Letter to Apple CEO Highlights Security Gaps Posing Risks to Privacy & Safety of App Users
For Immediate Release: November 21, 2022
Office of the Attorney General
– Matthew J. Platkin, Attorney General
Division of Law
– Michael T.G. Long, Director
TRENTON – Attorney General Matthew J. Platkin today led a multistate coalition expressing concerns regarding reproductive health privacy on Apple’s App Store (the “App Store”) following the U.S. Supreme Court’s Dobbs decision overturning Roe v. Wade and urging Apple to take commonsense steps to protect consumers’ private reproductive health information.
In a letter sent today to Apple CEO Tim Cook, Attorney General Platkin led a group of 10 Attorneys General calling for privacy-enhancing measures.
As the letter explains, Apple has long promoted privacy as one of its “core values” on both the iOS platform and the App Store and has adopted a number of privacy and security measures that are consistent with its stated goals of protecting consumers’ privacy. But apps that collect private reproductive health data from consumers frequently fail to meet these same standards or to implement appropriate protections for this sensitive data, exposing consumers that seek or provide reproductive health care to potential action and harassment by law enforcement, private entities, or individuals.
This gap in Apple’s protections threatens the privacy and safety of App Store consumers, and runs directly counter to Apple’s publicly expressed commitment to protect user data.
Given the demonstrated risk that location history, search history, and adjacent health data pose to individuals seeking or providing abortions or other reproductive health care, Attorney General Platkin and the other Attorneys General urge Apple to require app developers to either certify to Apple or affirmatively represent in their privacy policies that they will take the following security measures:
- Delete data not essential for the use of the application, including location history, search history, and any other related data of consumers who may be seeking, accessing, or helping to provide reproductive health care;
- Provide clear and conspicuous notices regarding the potential for App Store applications to disclose user data related to reproductive health care, and require that applications do so only when required by a valid subpoena, search warrant, or court order; and
- Require App Store applications that collect consumers’ reproductive health data or that sync with user health data stored on Apple devices to implement at least the same privacy and security standards as Apple with regard to that data.
The proposed measures would safeguard reproductive health information from being wrongfully exploited by those who would use it to harm pregnant people or providers and are consistent with Apple’s professed promises of privacy protection on the App Store, the letter explains.
“Protecting reproductive privacy in the wake of the Dobbs decision is paramount. Despite promoting privacy as one of its ‘core values,’ Apple simply has not done enough to ensure that private reproductive health data collected and stored by apps will not be used to track, harass, or criminalize those seeking to exercise their reproductive freedoms,” said Attorney General Platkin. “With this letter, we are putting Apple executives on notice that New Jersey is prepared to use all its authority to impel them to protect the privacy of those accessing or providing legal reproductive health services.”
Today’s letter details several reasons why it is necessary for Apple to pursue each of these data-protection measures in the wake of the Dobbs decision.
The letter explains that deleting data related to reproductive health care is the first line of defense to protect consumers who, often unknowingly, leave digital trails of their actions to obtain or provide reproductive health care. At the same time, the letter highlights that what data apps do retain and share is often obscured by vague and unclear privacy policies—making it impossible for consumers to make informed decisions about who to trust with their sensitive reproductive health data. This makes it critical for Apple to ensure that apps provide clear and conspicuous notices regarding third-party access to reproductive health data, the letter explains.
Finally, the letter makes it clear that it’s not enough that Apple protects the reproductive health data it collects and stores. Apple’s purported commitment to privacy and consumer protection demands that the company require the same vigilance on the part of third-party apps that sync with Apple Health, as well as apps that collect reproductive health data from consumers.
Specifically, the letter urges Apple to implement a clear process to audit third-party apps’ compliance with Apple’s privacy and security standards. At a minimum, Apple should require apps on the App Store to meet certain threshold security requirements, such as encryption of biometric and other sensitive health data stored on applications, use of end-to-end encryption when transmitting said data, and compliance with Apple’s user opt-out controls. Compliance with these measures should be represented in the privacy policies of App Store apps. Long-term, Apple should conduct periodic audits and remove or refuse to list third-party apps in violation of these standards.
The letter sent today is the latest step New Jersey has taken to protect reproductive rights in the aftermath of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned nearly half a century of settled precedent and held that the U.S. Constitution does not protect the right to an abortion.
One week after the Dobbs decision was handed down, Governor Phil Murphy signed legislation establishing protections for patients and providers. For patients, the legislation helps ensure that those who seek reproductive health care in New Jersey can access confidential care. For providers, the legislation prohibits New Jersey’s professional licensing boards from taking disciplinary action against healthcare practitioners who provide reproductive health care that is legal in New Jersey.
On July 11, 2022, to further support access to abortion care in New Jersey, Attorney General Platkin announced the creation of a Reproductive Rights Strike Force (“Strike Force”), comprised of officials across the Department of Law & Public Safety. The role of the Strike Force is to recommend civil and criminal enforcement actions and develop other strategic initiatives to protect access to reproductive health care for New Jersey residents and residents of other states who travel to New Jersey to access such care.
Joining Attorney General Platkin in signing the letter are the attorneys general of California, Connecticut, the District of Columbia, Illinois, Massachusetts, North Carolina, Oregon, Vermont, and Washington.
A copy of the comment letter is available here.