Apple urged to address privacy gaps to protect reproductive health data

Attorneys general from 10 states are urging Apple to address privacy gaps in its products after the U.S. Supreme Court ruled that states can ban abortion. (Air Force)

Ten state attorneys general are urging Apple to address possible gaps in the tech giant’s privacy protections to ensure consumers’ reproductive health data is secure from possible law enforcement or individual action, in the wake of the U.S. Supreme Court’s abortion ruling.

The letter to Apple CEO Tim Cook is signed by attorneys general from California, Connecticut, the District of Columbia, Illinois, Massachusetts, New Jersey, North Carolina, Oregon, Vermont, and Washington, and follows earlier actions from lawmakers to Google, Apple, and other tech giants to protect the location data of users seeking abortions and other reproductive services.

Google has previously taken action to block location tracking, although a number of congressional members have called on the Federal Trade Commission to investigate the mobile tracking policies used by Google and Apple, as well.

The concern is that prosecutors in states where abortion becomes illegal will be able to “obtain warrants for location information about anyone who has visited an abortion provider. Private actors will also be incentivized by state bounty laws to hunt down women who have obtained or are seeking an abortion,” according to an earlier congressional letter to the FTC.

The latest state-led effort centers on Apple’s “long-promoted” privacy policies, which are touted as the company’s core values on iOS devices and its app store. The state attorneys general believe that Apple has indeed adopted consistent privacy and security measures to meet consumer data privacy goals. 

However, “apps that collect private reproductive health data from consumers frequently fail to meet these same standards or to implement appropriate protections for this sensitive data, exposing consumers that seek or provide reproductive health care to potential action and harassment by law enforcement, private entities, or individuals,” the state leaders wrote.

Indeed, studies over the years have consistently found that health and mental health apps routinely share user data with third parties — often without transparency into those practices.

The state leaders are concerned that these “gaps” in Apple’s privacy protections inevitably threaten not only users' privacy, but their safety. What’s more, these alleged gaps run “directly counter to Apple’s publicly expressed commitment to protect user data.”

“When it comes to app data related to reproductive health, however, Apple has not done enough,” the leaders wrote. Their concern centers on protections for location and search histories, as well as adjacent health data that could relate to “the past, present, or future reproductive or sexual health of an individual.”

This data poses a significant risk to anyone seeking or providing abortions, birth control, and other reproductive care.

Attorneys general ask Apple to clarify privacy policies for consumers

In response, the state attorneys general urge “Apple to require app developers to either certify to Apple or affirmatively represent in their privacy policies” that they delete non-essential data like location and search histories and provide greater transparency into potential third-party disclosures “and require that applications do so only when required by a valid subpoena.”

The attorneys general note that many users are unaware of data-sharing practices of apps they routinely use and the risk they pose, with many apps that collect reproductive health data using “boilerplate statements that do not clearly identify the conditions under which the app shares data with law enforcement.”

“Consumers who are not appropriately apprised of the potential for their interactions with an app to be documented and produced to others — including law enforcement — are thus unable to provide informed consent for the apps’ collection and sharing of their information,” they wrote. This is especially true of younger users that don’t have experience with these data complexities.

Apple should also require any app store applications that routinely collect the reproductive health data of users or sync with user health data on iOS devices to implement the same privacy and security standards used by Apple for that data, at a minimum.

Specifically, the tech giant should implement an auditing process for third-party apps to ensure compliance with Apple’s standards, including biometric and data encryption, use of end-to-end encryption for data transmission, and overall compliance with Apple’s user opt-out controls.

“Long-term, Apple should conduct periodic audits and remove or refuse to list third-party apps in violation of these standards,” the attorneys wrote. In doing so, Apple could ensure reproductive health information is protected “from being wrongfully exploited by those who would use it to harm pregnant people or providers,” while simultaneously raising the bar on privacy protections of these user apps.

“Protecting reproductive privacy in the wake of the Dobbs decision is paramount,” New Jersey Attorney General Matthew J. Platkin said in a statement. This letter is meant to put “Apple executives on notice that New Jersey is prepared to use all its authority to impel them to protect the privacy of those accessing or providing legal reproductive health services.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.