 July 2, 2022  Posted by  Breaches, Business, Healthcare

Online Abortion Pill Provider Hey Jane Used Tracking Tools That Sent Visitor Data to Meta, Google, and Others

Personal information from reviewers was also exposed until The Markup’s inquiry

By: Jon Keegan and Dara Kerr

Originally published on themarkup.org

Hey Jane, an online abortion pill provider, performs a service that pro-choice advocates say has become critically important since the U.S. Supreme Court overturned Roe v. Wade last week.

“Get fast, safe and affordable abortion pills shipped to your home,” reads Hey Jane’s homepage. “Consult with a medical provider within 24 hours. Medications are shipped daily.” Hey Jane, which only operates in states where abortion is legal and says it has served nearly 10,000 patients, promises customers “discreet care on your schedule.”

But an analysis of Hey Jane’s website with The Markup’s Blacklight privacy inspector tool showed the site employed a series of online trackers that follow users across the internet. The trackers notified Google, Facebook’s parent company Meta, payments processor Stripe, and four analytics firms when users visited its site.

The Markup also found personally identifying information of customers in the data powering Hey Jane’s reviews section, including one reviewer’s Instagram handle and the hometowns of others. The reviews were served by a third-party service called Reviews.io.

Shortly after The Markup notified Hey Jane of our findings, all user reviews were removed from the main site. Reviews were still visible on a Hey Jane Google search results ad landing page and on Reviews.io’s Hey Jane page, but the sensitive data did not appear to be public in these reviews.

Hey Jane also removed Meta’s tracking code and four analytics trackers. Kiki Freedman, CEO of Hey Jane, told The Markup in an emailed statement, “As the regulatory environment has become increasingly hostile, we have chosen to remove the Meta Pixel from the site as we determine how to best mitigate potential risks to our patients and providers.”

Freedman said, “Patients can rest assured that Hey Jane provides safe, private, legal, and compassionate care. We take data security and our patients’ safety and privacy incredibly seriously.”

Reviews.io did not respond to a request for comment.

Online tracking is legal and a widespread e-commerce practice. Companies may include third-party trackers to measure website traffic and the effectiveness of ads on social media platforms. These tools are free to use, and the companies that build the trackers, like Google and Meta, keep the data. But in the case of people seeking abortions—which are so far illegal in seven states following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization—tracking and sharing personally identifying information could become a critical privacy issue.

Privacy advocates say there could be unanticipated consequences in allowing personal data of people who’ve sought abortions to flow from medical providers, like Hey Jane, to ad tracking companies and social media platforms. Police and anti-abortion groups could feasibly subpoena or buy that data and then use it to target people—even those who live in states where abortion is still legal.

“Sexual and reproductive health and abortion pills makes it feel like [tracking] should be more private. But, legally, it’s no different than your potato chip preference or what shoes you like to buy,” said India McKinney, director of federal affairs for the Electronic Frontier Foundation. “There is nothing that they are doing that is illegal. That is the problem.”

Other companies and nonprofits that provide reproductive health care and assistance have also tracked users. For example, period-tracking apps have been found collecting, storing, and sharing data with third parties. And last October, The Markup discovered that Planned Parenthood had 28 ad trackers and 40 third-party cookies tracking visitors to its website. It currently still has 26 ad trackers and has increased its third-party cookies to 58, according to our Blacklight tool.

Planned Parenthood told The Washington Post on Thursday that it plans to remove ad trackers on its search pages related to abortion. The health care provider did not immediately respond to a request for comment when asked by The Markup for specificity on which trackers are to be removed and the timeline for removal.

Now, in a newly fractured landscape with diminished access to abortion providers across the U.S., reproductive health advocates say abortion pills such as the FDA-approved drugs misoprostol and mifepristone could offer private and safe abortion care. And being able to order the medications online and have them delivered through the mail could offer access in states where abortion is now illegal.

Hey Jane says on its website that it’s “putting the power back in people’s hands” and describes itself as a “virtual clinic.” The startup was founded in 2019 by Gaby Izarra and Freedman, both of whom have worked at Silicon Valley companies like Uber, Webflow, and Autodesk.

Based in New York, Hey Jane has raised $3.6 million in venture capital funding and is seeking to raise more from investors and expand its offering by providing customers with birth control pills.

