By Grace Oldham and Dhruv Mehrotra / Reveal
This story is a collaboration with The Markup.
Facebook is collecting ultra-sensitive personal data about abortion seekers and enabling anti-abortion organizations to use that data as a tool to target and influence people online, in violation of its own policies and promises.
In the wake of a leaked Supreme Court opinion signaling the likely end of nationwide abortion protections, privacy experts are sounding alarms about all the ways people’s data trails could be used against them if some states criminalize abortion.
A joint investigation by Reveal from The Center for Investigative Reporting and The Markup found that the world’s largest social media platform is already collecting data about people who visit the websites of hundreds of crisis pregnancy centers, which are quasi-health clinics, mostly run by religiously aligned organizations whose mission is to persuade people to choose an option other than abortion.
Meta, Facebook’s parent company, prohibits websites and apps that use Facebook’s advertising technology from sending Facebook “sexual and reproductive health” data. After investigations by The Wall Street Journal in 2019 and New York state regulators in 2021, the social media giant created a machine-learning system to help detect sensitive health data and blocked data that contained any of 70,000 health-related terms.
But Reveal and The Markup have found Facebook’s code on the websites of hundreds of anti-abortion clinics. Using Blacklight, a Markup tool that detects cookies, keyloggers and other types of user-tracking technology on websites, Reveal analyzed the sites of nearly 2,500 crisis pregnancy centers – with data provided by the University of Georgia – and found that at least 294 shared visitor information with Facebook. In many cases, the information was extremely sensitive – for example, whether a person was considering abortion or looking to get a pregnancy test or emergency contraceptives.
In a statement to Reveal and The Markup, Facebook spokesperson Dale Hogan said: “It is against our policies for websites and apps to send sensitive information about people through our Business Tools,” which includes its advertising technology. “Our system is designed to filter out potentially sensitive data it detects, and we work to educate advertisers on how to properly set up our Business Tools.” Facebook declined to answer detailed questions about its filtering systems and policies on data from crisis pregnancy centers. It’s unknown whether the filters caught any of the data, but our investigation showed a significant amount made its way to Facebook.
More than a third of the websites sent data to Facebook when someone made an appointment for an “abortion consultation” or “pre-termination screening.” And at least 39 sites sent Facebook details such as the person’s name, email address or phone number.
Facebook takes in data from crisis pregnancy centers through a tracking tool called the Meta Pixel that works whether or not a person is logged in to their Facebook account. The Pixel is largely an advertising tool that allows businesses to do things like buy Facebook ads targeted to people who have visited their website or to people who share similar interests or demographics with their site’s other visitors. This is a mostly automated process in which the business does not have access to information about the specific users being targeted. It’s not clear how this data is later used.
Crisis pregnancy centers and other businesses can choose whether to install Pixel on their websites, though many website builders and third-party services automatically embed trackers. In 2020, The Markup found that 30% of the 80,000 most popular sites use the ad tracker, and Facebook has said millions of Pixels are on websites across the internet. Facebook says Pixel data can be stored for years.
That personal data can be used in a number of ways. The centers can deliver targeted advertising, on Facebook or elsewhere, aimed at deterring an individual from getting an abortion. It can be used to build anti-abortion ad campaigns – and spread misinformation about reproductive health – targeted at people with similar demographics and interests. And, in the worst-case scenario now contemplated by privacy experts, that digital trail might even be used as evidence against abortion seekers in states where the procedure is outlawed.
“I think this is going to be a wake-up call for millions of Americans about how much danger this tracking puts them in when laws change and people can weaponize these systems in ways that once seemed impossible,” said Albert Fox Cahn, founder and executive director of the New York-based Surveillance Technology Oversight Project.
Facebook and crisis pregnancy centers “are operating with virtually no rules,” he said.
Facebook has policies and filters that are supposed to block sensitive personal data. But the platform’s filters have often proven to be porous against the vast amount of information they take in every day. Essentially, that means the company is putting the onus on its advertising clients to monitor themselves.
And Facebook does not have an incentive to crack down on violations of its advertising policies, said Serge Egelman, research director of the Usable Security & Privacy Group at UC Berkeley’s International Computer Science Institute. “That costs them money to do. As long as they’re not legally obligated to do so, why would they expend any resources to fix this?”
Using Data to Make Abortion ‘Unthinkable’
Crisis pregnancy centers market themselves as being in the “pregnancy resource” business, offering a range of free or low-cost services from pregnancy tests to baby clothing and “options consultations.” But their mission, articulated by Heartbeat International, the largest crisis pregnancy center network in the world, is far more sweeping: “to make abortion unwanted today and unthinkable for future generations.”
