), https://doi.org/10.1145/3547522.3547674.

The vast amount of data law enforcement can easily collect and use underscores the significant exposure women face when seeking abortion services. Users of any online site, including social media platforms, e-commerce sites, and other personal information applications, unknowingly give the parent companies and online platforms permission to collect and store the information gleaned from use of the service. Companies frequently collect user data from phone applications, and generally comply with subpoenas or search warrants that request that data. If the company will not share the information, law enforcement can purchase the data from data brokers. Data brokers are third-party entities that collect online information about users and consumers or buy data from other parties to aggregate, store, and sell to companies or individuals, typically to use for targeted advertising. Following Dobbs, there were reports of data brokers who sold data about women who visited abortion clinics. Even though much of the information data brokers collect is sensitive, the industry remains opaque and considerably unregulated.

III. Instances in Which Law Enforcement Utilized Private Data to Prosecute Women Seeking Abortions

Local law enforcement officers increasingly hinge their cases against purported abortion seekers on gathered data from search warrants or purchased data from data brokers. More than two years before the Dobbs decision, Latice Fisher, a mother of three in Starkville, Mississippi, was indicted for second-degree murder for giving birth in her home to a child she claimed was stillborn but the state argued was alive. Prosecutors charged her after executing a warrant for her internet searches and scraping her cell phone for its data and memory. In these searches, law enforcement found terms related to inducing a miscarriage and buying mifepristone and misoprostol, pills used for medication abortions.17Mifepristone and misoprostol are colloquially referred to as the “abortion pill,” used for medication abortions. These two drugs are taken consecutively within a 48-hour window. Mifepristone blocks the body’s progesterone, which prevents the pregnancy from growing. After ingesting mifepristone, a pregnant person takes misoprostol, which empties the uterus replicating an early miscarriage. See The Abortion Pill, Planned Parenthood, https://www.plannedparenthood.org/learn/abortion/the-abortion-pill (last visited Jan. 11, 2023). Prosecutors used Fisher’s search history, despite having no evidence indicating that Fisher ingested the abortion pills or actually attempted a medication abortion, to indict her.18See, e.g., Cat Zakrzewski, Pranshu Verma, and Claire Parkere, Texts, web searches about abortion have been used to prosecute women, The Washington Post (July 3, 2022, 9:20 AM), https://www.washingtonpost.com/technology/2022/07/03/abortion-data-privacy-prosecution/. Ultimately, Fisher was not charged after a second grand jury declined to indict. In this case, Fisher simply contemplating performing an abortion resulted in her imprisonment.

Purvi Patel, a woman in Indiana, was convicted of feticide (“knowingly or intentionally terminat[ing] a human pregnancy with an intention other than to produce a live birth…”) in 2015.19Id. To charge her, prosecutors used texts between Patel and her friend in which Patel discussed taking abortion pills. Law enforcement also scrutinized her browser history, which included a visit to the National Abortion Federation webpage that details abortion processes after twelve weeks. Prosecutors then found an email on Patel’s iPad from a website that sells mifepristone and misoprostol pills.20Id. After serving four years in prison, Patel’s sentence was overturned by the Indiana Court of Appeals, which held that the Indiana feticide law was enacted without the intention of prosecuting women for having abortions. If she had been convicted in today’s post-Roe reality, Patel may have served more than four years—or worse. Indiana’s new abortion law (which currently is blocked as lawsuits against it proceed in Indiana Supreme Court) allows for very few exceptions to its near total ban on abortion. Under this new regime, Patel’s conviction—based on her digital behavior—might stand.

Finally, the most recently publicized case involving the digital ecosystem and abortion occurred in Nebraska. In 2022, the state investigated Jessica and Celeste Burgess, a mother-daughter duo, who sent messages over Facebook Messenger about the process of inducing a medical abortion, which is now illegal in Nebraska twenty weeks after fertilization.21See, e.g., Martin Kaste, Nebraska cops used Facebook messages to investigate an alleged illegal abortion, NPR (Aug. 12, 2022, 2:49 PM), https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion. Law enforcement sent a warrant to Meta (Facebook’s parent company), which provided Nebraska prosecutors with the content of the Burgess’ private messages. This case may not stand in court due to the ex post facto clause22The ex post facto clause of the U.S. Constitution prohibits any state from passing—and therefore enforcing—a law that punishes (typically criminal) conduct retroactively. U.S. Const. art. 1 § 10, cl. 1. See also Beazell v. Ohio, 269 U.S. 167, 169-70 (1925). as this abortion took place before Dobbs and therefore before Nebraska law prohibited abortion.23See Kaste, supra note 21.

