By Jasmine Mithani, The 19th
This article was originally published on The 19th.
In November, a study revealed how easily foreign governments could use companies known as data brokers to purchase personal information about U.S. military personnel. In some cases, researchers paid less than a quarter per record for information that included home addresses, cell phone numbers, and sensitive health data.
Congress reacted quickly; the House passed legislation this year that seeks to restrict the sale of “personally identifiable sensitive data” of American residents to North Korea, China, Russia, or Iran, or any businesses or individuals in any of those countries. The Protecting Americans’ Data from Foreign Adversaries Act of 2024 is now with the Senate’s committee on Commerce, Science, and Transportation.
Data brokers are analytics companies that compile dossiers about all of us, combing thousands of sources, including DMVs, licensing agencies, and social media. They then sell it to law enforcement, immigration authorities, and insurance companies. (If you’ve ever been contacted about a class-action lawsuit, your information could have been provided by a data broker.)
For many people who work at abortion providers or in the reproductive health space, the problem isn’t foreign governments buying their information. It’s fellow Americans who oppose abortion who want to target them, often to directly threaten them. And national legislation to protect digital privacy has stalled for years.
One of the most insidious forms of violence to emerge over the past decade is doxxing, or the public release of personal contact information to facilitate harassment. Part of the reason doxxing is so common is because of the ease of access to this information granted by data brokers, which often charge only a small fee.
Jessica Ensley first became aware of data brokers in 2017, when she joined Reproaction, an organization focused on increasing access to abortion and advancing reproductive justice. During her training she was advised to search herself online and remove as much information as possible.
“The first time that I did it, I was absolutely horrified at how easy it was to find all of the addresses where I had lived. You could create a very clear trail of where I was, who my family is, where I’ve been, where I went to school, where I live now,” Ensley said. “I found it very disturbing.”
Now Ensley is the senior vice president of outreach at Reproaction, and part of her duties involve leading staff security. She keeps tabs on possible threats, leads frequent privacy trainings and is always seeking outside expertise on the best ways to keep workers safe.
“I think everybody should be worried generally about their digital information, digital security, and their digital footprint. But it is very much so repro workers that are targets of a lot of harassment and doxxing threats,” Ensley said.
The 19th spoke with several workers in reproductive health and justice, but some declined to speak on the record due to concerns about becoming a target of doxxing or worsening ongoing abuse.
The post-Dobbs reality
When Sarah Philips started organizing around abortion access in college in Texas eight years ago, an older mentor at an abortion fund told her to start paying attention to her personal information online. The mentor paid for Philips to have access to DeleteMe, a subscription service that monitors data brokers for personal information and automatically requests takedowns.
“If she hadn’t said that, I would have had no idea that this is even a thing,” Philips said. That experience helped lead her to work at Fight for The Future, a nonprofit focused on protecting digital privacy and freedom of expression.
Especially in the wake of the Supreme Court decision that ended a federal right to abortion, reproductive health and justice advocates are more visible online, Philips said. “You’re fundraising online, you’re doing fund-a-thons online, you’re educating people about Supreme Court cases, you’re talking to the media. We have to do all those things because of the state of reproductive and abortion access right now.”
That digital presence is necessary to raise awareness about services and current legislation, but it can come at a cost. After Eugenia Schauerman, admin and accounting manager at Northwest Abortion Access Fund (NWAAF), was interviewed for a state newspaper, a clinic received mailed threats meant for her.
When Schauerman first started working with abortion funds, she used her home address for business filings. Now she’s much more careful. She maintains a separate phone number to catch people who call to harass her.
Sometimes people silence themselves, avoiding media appearances, out of fear of harassment or violence.
“What’s so hard is that sometimes for our clients, their story could make a difference in the world, right? Their story could be really persuasive, but it’s so unsafe for them to have that story shared publicly, and that is really hard to see,” said Sara Ainsworth, senior legal and policy director at If/When/How: Lawyering for Reproductive Justice, which offers legal services through the Repro Legal Helpline.
Some of the clients represented by the organization have been doxxed or swatted, which is when someone calls in a false threat to someone’s home that results in a raid by a SWAT team. Ainsworth noted that this kind of harassment is extremely dangerous for people of color and people who have already been targeted by the criminal legal system.
Ainsworth said she has observed “an uptick in boldness” from people seeking to harass their clients, and “more certainty from those who would target them that they have state power behind them.”
The anti-abortion movement has gotten much more aggressive, said Melissa Ryan, CEO of CARD Strategies, a consulting firm that helps nonprofit organizations deal with targeted harassment, extremism and disinformation.
“When you have someone’s personal information released online, they’re immediately under threat from a movement that is known to be violent and dangerous,” she said.
