Websites selling abortion pills are sharing sensitive data with Google

Package of Mifeprestone

This story originally appeared on ProPublica.

Online pharmacies that sell abortion pills are sharing sensitive data with Google and other third parties, which may allow law enforcement to prosecute those who use the medications to end their pregnancies, a ProPublica analysis has found.

Using a tool created by the Markup, a nonprofit tech-journalism newsroom, ProPublica ran checks on 11 online pharmacies that sell abortion medication to reveal the web tracking technology they use. Late last year and in early January, ProPublica found web trackers on the sites of at least nine online pharmacies that provide pills by mail: Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy and Online Abortion Pill Rx.

These third-party trackers, including a Google Analytics tool and advertising technologies, collect a host of details about users and feed them to tech behemoth Google, its parent company, Alphabet, and other third parties, such as the online chat provider LiveChat. Those details include the web addresses the users visited, what they clicked on, the search terms they used to find a website, the previous site they visited, their general location, and information about the devices they used, such as whether they were on a computer or phone. This information helps websites function and helps tech companies personalize ads.

But the nine sites are also sending data to Google that can potentially identify users, ProPublica’s analysis found, including a random number that is unique to a user’s browser, which can then be linked to other collected data.

“Why in the world would you do that as a pharmacy website?” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute at the University of California, Berkeley. “Ultimately, it’s a pretty dumb thing to do.”

Representatives for the nine sites did not respond to requests for comment. All were recommended on the popular website Plan C, which provides information about how to get abortion pills by mail, including in states where abortion is illegal. Plan C acknowledged that it does not have control over these sites or their privacy practices.

While many people may assume their health information is legally protected, US privacy law does little to constrain the kind or amount of data that companies such as Google and Facebook can collect from individuals. Tech companies are generally not bound by the Health Insurance Portability and Accountability Act, known as HIPAA, which limits when certain health care providers and health plans can share a patient’s medical information. Nor does federal law set many limits on how companies can use this data.

Law enforcement can obtain people’s data from tech companies such as Google, whose privacy policies say the companies reserve the right to share users’ data with law enforcement. Google requires a court order or search warrant, which law enforcement can obtain with probable cause to believe a search is justified. The company received more than 87,000 subpoenas and search warrants in the US in 2021, the most recent year available; it does not provide a breakdown of these requests by type, such as how many involved abortion medication.

In a statement, Steve Ganem, product director of Google Analytics, said: “Any data in Google Analytics is obfuscated and aggregated in a way that prevents it from being used to identify an individual and our policies prohibit customers from sending us data that could be used to identify a user.”

https://arstechnica.com/?p=1911084