MASSACHUSETTS LEGISLATORS are taking a run at improving cell phone data privacy through a timely side door. The current political climate around abortion access leaves people seeking to end a pregnancy, or those who help them to do so, vulnerable to harassment and even legal action. So, maybe, the cell phone in your pocket shouldn’t tell your neighbor you visited a clinic.

“Location data can make known whether a person has visited an abortion provider, how long they stay, and even identify where they came from,” said Sen. Cynthia Creem, the Senate majority leader and sponsor of a bill that would ban selling, leasing, trading, or renting cell phone location data. “Notably, this information can follow the travel paths of individuals coming to Massachusetts for reproductive health care.”

Apps that collect location data to perform their basic functions, like weather apps, ride-hailing services, or social media sites, are allowed to sell that data to third parties. 

“We all accept the fact that the weather app needs to know our location so it can tell us that it’s going to rain this afternoon, but few people realize that some apps sell our location information – not to the highest bidder; that would be bad enough – but to anyone, including your inappropriate neighbor, your employer, or worse, in the case of the LGBTQ community, to extremists who believe that our very existence is a scourge on the universe,” testified Arline Isaacson, co-chair of the Massachusetts Gay & Lesbian Political Caucus, at a hearing of the joint committee on Consumer Protection and Professional Licensure.

It has been one year since the US Supreme Court struck down Roe v. Wade, which sent Bay State politicians and advocates scrambling to codify reproductive health protections into Massachusetts law. Creem and Rep. Kate Lipper-Garabedian, who filed the Location Shield Act in the House, pitched the effort as another response to the erosion of abortion access and spikes in hate crimes. The bill would cover any person in Massachusetts, which has a shield law protecting patients and providers from legal action, even if they travel in from Texas, which has imposed strict abortion laws and empowered individuals to enforce them.

Reproductive rights groups, children’s rights organizations, domestic violence groups, civil rights organizations, and data security advocacy groups said current law imperils those who come to Massachusetts to seek reproductive care prohibited by their home state. 

“The ability for anyone with a credit card to purchase cell phone location information puts me, my staff, and my patients at risk,” said Dr. Laurent Delli-Bovi, medical director and founder of Women’s Health Services in Brookline.

And while most who offered testimony in favor of the Location Shield Act cited fear about people seeking abortion in Massachusetts being susceptible to tracking by other states, a number offered a much broader note of caution: almost everyone is left startlingly vulnerable by the current system.

Committee chair Rep. Tackey Chan, of Quincy, compared it to “a data breach situation where somebody steals your credit card numbers and just keeps rotating through buyers.”

This complicated chain can leave consumers in the dark about how to find out who has their information and how to go about trying to request its removal or return.

“Once personal information is transferred to a third party, it’s very hard to track further secondary uses or secondary transfers of that personal information,” said Caitlin Chin, a fellow at the Center for Strategic and International Studies who focuses on technology regulation in the United States and abroad. “And that’s the problem with allowing companies to transfer information to data brokers with very few limitations. It’s just very hard to control how that information is used after that initial transaction, and there’s very little transparency as well into this very intricate web of databases.”

This leaves users susceptible to monitoring by not only politically or personally motivated organizations and individuals, but foreign governments. “Unchecked location tracking poses clear national security concerns,” Chin said.

United States-based data brokers can compromise military or other law enforcement information by selling it to foreign operatives. Chin cited a serious data breach in 2016 where a defense contractor analytics firm realized it could track US military operations through the data generated by the apps on soldiers’ mobile phones.

It isn’t any rosier closer to home. Geolocation data leaves vulnerable groups open to targeted swatting – harassment using false reports of crimes to prompt law enforcement responses – and doxing – revealing personal identifying information. 

In 2019, New York Times journalists were able to track people visiting major sites like the White House. US government entities can purchase information to track people using apps serving Muslims, noted Nasser Eledroos, policy counsel for technology policy and economic justice issues at the Black advocacy organization Color of Change. 

“While the need for protective legislation is clear for the privileged, it’s especially crucial for the marginalized,” Eledroos said. “There’s a valid concern about the misuse of this data, especially for those marginalized by police, or reliant on government support, or when they act explicitly seeking health care that they have every right to seek. This data can be used without consent to influence decisions about their lives or even prompt unwanted interventions, including but not limited to threats on their life.”

Opposition came from Andrew Kingman, president of Mariner Strategies LLC, representing the State Privacy & Security Coalition. The coalition of 32 companies and six trade organizations includes corporations like Adobe, Amazon, Apple, Facebook, Mastercard, Microsoft, Netflix, Nike, Verizon, Visa, Walgreens, and Walmart, according to a letter submitted in 2020 opposing a proposed data breach notification bill. 

Like many tech trade groups, the State Privacy & Security Coalition is pushing for uniform federal security laws and objecting to the patchwork of state-by-state legislation. Kingman said the group supports heightened protections but would prefer to see a data privacy bill like the one Connecticut enacted last year to ensure regional consistency.

“We want to make sure that all industries are regulated similarly,” Kingman told the committee. “The framework that we would advance would establish heightened protections for that sensitive data that would require opt-in consent from the consumer before it’s even collected, and would require data protection assessments by the companies to consider the types of risks and benefits that would flow from that information, to document those, to retain those, and then to mitigate those risks when necessary.”

He did not directly answer a question from the committee about what potential benefits accrue to consumers who have their data sold without their knowledge, instead arguing that the definition of “sale” is “extremely broad” and could impose limits on sites passing information to vendors.

All who spoke at the hearing expressed a sense of urgency. People of color and Jewish organizations are particularly concerned about exposure to targeted hate crimes, testified Cindy Rowe, executive director of Jewish Alliance for Law and Social Action.

“Imagine a White supremacist group buying location data for those who enter a synagogue or a mosque, a predominantly Black church or in any other place of worship that serves a community that could be targeted by those who are looking to target violent acts,” she said. “Failure to address this via the Location Shield Act when we have the means to protect people is irresponsible and could lead to tragedy.”