Perpetrators also know there will not be strong consequences.
Removing information costs time and money
The most common way to prevent doxxing is to periodically remove your information from individual data broker sites. Organizations like the Digital Defense Fund, which provides cybersecurity training and grants for the abortion rights movement and was cited by many people interviewed for this article, compile guides on how to submit removal requests.
One resource shared by DDF recommends 24 data brokers to audit for your personal information. Another lists 220. More than double that number were registered in California in 2023. In Vermont, triple.
One of the most daunting aspects is that data brokers constantly are scanning for public information. Ensley said her coworkers find it shocking that they need to repeat the information removal process over and over. She recommends reviewing data brokers for personal information each quarter. But the process isn’t easy and is often intentionally difficult to complete.
“There is no set standard among data brokers’ sites as to how to get your information removed,” Ensley said. “It’s often very tricky to find.”
Ensley said she has even seen some data brokers require someone to watch ads as part of the process of trying to request information removal.
The convoluted, time-intensive process has an alternative: paying for a service to do it. One of the most popular is DeleteMe, which costs $129 per person for a year-long subscription. Since new data brokers are always popping up and more established ones recompile personal information, someone concerned about doxxing needs to subscribe indefinitely.
The expense can be difficult for both individuals and their employers. Some organizations do pay for personal information deletion services, but even then, if an employee leaves, the protection doesn’t follow them.
Lower-level workers can be more vulnerable to harassment.
“Folks who are higher up in an organization are going to naturally have more protection most of the time, because organizations are built to protect people with power, versus someone who was an associate level staffer or an intern,” Ryan said.
The threats against Schauerman marked a turning point for the employees at NWAAF, who increased pressure on the board of directors to provide stronger safety protections for workers, said Jade Pfaefflin Bounds, the former volunteer and training coordinator. The staff sent a list of demands about pay equity and safety concerns to the board in 2022, less than a month after the Dobbs decision.
When the abortion fund decided to pay for a personal information removal service for employees, it felt like a blanket solution to a complex problem. Pfaefflin Bounds had a lot of questions about how the service worked and what sorts of information needed to be scrubbed. He was unsure how it would cover him as a trans person who changed his name. Did he also need to purchase a subscription for his husband, in case the two of them could be linked?
This confusion about data brokers is common. The general public has never heard of most data brokers, and neither have many lawmakers, said Sarah Lamdan, a professor at CUNY Law School and author of “Data Cartels: The Companies That Control and Monopolize Our Information,” even as there’s more data about us than ever before.
Signing away the right to data privacy is a common condition of many apps such as Grindr and DoorDash, and companies like Meta track people who don’t even have registered accounts.
“There are all sorts of places where we don’t have much choice about submitting data. It’s not like the choice to stay on or off social media or to have a public-facing web page for your business,” Lamdan said.
Cell phones, identification cards and marriage licenses are all potential sources of intimate information that are unavoidable in today’s world.
Attempts to regulate data brokers have been met with intense lobbying. Law enforcement is a large user of data brokers, Lamdan said, and the industry uses that connection to leverage pushback to highlight their importance to national security.
California, Oregon, Texas, and Vermont have all passed laws that require data brokers to register with the state. In Oregon, Texas, and Vermont, the companies need to say whether they allow people to opt out of having their data collected and explain the process as part of the public registry.
The 2018 law passed in California told data brokers that they needed to allow residents to opt-out of collection. An amendment was passed last year requiring a central portal for Californians to delete their information from all data brokers, to be released by January 1, 2026.
The DELETE Act, introduced to the House for the second time this Congress, would set up a central repository for Americans to delete their information from data brokers. Fight for The Future, where Philips and Pfaefflin Bounds work as organizers, released a public petition urging the creation of a centralized opt-out system last month.
Earlier this month, senators shared a draft of the American Privacy Rights Act of 2024, the first bipartisan federal data privacy law to gain traction in years. However, its current form lacks the central opt-out authority envisioned by the DELETE Act.
More comprehensive privacy legislation could help prevent information being collected in the first place, but digital security advocates say that permanent data broker opt-outs, like those proposed in the DELETE Act, have the highest potential for impact.
Philips is vocal on multiple issues that make her a target for doxxing, like Palestinian liberation and human rights abuses in India. After posting on those topics or publishing an op-ed about abortion, she usually gets a flurry of harassment and people trying to intimidate her by sharing personal information.
If she could, Philips would pay for deletion services for members of her family too because she doesn’t want them to be targeted because of her career. But it would cost hundreds of dollars a year to cover only her immediate family.
“It makes me feel really guilty about the work that I do, because it could expand risk onto other people,” Philips said.
Campaign Action