These cases are a chilling preview of what can—and will—happen when personal data is used against women in abortion felony cases. After Dobbs, there will be a significant increase in the number of women arrested or charged with anti-abortion crimes across the country.

The continued sales of granular, non-anonymized personal data by data brokers to prosecutors, without the customers’ consent or knowledge, increase the risk that those seeking abortions will be targeted by local anti-abortion law enforcement. For example, in August 2022, the Federal Trade Commission (“FTC”) filed a lawsuit against Kochava Inc., a data broker, alleging that the company was engaging in practices that violate the FTC Act2415 U.S.C. § 45(a). by exposing individuals to harm through its sales of tracking and geolocation data. Kochava’s location data is not anonymized. As the FTC noted in its complaint, purchasers can match the geolocation data with a mobile device’s owner to determine the precise location of any specific consumer. The FTC’s complaint also served to highlight a problematic fact: most consumers have little to no “insight into how [their collected] data is used,” such as tracking and mapping past movement.  Nor do consumers understand the inferences that can be drawn about those behaviors. With the risk of abortion-related criminalization, the public has become increasingly concerned with how specific location data will be used against consumers.

IV. Legislative Proposals and Private Corporation Solutions

The federal executive and legislative branches, and many state governments and private companies are attempting to implement solutions to protect women after the Supreme Court’s Dobbs decision. These remedial measures, however, fail to safeguard individuals, predominately women of color and women in poverty, who need abortions.

A. Executive Branch Guidance and Action

Two weeks after the Dobbs decision, on July 8, 2022, President Biden signed Executive Order 14076 to protect access to reproductive health care services. The Order outlined the importance of protecting patient data. However, the shortcomings of the President’s authority quickly became clear. The United States Department of Health & Human Services (HHS) Office for Civil Rights (OCR) proceeded by releasing guidance that clarified that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered businesses are permitted but not required to disclose private health information if requested by law enforcement, and that HIPAA does not safeguard medical information saved by ovulation trackers or other personal-use applications.

B. Proposed Federal Legislation

Multiple members of Congress have introduced online privacy legislation that would function to shield the digital information of people who seek abortions. Data brokers who sell personal location and other information are major targets of this legislation. Democratic Senator Ron Wyden and Representative Jerrold Nadler introduced versions of the “Fourth Amendment Is Not For Sale Act” in April 2021. Targeting data brokers, the bills (1) require the government to obtain a court order to compel data brokers to share data with law enforcement, and (2) prohibit law enforcement from purchasing citizens’ personal data. Similarly, Senator Elizabeth Warren introduced the “Health and Location Data Protection Act of 2022” in June 2022. This bill (1) bans data brokers from transferring or selling location or health data, and (2) bolsters the power of the FTC to enforce the bill’s provisions and provide the agency with additional funding to do this work. Congresswomen Anna Eshoo and Zoe Lofgren of California introduced the “Online Privacy Act of 2021” during the 117th Congress. This legislation intends to give consumers the ability to access or delete their personal data and allows each consumer to determine how long companies can retain said information.

C. Proposed and Adopted State Legislation

California, Colorado, Connecticut, Utah, and Virginia have adopted robust privacy laws that require a higher level of scrutiny when evaluating whether companies can store and/or sell personal data.25See Malek et al., supra note 12. The Colorado legislature enacted a law that requires individual companies to inform consumers about the use of their sensitive personal data by secondary sources after the data is collected by the company. This law encourages increased corporate transparency and responsibility, and discourages unlawful discrimination and deceptive trade practices.

On September 27, 2022, The State of California adopted a bill protecting reproductive rights within the digital ecosystem. More narrow than generalized privacy laws, this legislation protects the data privacy of those seeking abortions by preventing foreign law enforcement from pursuing anti-abortion cases or prosecution when receiving information from California companies about affected consumers. The California Attorney General explained that this includes cell phone content and location data from any cell tower in California, or any information from Google, as the company is headquartered in California.26There is a caveat that law enforcement can receive this information if the foreign law enforcement officers attest that the evidence they seek is unrelated to investigations into abortion services. For example, if a woman travels to California to access abortion services, law enforcement from her home state cannot serve a warrant on a California-based communications company to obtain cell phone site tower location data placing the woman in question in or near a reproductive health clinic or abortion provider. Further, non-Californian law enforcement cannot serve a warrant to Google or other California-based tech companies for private messages or search data if the purpose behind the warrant is to further an investigation into a potential abortion. Abortion friendly states could follow California’s lead and adopt local measures that would prohibit assisting out-of-state law enforcement in investigating lawful abortions.

D. Corporate Implementation of Remedial Measures

In July of 2022, Alphabet Inc., the parent company of Google, announced that it automatically would delete the location data of users who visit what the company deems a “sensitive location.” Sensitive locations include abortion clinics, fertility centers, addiction treatment facilities, and other surgical clinics. Alphabet did not clarify in its statement how soon data is deleted after the user visits a sensitive location. In protecting these sensitive locations, the company will turn off location history by default for any pre-determined locations.

Many FemTech applications—technology services and products that focus on women’s health, such as female sexual wellness, reproductive healthcare services, and pregnancy, ovulation, and fertility apps—have created “anonymous mode” options for customers. This gives the application the ability to avoid identifying its users if law enforcement serves a warrant requesting the application’s data records.27See Amina Kilpatrick, Period tracker app Flo developing ‘anonymous mode’ to quell post-Roe privacy concerns, NPR (June 30, 2022, 5:00 AM), https://www.npr.org/2022/06/30/1108814577/period-tracker-app-flo-privacy-roe-v-wade. For example, Flo and Spot On are two menstruation- and fertility-tracking applications that created an “anonymous mode” for users.28Id. These applications now allow users to utilize their services without attaching a name, email address, or other personal identifier to one’s profile. With anonymous mode, the legal offices of these applications cannot connect the data of a user to an actual individual, making it impossible to fulfill any request by law enforcement for personal information.29Id.

Private associations have sought to encourage self-imposed privacy-protecting policies. The Networking Advertising Initiative (“NAI”) is comprised of third-party digital advertising companies. The NAI’s goal is to create self-regulatory regimes to promote safe data collection and advertising in the digital ecosystem. Recently, the NAI released the Precise Location Information Solution Provider Voluntary Enhanced Standards. These standards recommend restrictions for the “use, sale, or transfer of location data correlating to Sensitive Points of Interest.”30About the NAI, Networking Advertising Initiative, https://thenai.org/about/ (last visited Jan. 10, 2023). The standards prohibit sharing user data for sensitive locations such as houses of worship, healthcare services and treatment centers, military bases, correctional facilities, and immigration service locations. The standards also require its member companies to only share precise data location if they are served with a legally binding request to do so. The NAI is self-selecting: only the companies that choose to join the membership are bound to these guidelines.

V. Problems with the Federal, State, and Corporate Solutions

Private companies, the federal government, and state legislatures are taking steps to protect cyber users from the weaponization of data and from criminalization after Dobbs. However, these corporate, legislative, and executive attempts to mitigate the cybersecurity fallout have major limitations and unintended consequences.

Take Alphabet’s “blackout spot” plan to erase individual location data in specified areas that the company deems sensitive. The plan will limit law enforcement’s ability to buy that distinct location data on the open market and use it to build a case. Several legislative proposals that hope to prevent open market geolocation sales to law enforcement might bolster this corporate solution. However, this concept does not completely evade law enforcement. For example, if a Google Maps user enters a blackout spot, stays in that location for an hour, and then exits the blackout spot, law enforcement that has a suspect in mind can track her location up to the blackout spot, and then track when she leaves this blackout spot. If an abortion clinic is within the boundary of the blackout spot, law enforcement may be able to build a case based on this limited data alone. Additionally, the size of the blackout spot matters tremendously; a small blackout spot would make it easy to identify the suspect visiting an abortion clinic. Further, it is unclear how quickly Alphabet deletes the information after a user visits a blackout spot. If law enforcement is tracking someone specific, an immediate search warrant might be able to bypass the blackout spot limitation, catching the data before it disappears.