The Trackers

Hey Jane’s stated policy is that it provides services to patients who are at least 18 years old, up to 10 weeks pregnant, and otherwise medically eligible, and who reside in California, Colorado, Illinois, New Mexico, New York, or Washington—some of the states where abortion continues to be legal. It also offers financial assistance through partners to help with the $249 price tag for the two-drug regimen.

The company says in its privacy policy that it allows third parties to “collect information about your online activities” and then use that data for tailored advertising. It adds that it’s “not responsible for the privacy practices of these third parties.”

Using Blacklight, The Markup detected five ad trackers on Hey Jane’s website, including Meta’s tracking pixel, which was removed after we emailed the company with our findings. The number of trackers is lower than the average found on websites that we measured using Blacklight. The purpose of the requests to Meta’s servers was to track page views. Such tracking data can be used by other websites to target Hey Jane’s visitors with ads on Facebook and to measure the effectiveness of ads on the platform. Freedman confirmed the company had used the Meta Pixel for running ads on Facebook and Instagram.

Meta’s policies prohibit businesses from sending sensitive health data to Meta’s servers, and in response to scrutiny from multiple investigations in 2019, the company created a tool it said automatically identifies and filters out incoming sensitive health data. However, a recent investigation from The Markup and Reveal showed how Meta’s tracking tools are still collecting information from abortion seekers visiting websites with Meta’s pixel code.

In response to a request for comment, Meta spokesperson Dale Hogan sent us a link to the company’s sensitive health policy.

Tracking requests from Hey Jane were also sent to Alphabet’s Google Analytics servers for page views. Freedman said, “The vast majority of Hey Jane patients discover our service through Google ads” and that the company follows Google’s recommended best practices to protect personally identifiable information, such as anonymizing users’ IP addresses.

Google did not respond to a request for comment.

Tracking page views is a common way to measure and understand website traffic, but the type of website a person clicks on could reveal personal details. In the case of Hey Jane, when someone visits webpages like “How to get an abortion” and clicks on button texts like “Get Started,” it could reflect an interest in having an abortion—and, with trackers, that visitor information can be sent to Meta and Google.

Using Mozilla’s Pixel Hunt project (a collaboration between Mozilla Rally and The Markup that tracks data sent to Facebook for use in ad targeting), we found that Meta collected this type of information from a visitor to Hey Jane’s website in March. A user in our anonymous panel clicked on Hey Jane’s homepage, which is titled “Abortion Pill Delivery | Hey Jane | Online Abortion Clinic,” and Meta’s tracker reported the data from that visit to its servers for potential ad targeting.

Shortly after we contacted Hey Jane, tracking scripts from Meta and four analytics firms were removed from its site, though Alphabet’s Google Analytics and a tracking script from payment processor Stripe remained. Stripe uses a technique called canvas fingerprinting, which can evade third-party cookie blockers.

Freedman said Hey Jane’s use of Stripe is part of Stripe’s fraud prevention effort and that the website has a business agreement with the payments provider to ensure HIPAA compliance and that any data collected cannot be shared with third parties.

Stripe spokesperson Stephen Carter confirmed that this use of its tracker was for fraud protection.

Freedman said Hey Jane has also removed user reviews from its main site to “further mitigate the potential risks for our patients and providers.” But she defended the use of reviews as a method to allow patients to share their experiences.

“The reviews reassure patients that they’re not alone—others have shared their same experience. They can opt out of the review altogether, or remain anonymous at the tap of a button. But for many, providing a name humanizes the story—it’s a small way for our patients to demonstrate that they’re not ashamed of their choice, if they want,” Freedman said.

This appeared to be the case for the Hey Jane customer we found in the reviewer data. The Markup reached out to her using the Instagram profile we found, and she said she hoped sharing her name and identifying information would allow others to reach out to her with questions about the process.

Freedman in her statement called for big tech companies such as Alphabet and Meta to “… publicly commit to responsible use of this data, given the essential nature of their platforms in spreading critical information to patients who need it.”

When people see that sensitive information has been shared, “they say, ‘oh my god, this is really creepy and really scary.’ But it doesn’t have to be that way,” EFF’s McKinney said, adding that she believes federal privacy laws could fix a lot of these issues. “Privacy is a fundamental human right. And it’s critically important to have federal legislation to protect that right.”

This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.
