Wherever you are, we wish you a happy Friday from beautiful Portsmouth, New Hampshire.

Deanonymizing data sets is not new to the privacy community. However, the prospect of deanonymizing period tracking application data has renewed privacy concerns in a post-Roe v. Wade America.

For context, the leaked draft opinion in Dobbs v. Jackson Women’s Health Organization indicated conservative justices are poised to revoke the constitutional right to an abortion first articulated in Roe v. Wade nearly 50 years ago. And while votes and the final wording of opinions frequently change before the final draft is released, the 6-3 conservative majority signals that overturning Roe is all but inevitable. A reversal could lead to further limits to or an outright ban to abortion in a number of states, home to roughly half of U.S. women.

Outlawing abortion in these states — including Louisiana, where lawmakers advanced a bill to classify abortion as a homicide — has raised concerns that law enforcement could use aggregated data sets to identify women who receive treatment in violation of state law. In Texas, for example, lawmakers recently enacted a controversial law which bans abortion after roughly six weeks. The law empowers private citizens to enforce the ban through payments of roughly $10,000 for anyone who sues an abortion provider.

Vice recently published a series of articles in which it purchased aggregated smartphone data sets from data brokers of users of period tracking apps and location data of visitors to clinics that provide abortions. While the data sets did not directly identify visitors, researchers have demonstrated that even in aggregated data sets, it is often possible to pinpoint a person’s identity by triangulating information from different data sources. This reality ushers in what Zeynep Tufekci described in her New York Times column this week as “a terrifying rabbit hole of privacy abuse.”

At least one data broker, SafeGraph, has been receptive to these calls for concern. In a blog post earlier this month, SafeGraph CEO Auren Hoffman wrote, “In light of potential federal changes in family planning access, we're removing Patterns data for locations classified as NAICS code 621410 (‘Family Planning Centers’) from our self-serve ‘shop’ and API to curtail any potential misuse of its data.” But SafeGraph is one of many brokers, others are still trading in these kinds of highly sensitive data.  

It remains to be seen the overall impact and outcome of Dobbs and its effect on privacy, but that hasn’t stopped lawmakers from trying to intervene. Congresswoman Suzan DelBene, D-Wash., wrote, “because our tech laws are so behind, the personal information of millions of women is currently at risk. This includes data from internet searches about reproductive health care including abortions, menstrual tracking and other women’s health apps, and which medical facilities a woman has visited.” DelBene’s press release also points to her 2021 National Transparency and Personal Data Control Act, which would regulate, among other things, consumer health app data to decrease the chances for abuse.

Keep up to date with IAPP’s Daily Dashboard for breaking stories on health privacy, and be sure to check out IAPP Editorial Director, Jedidiah Bracy's, CIPP, article examining the right-to-privacy concerns post-Roe.