Julia Bourkland, Research Assistant | February 2, 2023 Blog Post

Introduction

Surveillance of pregnant people and criminalization of abortion is nothing new in the United States’ long history of trying to control bodily autonomy. Historian Leslie J. Reagan details the timeline of anti-abortion laws in the U.S. beginning in the nineteenth century, followed by law enforcement tactics of interrogating those who had abortions, clinic raids, and prosecution of people who had abortions. Today, Pregnancy Justice, formerly National Advocates for Pregnant Women, seeks justice for those criminalized for their pregnancy outcomes, including those whose cases involved exploitation and weaponization of digital data

In the post-Roe landscape, modern technologies and emboldened anti-abortion actors bring about unique data privacy concerns and threats to our reproductive freedom. Among the mass surveillance and criminalization of reproductive care is the particular concern of people’s personal data being housed by anti-abortion centers (AACs). AACs, through their own peer centralized databases and software, are sitting on troves of personal and medical data unregulated by any measure except their own fine print. They are poised to lure people in with their deceptive advertising helmed by anti-abortion marketing agencies. These imposters disproportionately target pregnant people of color, who are more likely to be searched and subpoenaed by law enforcement, and people with lower incomes, who AACs deliberately appeal to with their conditional “free services"; due to the prevalence of abortion deserts, they are also more likely to search online for abortion information and providers. This perfect storm means AACs are effectively employed as an unrestricted “surveillance infrastructure for the anti-abortion movement.” 

Over the course of multiple blogs, Equity Forward will detail how AACs’ unchecked handling of personal and medical data is a direct threat to our collective reproductive freedom. We must take this problem seriously by implementing the recommendations of SRHRJ leaders and privacy experts who have long sounded the alarm on this evergreen problem of reproductive data privacy.

Exploiting Our Privacy and Dignity: Why AACs Currently Face no Federal Regulation and Oversight.

AACs’ possession of personal health information is situated in the broader context of data exploitation. Period-tracking apps, some of which are funded by anti-abortion organizations, funnel data to Facebook. Anti-abortion operatives send targeted ads to people in geo-fenced locations, even as they are sitting inside abortion clinics. Major tech companies are fulfilling geofencing and keyword warrant requests from law enforcement to prosecute people seeking health care. Digital footprints documenting searches for abortion clinics or medication abortion – which can easily be accessed by law enforcement by legally requesting or buying data from private companies – are being used against those trying to navigate their options. Even bringing a cell phone along to the doctor’s office with location services turned on can be used to prosecute pregnant people seeking abortion care. 

America’s consumer data protection laws are embarrassingly inadequate. The U.S. does not have a comprehensive privacy law to govern how data is collected, used, or sold. Neither does it have a federal data protection agency; the job of this would-be agency is left to the FTC and other federal agencies. As a result, these agencies, as well as state legislatures such as California and Colorado, implement patchwork compliance and protections. No matter how aggressive these laws are, efforts should be supported by a robust federal consumer data protection law. Abysmal data protection, coupled with America’s surveillance state and lack of tech sector regulation, make it virtually impossible to keep one’s digital activity safe from exploitation. Plus, tech companies typically make matters worse by not taking the public health and privacy threat of AACs seriously, even giving AAC networks free advertising money via ad grants. The result is an incredibly dangerous situation for pregnant people in the United States. As Privacy International said in their research on anti-abortion actors’ exploitation of data, “[i]n countries where there is opposition to reproductive rights as well as limited data privacy laws, there is a significant risk of people’s data being exploited in an attempt to restrain reproductive rights.”

Data governance of AACs is already very weak, which becomes even more dangerous in this post-Dobbs era. Because AACs are unbound by federal data protections and are often affiliated with national or global AAC networks like Obria, Human Coalition, Care Net, Heartbeat International, and Real Alternatives (all entities that solely exist to advance an anti-abortion agenda), AACs are well set up to violate their clients’ privacy. AACs do not qualify as “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the federal law that protects patient health information (PHI) from being disclosed without the patient’s consent, because they are not actual licensed health care providers and do not offer billable medical services. Unsurprisingly, AACs are rife for privacy abuses because they are not covered by the privacy and security rules of HIPAA. There is no obligation to keep a client’s medical information confidential, including information about abortion decisions. To make things more complicated, most AACs are non-profits, making them immune to the FTC Act. So, not only are AACs unqualified and unlicensed, but they also skirt federal health information privacy laws.

When this lack of federal protections and regulations is pointed out, AACs point to their in-house privacy policies that are self-imposed and can be rewritten or interpreted however they please. For example, AAC giant Care Net’s operating principles, adopted from the Leadership Alliance of Pregnancy Care Organizations’ (LAPCO) list of AAC standards first introduced in 2009 in an attempt to boost AACs’ legitimacy, explicitly says “client information is only disclosed as required by law and when necessary to protect the client or others against imminent harm.” But with their forced-birth ethic, why should anyone believe Care Net wouldn’t happily disclose personal information however they see fit, especially under state abortion bans as required by law? 

When U.S. Senators Elizabeth Warren, Mazie Hirono, Cory Booker, Bernie Sanders, Ron Wyden, Edward J. Markey, and Richard Blumenthal sent a letter to major AAC network Heartbeat International in September inquiring about what it’s doing with pregnant people’s sensitive data, Heartbeat International responded by calling the congressional inquiry “fraught with bizarre accusations'' and thanked the Senators for the “PR opportunity.” AACs are evading accountability and opposing regulation from all angles. 

