‘Lock it down right now’: Abortion rights advocates prepare for a new wave of digital security threats
Abortion rights groups have for years faced anti-abortion activists shutting down their websites, stealing provider and patient information and using phone location data to advertise anti-abortion materials to people who visit family planning clinics. Prosecutors have also relied on online searches and patient data to inform abortion-related arrests.
In 2017, a Mississippi woman was charged with murdering her stillborn fetus based on a Google search for abortion pills. A top health official in Missouri also said in 2019 that his office has monitored detailed information about Planned Parenthood’s patients, including the timing of their menstrual cycle, to determine if they’ve had failed abortions.
“Our lives are online, our conversations are online, and there are people with an agenda who very much want to use it,” said Erin Matson, co-founder and executive director of Reproaction, an advocacy group that educates people about self-managed abortions. “People have got to lock it down right now.”
In preparation for a possible new post-Roe world, some advocates and providers have already reassessed their internal digital security strategies. At Repro Legal Helpline, a hotline where people can call with questions about the legality of an at-home abortion using pills, run by abortion rights group If/When/How, callers have the option to send their questions through secured services like Signal and Proton Mail, said Rebecca Wang, legal support counsel at If/When/How. Wang also said callers are encouraged to use a Tor private browser, Signal, Proton Mail and other encrypted services when researching details about self-managed abortions.
Already, anti-abortion groups like Texas Right to Life have been known to set up tip lines to report people who have received abortions. Advocates worry tactics like those will escalate to full data breaches to steal identifiable patient and abortion provider information.
Texas Right to Life did not respond to a request for comment for this story, nor did a number of other anti-abortion groups, including National Right to Life and Susan B. Anthony Pro-Life America. Spokespeople for attorneys general in Texas and Oklahoma, two of the states advocates are most concerned about, also did not respond.
Resource-strapped abortion-rights groups say they’re worried if they don’t wipe all their digital footprints before the justices rule, it will be too late.
Reproaction met with their cybersecurity specialist Monday to review their strategies but said they weren’t likely to change their existing digital security policies yet as they focus on physical safety. Abortion rights groups have been flooding cybersecurity firm Cloudflare with questions about how to better secure their data on abortion providers, said Alissa Starzak, global head of public policy for Cloudflare.
“There’s a lot more interest in making sure that information is secure, that people are protected and that information won’t be disclosed publicly,” Starzak said.
Some of these threats aren’t new. Abortion providers and abortion-rights groups have been fending off website hacks and network takedowns for years, and it’s hard to predict whether the threat landscape will change that dramatically.
Prosecutors haven’t expressed a direct interest in using online data in abortion-related arrests, and anti-abortion groups could focus more on in-person protests at clinics.
But providers and abortion rights groups are still bracing for the worst.
With the number of clinics likely decreasing in states that add restrictions, anti-abortion hackers could focus in more aggressively on those that remain, for example through website takedowns or infiltrating their computer networks to steal provider and patient information.
Nationwide providers like Planned Parenthood and Whole Woman’s Health, and smaller clinics like A Preferred Women’s Health Center in North Carolina and Georgia, have faced hacking attempts on their sites dating back to 2015. POLITICO has reported that Planned Parenthood, which didn’t respond to a request for comment for this story, even reached out to the FBI to help investigate who was behind the attack and the extent of the damage. Despite having a cybersecurity specialist on their payroll, Whole Woman’s Health still continued to battle website shutdowns — some lasting roughly a month — after an initial 2017 malware attack.
Kat Green, managing director of advocacy group Abortion Access Front, knows anti-abortion activists’ attack strategy well. Last year, her organization, which educates people about abortion access through comedy shows and other media-focused initiatives, published a blog post identifying anti-abortion activists they believed were at the Capitol during the Jan. 6 insurrection.
They expected pushback. Instead, they got a different kind of threat: hackers upset with Abortion Access Front’s post who retaliated by attacking their websites. “They took down all three sites for about half a day,” she said.
Abortion Access Front installed a website plugin called Wordfence in early 2021 to prevent low-level bot attacks trying to take down their site and just “hardened our security across the board,” Green said.
They haven’t been taken offline since, but Green said that attacks have continued.
In a world without Roe v. Wade, advocates and surveillance experts warn that the currently high level of attacks hitting providers and abortion rights groups could seem entirely normal — or increase — adding another strain to already resource-strapped abortion advocates and abortion care providers.
“The reality is that everybody is so heads down in the work [and] just trying to help people as best they can while they can that they’re not thinking about their own safety,” Green said.
But the biggest risk might be not from hackers but rather from law enforcement, which can seize suspects’ phones.
“The most likely situation right now is that a person gets reported by a relative or ER nurse, and then if they are in a state like Texas, the state simply shows up and searches their phone,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.
Andrea Ritchie, a co-lead of Interrupting Criminalization, an advocacy group, said law enforcement already relies heavily on text messages and other data collected through phone seizures in drug- and sex work-related charges. “It’s very easy to imagine how that process would continue when law enforcement has another tool available,” Ritchie said.
While many groups have had these issues top of mind since at least former President Donald Trump’s election in 2016, those that haven’t already found ways to minimize data collection for their clients and employees could find it’s too late.
“It is my experience that when things start to go wrong, they go wrong very, very quickly,” Galperin said.
Anything from text messages to location data would be trackable using seized devices — a data trove so expansive that it’s difficult for any resource-strapped group or potential patient to fully protect, said Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy, who runs the university’s data broker research efforts.
“It’s hard,” Sherman said. “You get into these scenarios where we’re putting people who are already marginalized and already dealing with so much in these horrible, ridiculous corners, and yet it’s still expected that they are the ones who need to be doing more on privacy.”
Within Reproaction, the group shies away from using easily accessible Google Docs and is mindful of when they even take notes at certain meetings, Matson said. The Abortion Access Front also uses Signal when they’re at protests, makes their social media accounts private and works with an information scrubbing service to remove home addresses and other personal details from the internet, Green said.
That said, it isn’t clear exactly what the dangers will be, or how severe. Most prosecutors and criminal investigators in the 23 states where abortion access will be immediately banned or further restricted once Roe is overturned aren’t publicly announcing their detailed plans for what data they want to rely on in abortion-related charges.
Local prosecutors in restrictive states have plenty of discretion over which cases they pick up. For example, Gocha Ramirez, a county-level district attorney in Texas, a state with one of the most restrictive laws on the books right now, dropped charges last fall against a person indicted for murder for a “self-induced abortion,” citing “prosecutorial discretion.”
Farah Diaz-Tello, legal director of If/When/How, told a small group of reporters last month that her team hasn’t seen any evidence of prosecutors using data from period-trackers or geolocation info about who’s visited clinics in the cases they’ve handled.
And anti-abortion activists are already known to seek out the personal information about abortion patients to call their families and “try to out them,” said Melissa Fowler, chief program officer at the National Abortion Federation, a professional association for abortion providers.
Starzak said most activists, at least, have been aware of these threats for years, and because of that, many are doing the things they should be doing to be prepared — turning to encrypted apps, limiting user access to internal data and so on.
Abortion-rights groups “are in a better place now than they would’ve been,” Starzak said. “They recognized that they needed to up their security posture a long time ago.”
Still, since POLITICO reported on the draft Supreme Court decision that would overturn Roe in May, online harassment and other digital threats to advocates are already spiking, Green said, noting that she spent an entire day soon after the draft was published helping a colleague handle the online death threats they were receiving.
“There hasn’t been a lot of room for people to make proactive moves to protect their own safety and security,” she said. “It’s coming to light now, and everybody’s really afraid of that.”