Alphabet’s blackout spot solution, although potentially beneficial in protecting some women seeking an abortion, could have greater repercussions that are not in the interest of the American public. If private companies block geolocation data for all areas they deem “sensitive,” law enforcement will be unable to track individuals suspected of other crimes, such as terrorism. An overarching (or perhaps even overreaching) solution that blocks all data gathering, like the one promulgated by proposed federal legislation, might not be ideal.

Additionally, solutions implemented by private corporations and the aforementioned suggested federal legislation could create a false sense of complacency for women seeking abortions. The emergence of new technologies that threaten individual privacy is the precise reason why the reversal of Roe and its accompanying abortion rights cannot be viewed as a simple restoration of the pre-Roe status quo. The illegality of abortion before 1973 is incomparable to the criminalization of abortion today: what once could be dealt with privately and secretly—albeit illegally—can no longer occur without law enforcement easily obtaining evidence proving its occurrence.

Someone visiting an abortion clinic who has read about Google’s blackout spots may be less inclined to take other precautions to protect her data because she knows Alphabet will delete her information. However, if she takes an Uber or Lyft to the abortion clinic, those applications will store destination information. If she drives her own car from an anti-abortion state to an abortion-friendly state and then drives back the same day, her license plate will be tracked and tagged. Did she pay for gas across state lines or near an abortion center with her credit card? If she believes Google will delete her location data, she may think it is safe to browse the internet for abortion sites and to contact abortion providers. Perhaps if this woman knew to be wary of her location data, she would have taken greater precautions when performing other abortion-seeking activities aside from the abortion itself. These corporate proposals, while not wholly inadequate, are far from flawless.  

The federal and state legislative solutions also have drawbacks. Although they appear useful in the short term, their feasibility is limited given the political divide in the United States government. Federal legislation likely will override any state laws protecting abortion, and the Republican House majority will not vote to protect abortion or enact data privacy laws related to reproductive rights.

VI. Alternate Recommendations

Given that the federal government cannot currently properly protect women seeking abortions or reproductive healthcare information from local prosecution, this section suggests ideas that have not been implemented in the United States that could help protect those trying to access essential medical care. One suggestion is increasing the presence of the FTC by offering consumer protection guidelines for reproductive healthcare services. Replicating the systems in California and Vermont, which both require data brokers to register with the state to bring more transparency to data sales, the federal government could require data brokers to register through a federally operated system.

On the corporate side, there should be more of a focus on limiting the role pregnancy crisis centers play in this realm. Pregnancy crisis centers have copious amounts of information on women who contact them inquiring about abortion procedures. These crisis centers market themselves online as healthcare services that will assist with pregnancy. When contacted, the centers ask the caller for detailed information. Many of the women who contact these centers do not realize they are vehemently anti-abortion.31See Abigail Abrams and Vera Bergengruen, Anti-Abortion Pregnancy Centers Are Collecting Troves of Data That Could Be Weaponized Against Women, Time (June 22, 2022), https://time.com/6189528/anti-abortion-pregnancy-centers-collect-data-investigation/ (“Pregnancy centers, many of which are affiliated with national anti-abortion advocacy groups, including Care Net and Heartbeat International, collect personal data from the millions of women they interact with every year in person, by telephone, and through online chats.”). To mitigate the harm done by pregnancy crisis centers, search engines like Google or Bing should prevent their websites from populating pregnancy crisis centers on the results page when a user searches “abortion” or types a related inquiry. The search engines also should include a warning, similar to those displayed by media sites for graphic images or posts containing misinformation, that warn the user that these crisis centers will not provide abortions. On a federal level, the government should begin regulating the databases of pregnancy crisis centers. These centers house significant health and personal data about every individual who contacts or visits them, and their databases remain unregulated.

What will make the most significant difference given that the reversal of Dobbs and federal legislation protecting abortion are not feasible in the current political climate? Greater education on how to stay digitally secure and legally safe when seeking an abortion. When discussing any aspect of an abortion in the cyber ecosystem, each person involved in the discussion should use Signal or a similar encrypted messaging application. SMS texts that use cellular carriers (like AT&T or Verizon) can be monitored by the government and the service provider. Encrypted messaging applications provide for “end-to-end encryption” which prevents outside monitoring because the service provider cannot decrypt the data in the messages. Apple iMessage is a form of end-to-end encryption, however Signal provides more security because the application is open source allowing any party to verify the encryption of the application’s code. Additionally, an abortion seeker should use a private browser (not incognito mode) such as DuckDuckGo or open-source software that allows anonymous communication like Tor, rather than Google, when searching for abortion or reproductive healthcare services.32Incognito mode only deletes browsing history; it does not prevent the websites you visit from tracking your digital fingerprint. These services neither track digital activity nor save data profiles on their users. Knowing to leave one’s cell phone at home and pay fully in cash for any reproductive healthcare services is also essential. Unfortunately, those most impacted by Dobbs are women in low-income households who may be unable to access websites that provide guidance on how to safely seek and receive an abortion, or who lack the time and resources to pay for abortion services fully in cash while remaining untraceable. Furthermore, even if these women can access these guidance websites, they may not know to use secure search engines when searching the web.

VII. Conclusion

This piece explored more problems than solutions regarding the use of private data to criminalize women seeking abortions. Until there is an increase in the weight society places on the value of data privacy, these issues are likely to remain. Regardless, the remedial measures private companies and the government have implemented post-Dobbs are incremental steps toward fully protecting our personal data and increasing cybersecurity in the digital ecosystem.


Rebecca Saber, J.D. Class of 2023, N.Y.U. School of Law.

Suggested Citation: Rebecca Saber, The Impact of the Post-Dobbs Criminalization of Abortion on the Cybersecurity Ecosystem in the United StatesN.Y.U. J. Legis. & Pub. Pol’y Quorum (2023).

  • 1
    142 S. Ct. 2228 (2022).
  • 2
    Id. at 2279; see generally Roe v. Wade, 410 U.S. 113 (1973); Planned Parenthood of Southeastern Pa. v. Casey, 505 U.S. 833 (1992). Casey codified Roe; both cases were overturned by Dobbs.
  • 3
    Alabama, Arkansas, Kentucky, Louisiana, Missouri, Oklahoma, South Dakota, Tennessee, Texas, and Wisconsin have no abortion exceptions for rape or incest. Idaho is in the midst of litigation regarding whether doctors should be punished for performing an abortion if the patient’s health is at risk. Mississippi bans abortion in all cases except for rape. West Virginia bans all exceptions except for cases of rape or incest. Georgia’s ban on abortion after 6 weeks was reinstated by the State Supreme Court while it awaits appeal. Including Georgia, fourteen states ban abortion before a woman even knows she is pregnant.
  • 4
    This piece mostly will use the gendered terms “woman” or “women” when referring to individuals who seek abortion services. I have chosen to use the gendered terminology because the impact of the curtailment of legal abortions and the decreased ability to access abortion care falls primarily on those who identify as women. Issues surrounding reproductive care and abortion services do not only impact individuals who identify as female: transgender men and nonbinary individuals also are impacted by the end of federal abortion rights and the privacy and cybersecurity laws detailed in this piece. The choice to use gendered terminology is not intended to minimize the severe harm the limitations on abortion access will cause nonbinary and transgender patients who are also in danger of prosecution and at risk of being targeted by over-zealous law enforcement.
  • 5
    See generally, e.g., Griswold v. Connecticut, 381 U.S. 479 (1965) (deciding privacy right issues in an age before digital location tracking).
  • 6
    Aaron R. Cooper, Two Americas: Cross-Border Data Requests Post-Dobbs, Lawfare (Sept. 22, 2022), https://www.lawfareblog.com/two-americas-cross-border-data-requests-post-dobbs.
  • 7
    18 U.S.C. § 2702(b)(7)(A)(ii). The Stored Communications Act is part of the Electronic Communications Privacy Act. 18 U.S.C. § 2510 – 2523.
  • 8
    See Cooper, supra note 6.
  • 9
    The National Association of Attorneys General publishes an up-to-date breakdown of each state’s subpoena and grand jury statutes. See National Association of Attorneys General, Uniform Act to Secure Witnesses Reference Chart, https://www.naag.org/uniform-act-to-secure-witnesses-reference-chart/ (last visited Feb. 17, 2023). For specifics on subpoenas and search warrants, see 18 U.S.C. § 2703. For subscriber information and non-content information (e.g., call logs), law enforcement only must send a subpoena. For content information (like text messages, files or location data), law enforcement must obtain a search warrant signed by a judge.
  • 10
    The term “foreign states” is interchangeable with “out-of-state.”
  • 11
    See Cooper, supra note 6.
  • 12
    See Linda A Malek, Pralika Jain, and Kiyong Song, Pandora’s Box of Data Privacy at Risk With Abortion Ruling, Bloomberg Law (July 27, 2022), https://news.bloomberglaw.com/privacy-and-data-security/pandoras-box-of-data-privacy-at-risk-with-abortion-ruling.
  • 13
    Web browsing history would reveal searches for abortion clinics, self-induced abortion instructions, or at home abortion pills.
  • 14
    Period tracker apps track a user’s menstrual cycle and contain data that reveals if the user missed her last period, which may indicate pregnancy. See, e.g., Sarah Morrison, Should I Delete my Period App? And Other Post-Roe Privacy Questions, Vox (Jul. 6, 2022), https://www.vox.com/recode/2022/7/6/23196809/period-apps-roe-dobbs-data-privacy-abortion.
  • 15
    If a user visited an abortion clinic, such as Planned Parenthood, apps that track location will store that information.
  • 16
    See Teresa Almeida, Maryam Mehrnezhad, Laura Shipp, and Ehsan Toreini, Bodies Like Yours: Enquiring Data Privacy in FemTech (Oct. 8, 2022), https://doi.org/10.1145/3547522.3547674.
  • 17
    Mifepristone and misoprostol are colloquially referred to as the “abortion pill,” used for medication abortions. These two drugs are taken consecutively within a 48-hour window. Mifepristone blocks the body’s progesterone, which prevents the pregnancy from growing. After ingesting mifepristone, a pregnant person takes misoprostol, which empties the uterus replicating an early miscarriage. See The Abortion Pill, Planned Parenthood, https://www.plannedparenthood.org/learn/abortion/the-abortion-pill (last visited Jan. 11, 2023).
  • 18
    See, e.g., Cat Zakrzewski, Pranshu Verma, and Claire Parkere, Texts, web searches about abortion have been used to prosecute women, The Washington Post (July 3, 2022, 9:20 AM), https://www.washingtonpost.com/technology/2022/07/03/abortion-data-privacy-prosecution/. Ultimately, Fisher was not charged after a second grand jury declined to indict.
  • 19
    Id.
  • 20
    Id.
  • 21
    See, e.g., Martin Kaste, Nebraska cops used Facebook messages to investigate an alleged illegal abortion, NPR (Aug. 12, 2022, 2:49 PM), https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion.
  • 22
    The ex post facto clause of the U.S. Constitution prohibits any state from passing—and therefore enforcing—a law that punishes (typically criminal) conduct retroactively. U.S. Const. art. 1 § 10, cl. 1. See also Beazell v. Ohio, 269 U.S. 167, 169-70 (1925).
  • 23
    See Kaste, supra note 21.
  • 24
    15 U.S.C. § 45(a).
  • 25
    See Malek et al., supra note 12.
  • 26
    There is a caveat that law enforcement can receive this information if the foreign law enforcement officers attest that the evidence they seek is unrelated to investigations into abortion services.
  • 27
    See Amina Kilpatrick, Period tracker app Flo developing ‘anonymous mode’ to quell post-Roe privacy concerns, NPR (June 30, 2022, 5:00 AM), https://www.npr.org/2022/06/30/1108814577/period-tracker-app-flo-privacy-roe-v-wade.
  • 28
    Id.
  • 29
    Id.
  • 30
    About the NAI, Networking Advertising Initiative, https://thenai.org/about/ (last visited Jan. 10, 2023). The standards prohibit sharing user data for sensitive locations such as houses of worship, healthcare services and treatment centers, military bases, correctional facilities, and immigration service locations. The standards also require its member companies to only share precise data location if they are served with a legally binding request to do so.
  • 31
    See Abigail Abrams and Vera Bergengruen, Anti-Abortion Pregnancy Centers Are Collecting Troves of Data That Could Be Weaponized Against Women, Time (June 22, 2022), https://time.com/6189528/anti-abortion-pregnancy-centers-collect-data-investigation/ (“Pregnancy centers, many of which are affiliated with national anti-abortion advocacy groups, including Care Net and Heartbeat International, collect personal data from the millions of women they interact with every year in person, by telephone, and through online chats.”).
  • 32
    Incognito mode only deletes browsing history; it does not prevent the websites you visit from tracking your digital fingerprint.