Company is a ‘paid informant’
Threads, Meta’s new microblogging platform, could be considered a clear and present danger to women in the US seeking abortions in states where abortion access has been severely restricted. At the same time, it could add to Meta’s bottom line.
It is a poorly kept secret that social media companies — even those that claim user privacy is paramount in their corporate culture — regularly provide information to law enforcement in investigating crimes without the need for court-ordered warrants. All an agency has to do is submit an Emergency Disclosure Form (EDF). That form does not require much in specifics other than the “nature of the emergency” the ID of the users, and where in the company database the information might be found.
Meta provides evidence
Nowhere has the implications of this intentional privacy breach been on display than in the case in Nebraska against a mother and her daughter for providing an abortion for her daughter after 20 weeks of gestation, false reporting, and tampering with human skeletal remains. Regardless of one’s position on abortion, the fact that the key evidence against them was provided by Meta.
Meta responded last year to the claims of their involvement and said, in this case, they were responding to a legitimate warrant but said it never mention abortion. It is possible that the Nebraska prosecutors already had other evidence and were looking for more. A ProPublica story in January revealed that online pharmacies selling abortion medication were sharing sensitive user data with Meta and Google.
Most of the investigations with social media cooperation do not involve abortion but investigating agencies do not have to specify a crime if they are using an EDF. Some states, like California, prohibit state law enforcement agencies from cooperating with investigations into abortion deemed illegal in other states, but if the crime is not specified, they have not reason to refuse.
Cooperation is profitable
What is not as widely reported is that the cooperating companies charge for this service. Meta fielded more than 450,000 of these requests in the last half of 2022, representing millions of dollars in revenue. And Threads has the potential for providing even more information.
When Threads was launched, security professionals were stunned by the amount of information Meta admitted it would be collecting as part of the user agreement. Beyond the basics of location and browsing history data, Threads also collects financial information, health and fitness data, diagnostics, and a chillingly obtuse “sensitive information.” That means if a user does a search for or discusses “abortion” “day-after pills,” of “Planned Parenthood,” that information could end up in the hands of an investigator.
Meta claims that private texts can be end-to-end encrypted, but like everything Meta, Alphabet, Twitter, and Linkedin puts out, the user has to turn on that capability in settings. It doesn’t come turned on. In the case of Threads, the lack of de facto encryption and the much broader list of data access demands for sensitive data is why Threads is not active in the European Union, as that jurisdiction has stricter privacy laws.
And it is not just women seeking abortions but anyone who helps them get medical assistance. Some states, like Nebraska and Texas, have prison penalties for friends and family that provide assistance. Even if someone in California, where abortion access is still easy, provides information, funding, housing, or transportation for abortion services can be subject to extradition on criminal charges, or sued in civil court.
Best defenses
The best defense against incriminating yourself over social media is to just not use social media, including search. As Ian Thornton-Trump, CISO for Cyjax in the UK, said, “All social media is a threat.” But in this current situation, that is an unreasonable suggestion.
If you are using social media and search, the next best thing to do is set every security feature you can, especially end-to-end encryption. Don’t assume a social media company will help you. They have an overwhelming financial expectation to collect as much data on users as possible.
Second, be more circumspect with the people you allow to follow you or connect with you. In these polarized times, one of them may turn you in based on your published opinions.
Finally, avoid FOMO (fear of missing out) when it comes to technology adoption. The collapse of Twitter has spawned dozens of competing social media platforms, most of which are not focused on your security. Threads is the obvious one and should be avoided no matter how many millions of celebrities and influencers have joined. BlueSky and Spill are gaining traction but neither have revealed what their security profile is. Mastodon, as a non-profit enterprise, lacks the financial incentive of Twitter, Meta, or Google, so sharing personal data is not an issue. For private communications, it is safer to talk on platforms that set encryption as de facto, like Signal.
Both Meta and Google were asked for input for this story but as of the publication date, no responses were offered.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.