Although many centers resemble medical clinics, the majority are not licensed medical facilities. Thus, most are not required to follow most privacy protections against the sharing of personal health information, including the federal Health Insurance Portability and Accountability Act, or HIPAA.
In recent years, crisis pregnancy centers have become increasingly savvy about targeting people using sophisticated digital tools and infrastructure. Heartbeat International, for example, has developed suites of products to help individual centers improve their online presence, digital advertising and data management. These online tools enable the centers to amass highly personal information, including medical histories, details about prior pregnancies and even ultrasound photos, and store and share that information with networks of anti-abortion partners.
As Heartbeat International says on its webpage marketing its data management system: “Big data is revolutionizing all sorts of industries. Why shouldn’t it do the same for a critical ministry like ours?”
When asked about Heartbeat International’s data-sharing practices, spokesperson Andrea Trudden said, “Heartbeat International encourages all pregnancy help organizations to utilize a variety of marketing to reach those seeking pregnancy help.” But, she said, “we do not require affiliates to provide such details to us.”
Crisis pregnancy centers also have been documented as spreading false or misleading information about abortion, contraceptives and other reproductive health topics, including on Facebook. In 2021, the Center for Countering Digital Hate found that Facebook showed ads promoting an unproven medical procedure known as abortion pill reversal as many as 18.4 million times. Many of those advertisements were linked to Heartbeat International’s Abortion Pill Rescue Network project, which did not respond to a request for comment.
How We Tracked the Data
To test how Facebook and crisis pregnancy centers have been using the data the Pixel collects, Reveal reporter Grace Oldham created a new Facebook profile in late April solely for this investigation. Then, while logged in to Facebook, she visited the 294 crisis pregnancy center websites that Blacklight found to have a Pixel, clicking through each website and, when available, filling out appointment request forms. Oldham conducted the research in a clean browser with a cleared cache.
In early May, she and Reveal data reporter Dhruv Mehrotra used Meta’s Privacy Center to download and review the data of the clean Facebook account. They found that Facebook retained data about Oldham’s interactions with 88% of those crisis pregnancy center websites, linking her behavior to her Facebook profile. For instance, Facebook knew Oldham had scheduled an appointment with the Pregnancy Resource Center of Owasso, Oklahoma. That state’s Republican governor, Kevin Stitt, signed a law in late May that bans virtually all abortions from the point of fertilization and took effect immediately. The Owasso center did not respond to a request for comment, but after we reached out, Facebook’s tracking Pixel was removed from every page on the center’s website.
Our analysis found that in states that will ban most or all abortions if Roe v. Wade is overturned, at least 120 crisis pregnancy centers sent data to Facebook about their website visitors. In Tennessee, for example, where the Human Life Protection Act is poised to outlaw abortion statewide, Facebook retained data from Oldham’s interactions with 11 centers. Next Steps Resources in Dunlap sent data to Facebook about every single page Oldham visited on its site. Facebook stored that data and knew that Oldham had submitted an appointment request with the center. Next Steps’ executive director, Debbie Chandler, told Reveal and The Markup that the people she hired to manage her website and marketing disagreed that “any private information was being sent to Facebook.”
We also found that anti-abortion marketing companies gained access to some of Oldham’s Pixel data, even though she never interacted with their websites. These included Choose Life Marketing, whose website claims to help crisis pregnancy centers develop digital strategies to “reach more abortion-minded women,” and Stories Marketing, a social media marketing company for “pregnancy centers and life-affirming organizations.” Those organizations also added Oldham’s Facebook profile to custom audience groups capable of targeting her and people like her with ads for their services, as well as anti-abortion messaging. Choose Life Marketing and Stories Marketing did not respond to requests for comment.
In their online materials, the marketing companies explain why Facebook plays such an important role in their digital strategies. “Facebook ads have the highest return on investment (ROI) of any type of online marketing – even twice the ROI of Google Ads,” Stories Marketing says, adding: “Facebook ads can also be placed on Instagram and other apps for free, extending your reach at no extra cost.” According to Choose Life: “Retargeting is an effective method of keeping your center at the forefront of their minds. … This digital marketing method can also help build credibility and trust as women go through the decision-making process because your center’s name becomes familiar to them.”
We first ran our analysis in February and repeated it using the same methodology in early May. The results of both analyses were similar. As of Tuesday, Facebook still had data about Oldham’s interactions on crisis pregnancy center websites.
