ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
Online pharmacies that sell abortion pills are sharing sensitive data with Google and other third parties, which may allow law enforcement to prosecute those who use the medications to end their pregnancies, a ProPublica analysis has found.
Using a tool created by the Markup, a nonprofit tech-journalism newsroom, ProPublica ran checks on 11 online pharmacies that sell abortion medication to reveal the web tracking technology they use. Late last year and in early January, ProPublica found web trackers on the sites of at least nine online pharmacies that provide pills by mail: Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy and Online Abortion Pill Rx.
These third-party trackers, including a Google Analytics tool and advertising technologies, collect a host of details about users and feed them to tech behemoth Google, its parent company, Alphabet, and other third parties, such as the online chat provider LiveChat. Those details include the web addresses the users visited, what they clicked on, the search terms they used to find a website, the previous site they visited, their general location and information about the devices they used, such as whether they were on a computer or phone. This information helps websites function and helps tech companies personalize ads.
But the nine sites are also sending data to Google that can potentially identify users, ProPublica’s analysis found, including a random number that is unique to a user’s browser, which can then be linked to other collected data.
“Why in the world would you do that as a pharmacy website?” said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute at the University of California, Berkeley. “Ultimately, it’s a pretty dumb thing to do.”
Representatives for the nine sites did not respond to requests for comment. All were recommended on the popular website Plan C, which provides information about how to get abortion pills by mail, including in states where abortion is illegal. Plan C acknowledged that it does not have control over these sites or their privacy practices.
While many people may assume their health information is legally protected, U.S. privacy law does little to constrain the kind or amount of data that companies such as Google and Facebook can collect from individuals. Tech companies are generally not bound by the Health Insurance Portability and Accountability Act, known as HIPAA, which limits when certain health care providers and health plans can share a patient’s medical information. Nor does federal law set many limits on how companies can use this data.
Law enforcement can obtain people’s data from tech companies such as Google, whose privacy policies say the companies reserve the right to share users’ data with law enforcement. Google requires a court order or search warrant, which law enforcement can obtain with probable cause to believe a search is justified. The company received more than 87,000 subpoenas and search warrants in the U.S. in 2021, the most recent year available; it does not provide a breakdown of these requests by type, such as how many involved abortion medication.
In a statement, Steve Ganem, product director of Google Analytics, said: “Any data in Google Analytics is obfuscated and aggregated in a way that prevents it from being used to identify an individual and our policies prohibit customers from sending us data that could be used to identify a user. Google has strict policies against advertising to people based on sensitive information.”
Google pledged last year that it would delete location history data related to people’s visits to abortion and fertility clinics, but the company has not announced any changes since then related to data involving abortion pill providers or how it handles government requests for data. A Google spokesperson did not respond when asked whether the company has turned over any data to law enforcement about users of online pharmacies that provide abortion medication or whether it has been asked to do so.
“This is problematic and dangerous — both the potential access that law enforcement has to figure out who is violating our new state bans and that we’ve let tech companies know so much about our private lives,” said Anya Prince, a law professor at the University of Iowa who focuses on health privacy. “It shows us how powerful this data is in scary ways.”
Using medications to induce an abortion involves taking two drugs. Mifepristone blocks the hormone progesterone, effectively stopping the growth of the pregnancy. Misoprostol, taken a day or two later, helps the uterus contract, emptying it of pregnancy tissue. This drug combination is the most commonly used method of abortion, accounting for more than half of abortions in the U.S.
Demand for the drugs is expected to grow amid reproductive health clinic closures and the enactment of a cascade of state laws banning abortion since the Supreme Court overturned Roe v. Wade last June.
At least 13 states now ban all methods of abortion, including medication abortion, though some allow exceptions for medical emergencies, rape or incest. People who are unable to shoulder the cost of traveling to states where abortion is legal are increasingly turning to online pharmacies to buy abortion pills without prescriptions. The mail-order pills can be taken at home, and they’re generally cheaper than abortion services provided in clinics — about $200 to $470 from online pharmacies, compared to about $500 for a first-trimester abortion conducted in a clinic.
Approved by the U.S. Food and Drug Administration in 2000, mifepristone — the first tablet in the two-step regimen — can be used to help end pregnancies in their first 11 weeks. The agency initially restricted the drug, requiring patients to get it from clinicians in person.
Mifepristone became more accessible during the COVID-19 pandemic, when the FDA temporarily relaxed the requirement that people visit providers in person to get the drug. The agency scrapped the requirement altogether in December 2021, allowing people to obtain abortion medication through the mail after a telemedicine appointment.
Then, on Jan. 3, the FDA published new rules allowing retail pharmacies to dispense mifepristone to people who have prescriptions, potentially expanding access to medication abortion. But those rules do not help pregnant people in more than a dozen states where abortion bans prevent pharmacies from offering the drug.
A week later, Alabama’s attorney general said that anyone using abortion pills could be prosecuted under a state law that penalizes people for taking drugs while pregnant — despite the state’s abortion ban, which excludes abortion seekers and penalizes providers instead. He then appeared to back off his statement, saying the law would be used only to target providers.
