With Roe v. Wade on the cusp of being overturned, discussions about the privacy of sensitive data have gained new momentum. We’ve become used to Googling our medical questions, booking appointments online, and tracking menstrual cycles via convenient mobile apps, but all of that could change.

“In the world that we may be seeing quite soon, people seeking reproductive care are going to need to pay attention to what digital trail they’re leaving,” says Corynne McSherry, legal director of digital rights group Electronic Frontier Foundation. “There are many, many, many ways in which we leave that trail without thinking about it.” 

Last year, period tracking app Flo received a sanctioning from the Federal Trade Commission for sharing data with tech companies, as the Wall Street Journal reported it did with Facebook in 2019. While apps sharing sensitive user data with third parties have always been a public concern, their sometimes questionable privacy practices have come under renewed scrutiny since the Supreme Court’s draft opinion leaked earlier this month. 

But McSherry says period trackers are just the tip of the iceberg. 

What actually happens to your data

The first thing to think about is what kind of data you might be sharing, and with whom.

“There’s so many ways people are handing over all kinds of information about their daily lives to third parties and not realizing it at all,” says McSherry. Law enforcement and government agencies have used internet user data to surveil citizens in the past. Earlier this month, VICE reported that the CDC purchased location tracking data via a data broker of millions of phones to see if Americans complied with pandemic lockdown policies, among other uses.

Some data brokers and apps that deal with them claim that the collected information is “de-identified.” But, as McSherry noted, there are other direct threats to privacy: law enforcement, which has a history of working with Internet Service Providers, can get a so-called “keyword warrant” and subpoena your actual search history. “People aren’t used to the idea that someone might actually get a warrant for your search history,” McSherry says. “But that’s the potential future we’re looking at.” 

In 2018, one woman’s online searches for ‘buy abortion pills’ led to a second degree murder indictment for an at-home pregnancy loss. After vigorous legal efforts, those charges were later dropped. But as more states move towards criminalizing abortion, people seeking care face dangers and uncertainty.

“We’re searching for knowledge and information online and that can be used against us,” says Andrea Downing, a security and privacy researcher focused on patient privacy. Neither period-tracking apps—which use voluntarily given information without the involvement of doctors—nor search engines are protected by HIPAA

What can people do to protect themselves?

Kat Green, managing director of Abortion Access Front, advises people to use a browser that doesn’t keep your search history in it, like DuckDuckGo. “The safest thing you could be doing is a combination of something like DuckDuckGo with a VPN on your phone, so that it’s not tracking your location and your IP address,” she says. 

The Digital Defense Fund issued a guide on how to stay safe while managing an abortion, which includes tips like disabling your mobile ad ID (here’s how to do that on iOS and Android), turning off location sharing, using encrypted messaging services like Signal, and browsing the web in an incognito window (or the aforementioned DuckDuckGo browser). There’s also the Electronic Frontier Foundation’s detailed Surveillance Self-Defense guide, but Green notes that for most people, especially those making weighty health decisions, the reality is that being careful to only search via VPN is not something they’re likely to do.

“It seems so simple, but don’t tell on yourself in writing,” Green adds. “Don’t ask about illegal things openly on the internet. Be cautious with what you say online and what you text.” 

Who else should be concerned about this?

It isn’t just people in states where abortion is banned that need to be cautious. “What we’re likely to see in a post-Roe world is a confusing jurisdictional mess,” says McSherry. “I would not be at all surprised to see prosecutors in a state that is more restrictive about abortion going after folks in other states who might be helping people in their jurisdiction access reproductive care.”

For the last few decades, people in need of abortions have often crossed state lines for it. They’ve gone to more liberal states to access care, they’ve gone to states where the cost of abortions are more affordable, and they’ve gone to states where supportive family members or friends live, who might be able to care for them, after the procedure. 

“If you are in any way a person who is trying to facilitate access to abortion for somebody else, you might want to pay attention to what digital trail you’re leaving,” says McSherry. “It’s about protecting your community, thinking ‘Am I doing my part to keep everyone’s data private?’”

Some abortion clinics are already encouraging patients to leave their phones at home. Plan C, a site that provides resources for finding an abortion, updated its FAQ section last week, encouraging people to use VPNs and incognito mode when booking appointments.

So what about period-tracking apps?

In Europe, where online privacy is viewed as a right, the EU General Data Protection Regulation (GDPR) severely limits tech companies’ ability to collect or process user data, requiring user consent. The United States doesn’t have anything close to that, leaving our data to be sold to data brokers.

Popular Science reached out to several period-tracking apps to ask them about their policies regarding sharing user data. Here’s what they said. 

Clue: The company wanted to “reassure our users that their sensitive health data, particularly any data tracked in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe. We do not sell it, and we never share it with ad networks. As a European company, Clue is obligated under European law (the General Data Protection Regulation, GDPR) to apply special protections to our users’ reproductive health data. We will not disclose it.” Clue has publicly stated they wouldn’t comply with a subpoena for user data. According to the GDPR, they do not have to comply with a US subpoena unless there is a treaty between governments to share information.

Flo: In a statement, the company said that it “does not share personal health data with any third party.” Flo claims that an “external, independent privacy audit” in March 2022 confirmed that their practices are consistent with their public privacy policy and that, according to the audit, from “both a governance and operational perspective, Flo was able to demonstrate a commitment to the privacy and security of its users’ data and has devoted appropriate resources and personnel to ensuring it maintains those commitments.” If a commitment is not enough of a reassurance, a Flo user can refuse to share some data. As Flo also states, “Flo will never require a user to log an abortion or offer details that they feel should be kept private. Should a user express concern about data submitted, Flo’s customer support team will delete all historical data which will completely remove all data from Flo’s servers.”

Apple: The company says that when it comes to the Apple Health app, health data on the device is encrypted locally, and data that is also backed up to iCloud is end-to-end encrypted, so long as two-factor authentication is enabled. That means Apple lacks the key to decrypt the data and thus can’t read it.

So how concerned should people be about period-tracking apps? Experts still don’t know what the future might look like, but they are urging caution. Two key issues to keep in mind are the abortion laws in your state and the specific privacy policies of the apps you’re using. Unless you can invest time into a careful review, it’s best to opt out and, as always, be very aware of your complete digital trail.