Abortion Data Collection ‘Ripe for Abuse’
Cahn, of the Surveillance Technology Oversight Project, expressed concerns about how law enforcement agencies could use Facebook data to find people seeking abortions should the procedure become illegal in some states. “It’s ripe for abuse,” he said of Facebook’s data collection. “It seems indefensible to me that we are allowing companies to have so much power to expose our most intimate moments to these platforms and have them use it against us.”
In recent years, law enforcement agencies have barraged tech companies like Google and Uber with demands for user data. Often, these legal requests don’t target individual suspects but instead compel the company to divulge data about people in a particular place or searches using specific keywords. According to the most recent data available from Facebook’s Transparency Center, the company received nearly 60,000 government requests for data from July to December 2021 and complied 88% of the time.
Although crisis pregnancy centers could provide law enforcement with data about anyone who had voluntarily provided personal information, they probably don’t have the technology to disclose specific information about individuals who had merely visited their websites. But Facebook is different. Because the social media company can link activity on a crisis pregnancy center site to an individual’s profile, Facebook is in a much better position to divulge granular data about the center’s website visitors than the center itself.
Data from search engine histories played a key role in a 2018 criminal case, in which a Mississippi woman was indicted for second-degree murder after suffering a pregnancy loss at home. The evidence included internet searches the woman had allegedly conducted for how to “buy Misoprostol abortion pill online.” The charges eventually were dropped.
“There’s nothing to stop police from using Facebook ad-targeting data the same way they’ve been using Google’s data, as a mass digital dragnet,” Cahn said.
Laura Lazaro Cabrera, a legal officer at London-based Privacy International, said that even metadata, like the titles of webpages or URLs, can be revealing. “Think about what you can learn from a URL that says something about scheduling an abortion,” she said. “Facebook is in the business of developing algorithms. They know what sorts of information can act as a proxy for personal data.”
Getting Facebook to Fix the Problem
Privacy experts have been warning for years that Facebook’s laissez-faire attitude toward how clients use its advertising technology is vulnerable to exploitation. After The Wall Street Journal and New York state regulators exposed how the social media behemoth collected sensitive user data from popular health apps that chart everything from heart rates to menstrual cycles, Facebook claimed to have implemented sophisticated filtering mechanisms to detect and prevent it from taking in sensitive health data. According to the Journal, the filters were supposed to block “70,000 terms related to topics such as sexual health and medical conditions.”
But our investigation found that Facebook has continued to ingest data from webpages with obvious sexual health information – including ones with URLs that include phrases such as “post-abortion,” “i-think-im-pregnant” and “abortion-pill.”
Despite Facebook’s official policy prohibiting websites from sending it sensitive health information, it’s unclear what, if anything, the platform does to educate its advertising clients about the policy and proactively enforce it.
One way for Facebook to prevent anti-abortion organizations from misusing its ad technology would be to strengthen the filters it already has in place or to discontinue the Pixel tool entirely. But the reality, said Egelman of UC Berkeley, is that the company’s $115 billion a year in advertising revenue creates a huge financial disincentive to block user information.
“This is their business. The more data they get, the more targeted advertising they can do, and that’s the gravy train for them: targeted ads,” he said. “If they’re proactive about cutting off sites like that, it impacts their revenue in multiple ways.”
In the absence of Facebook action, Egelman says he thinks that the best fix is public pressure and tough legislation. That’s what happened last year, when critical backlash prompted Meta-owned Instagram to shelve its plans for a kids’ version of its social media software.
While no comprehensive federal data privacy legislation currently exists in the United States, a draft of a bill called the American Data Privacy and Protection Act was released in early June that, if passed, could increase the Federal Trade Commission’s power to regulate and enforce how companies can use sensitive health data. Until then, however, it remains up to state legislatures to enact consumer privacy protections.
Brandie Nonnecke, founding director of the CITRIS Policy Lab at UC Berkeley, said the European Union is creating stronger protections that would apply through the Digital Services Act. The new guidelines, which are awaiting formal approval by the European Parliament and EU Council, will require large online platforms, like Facebook, and search engines to proactively identify ways their systems could be abused and create strategies to prevent that misuse.
“We’re not in a place where there is robust enough transparency and accountability on these data ecosystems and how they’re being used,” she said, “and especially the vulnerabilities to individuals.”
Byard Duncan and Surya Mattu contributed to this story. It was edited by Nina Martin, Soo Oh, Rina Palta and Andrew Donohue and copy edited by Nikki Frick.