Nineteen states already ban the prescription of abortion drugs through telehealth, meaning people in those states must see a clinician in person or find abortion medication online on their own. Many appear ready to do the latter. After a draft of the Supreme Court’s abortion decision leaked last May, internet search traffic for medication abortion surged. Dozens of people have posted descriptions online of their experiences getting abortion pills, some in restrictive states. One Reddit user recounted their ordeal on an abortion subgroup in October: “I’m in TX so i ordered through abortion RX. It said it’ll be here soon like 5-6 days. I’m extremely nervous I’m doing this by myself, but I’ve looked and don’t have a lot of time to make a decision. This is the fastest way.”
A New Legal Era
Just two states — Nevada and South Carolina — explicitly outlaw self-managed abortion. But that hasn’t stopped prosecutors in other states from charging people for taking abortion drugs.
Prosecutors have cited online orders of abortion pills as evidence in cases charging people with illegal abortions in several states, including Georgia, Idaho and Indiana. And in at least 61 cases from 2000 through 2020 spread across more than half the states in the country, prosecutors investigated people or ordered their arrest for allegedly self-managing abortions or helping someone else to do so, according to a report by If/When/How, a reproductive justice advocacy organization. In most of these cases, people had used medication for their abortions.
Those prosecutors interested in criminalizing abortion are aided by state and private surveillance.
“This is an entirely new era,” said Ari Waldman, a professor of law and computer science at Northeastern University. “We’re moving to a modern surveillance state where every website we visit is tracked. We have yet to conceptualize the entire body of laws that could be used to criminalize people getting abortions.”
Law enforcement can use people’s behavior when visiting websites that sell abortion pills as evidence to build cases against those suspected of having abortions. Investigations and charges in these cases overwhelmingly stem from reports to law enforcement by health care providers, trusted contacts or the discovery of fetal remains, legal experts say. Once authorities launch an investigation, they can use online searches for abortion pills as part of the evidence.
“This information can tell a district attorney that you went to an abortion website and you bought something,” Waldman said. “That might be enough to get a judge to get a warrant to take someone’s computer to search for any evidence related to whatever abortion-related crime they’re being charged with.”
This was true even under the more limited abortion restrictions under Roe. For example, in 2017, prosecutors in Mississippi charged Latice Fisher with second-degree murder after she lost her pregnancy at 36 weeks. Prosecutors used her online search history — including a search for how to buy abortion pills online — as evidence. Fisher’s murder charge was eventually dismissed.
“We have a private surveillance apparatus that is wide and is largely unregulated,” said Corynne McSherry, legal director at the Electronic Frontier Foundation, a nonprofit that promotes digital rights. “Now Google knows what you’re searching. This is a real threat. If any third party has your information, it means your data is no longer in your control and it could be sought by law enforcement. This is 100% a worry.”
Many people aren’t aware of how to opt out of sharing their data. Part of the problem is that when users visit online pharmacies that share users’ information with third parties such as Google, their information can then be shared with law enforcement if allowed by the privacy policies of those third parties.
Users can install a web browser, such as Brave or Firefox, that offers privacy protections. They can also install browser extensions to block third-party trackers and adjust the privacy settings on their browsers. But these steps aren’t always foolproof. Tech companies can still subvert them using hidden tools that users cannot see, and they likely retain vast troves of data that are beyond users’ control.
“Individuals are not going to solve this problem; technical solutions aren’t going to solve this problem,” said Chris Kanich, associate professor of computer science at the University of Illinois at Chicago. “These trillion-dollar companies of the economy aren’t going anywhere. So we need policy solutions.”
Congressional lawmakers have spent years discussing a national data privacy standard. The bill that has made the most progress is the American Data Privacy and Protection Act. Introduced last June by a bipartisan group of lawmakers who intended to strengthen consumer data protections, the bill limited companies from using any sensitive data, including precise geolocation information or browsing histories, for targeted advertising or other purposes. Companies would have been required to get consumers’ express consent before sharing sensitive data with third parties. The legislation passed out of its assigned House committee in July.
Another bill, the My Body, My Data Act, also introduced last summer, would limit the reproductive health data that companies are allowed to collect, keep and disclose.
But neither bill has passed. The My Body, My Data Act had few, if any, Republican supporters. Plus, legislators couldn’t reach an agreement over whether the American Data Privacy and Protection Act should supersede state privacy laws such as the California Consumer Privacy Act of 2018, which provides data privacy protections for consumers in the state.
Privacy experts say the most effective way to protect users’ data is for online pharmacies that sell abortion medication to stop collecting and sharing health-related data.
Companies selling abortion pills should immediately stop sharing data with Google, said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation.
“Web developers may not have thought they were putting their users at risk by using Google Analytics and other third-party trackers,” Quintin said. “But with the current political climate, all websites, but especially websites with at-risk users, need to consider that helping Google, Facebook and others build up records of user behavior could have a potentially horrific outcome. You can’t keep acting like Roe is still the law of the land.”