An Interlocking, Centralized Operation: How AACs Use Their Own Database and Software Systems to Exploit People’s Data.

The network of AACs, their suite of software and technologies, and their affiliates is messy and confusing by design. AACs are working with their own client management systems, such as Next Level Center Management Solution (Next Level CMS), where among its suite of products is a “client intake and information” feature, so AACs can “always know the latest on each client.” They use their own software to run client management, such as eKYROS, WayCool, and Compass Care’s Optimize. WayCool even boasts a feature called CoolFocus that provides real-time data accessible on any device with an internet connection, allowing for “data entry to be recorded whenever or wherever connections are made, and opportunities present themselves.” eKYROS offers an “At Risk Timeline” so AAC staff can view “a snapshot of the client’s” so-called “abortion-vulnerability.” 

AACs run their deceptive advertising through marketing agencies such as Liliana Grace Media, Stories Marketing, Cornerstone Marketing Strategies, Vitae Foundation, Choose Life Marketing, RankMonsters, and Extend Web Services (Extend Web Services has attracted attention for the despicable tagline used for its advanced SEO services: “She’s searching for help. Be sure she finds YOU!”). 

AACs also work with donor management platforms such as Stewardship Technology, whose “Pregnancy Management Solutions” webpage features an infographic on how Stewardship explicitly works in tandem with eKYROS, WayCool, iRapture.com (which advises AACs on how to acquire Google Ads grants), K-Data Systems, RankMonsters, Cornerstone Marketing Strategies, and Stories Marketing. Not to mention TruthWorks and its BriteWorks Pregnancy System service, which “has allowed government programs to flourish and be good stewards of taxpayer dollars,” fueling multiple Alternatives to Abortion (A2A) programs. These organizations, and others, are working together to lure, surveil, and exploit.

Whether in person at brick-and-mortar AACs or online via chat software, these centers can obtain the personal health information of people (who are likely unaware of AACs’ unethical intentions) trying to access essential health care. Per the HIPAA guide, types of PHI covered under the federal law include names or part of names, geographic identifiers, phone numbers, email addresses, medical record numbers, account details, vehicle license plate details, Social Security details, IP address details, and any other unique identifying characteristics. So, what data do AACs have? According to research done by Privacy International, Next Level CMS – a centralized database system developed by major network Heartbeat International as part of their suite of anti-abortion technology products – collects many of these same categories of information. Next Level CMS’s centralized database houses names, physical and email addresses, race and ethnicity, marital status, living arrangements, education background, sources of income, alcohol and drug use, medications and medical history (including STD/STI history), referral information, pregnancy symptoms and history, medical testing information, and labeled ultrasound photos. A particularly despicable quote from Next Level CMS has been widely circulated amid post-Dobbs data privacy exposés: “Big data is revolutionizing all sorts of industries. Why shouldn’t it do the same for a critical ministry like ours?”

Another Heartbeat International trap is Option Line, the online call and message line using LiveChat software (which is jointly operated with Care Net). Option Line requires site visitors to input their name, demographic information, location information, as well as if they are considering an abortion before receiving unlicensed, biased anti-abortion counseling. An old copy of Option Line’s terms of use retained by Privacy International stated that “‘all remarks’ sent through the website – other than information directly requested – can be used by Option Line ‘for any and all purposes’ that it believes ‘to be appropriate to the mission and vision of Option Line.’” Not only are AACs wasting people’s time by not providing real medical care – they are also grabbing people’s personal information to use for their own dishonest purposes. Heartbeat International president Jor El-Godsey told Privacy International that its keeping of personal information is fine because all data is “de-identified”; however, this is a common tactic to placate consumer concerns. Anonymized and aggregated data can easily be reidentified.

While AACs and their tech peer organizations often boast voluntary HIPAA compliance, this is a lie: as attorney Kim Clark of the Legal Voice told the Women’s Media Center, AACs are “claiming to be HIPAA compliant, when they’re actually not,” as this compliance would directly contradict their purposely muddled privacy policies. Because there are no legal protections for the private information they have access to, AACs are free to share with third parties for any purpose.

Personal health data is unsafe in the hands of AACs because anti-abortion centers solely exist to operate as public engagement tools of the anti-abortion movement. According to an investigation from Reveal and the Markup using their Blacklight tool, at least 294 of nearly 2,500 AACs analyzed shared visitor information with Facebook. Among this information was whether someone wanted an abortion or emergency contraception. Even more terrifying, at least 120 crisis pregnancy centers in states with post-Roe trigger bans sent data to Facebook about their website visitors. Imagine how this personal information can be exploited, especially since we know major tech companies (including Meta) regularly comply with data access requests from local, state, and federal law enforcement agencies. This is particularly concerning as social media platforms, such as Facebook, have received a steady increase of requests for information from law enforcement. 

Eager To Exploit: Why AACs Can’t Be Trusted.

It is crucial that anti-abortion centers’ ability to access and house our data is stopped. Luckily, there is guidance on how to do this by following the advice of SRHRJ leaders and privacy experts. AACs are a public health and privacy threat, and these propaganda machines should never have been able to gain access to this personal data in the first place.

In a forthcoming blog in this series, EF will further discuss the ways AACs are set up to surveil and aid criminalization through: heightened surveillance of those accessing abortion care, the continuing criminalization of people for their pregnancy outcomes, the increased proliferation of AACs, the unregulated marketing that funnels people into having their data exploited, states compelling people to interact with AACs through Alternatives to Abortion (A2A) programs, and AACs refusing to comply with necessary regulation and evading accountability.

For more information on AACs, please check out our related research: