A new article in Communications of the ACM by Timothy Libert, a doctoral student in the Annenberg School for Communication, demonstrates that web sites – including government web sites such as CDC.gov and Healthcare.gov – pass personal health information to companies that are not subject to regulation or oversight.
- Libert, Tim. “Privacy Implications of Health Information Seeking on the Web.” Communications of the ACM 58, no. 3 (February 23, 2015): 68–77. [free copy at arxiv] [subscriber only copy at ACM doi:10.1145/2658983].
Brian Merchant provides a non-technical summary and analysis of Libert’s paper:
- Looking Up Symptoms Online? These Companies Are Tracking You, by Brian Merchant, Motherboard (February 23, 2015)
Libert says that this health information may be inadvertently misused by some companies, sold by others, or even stolen by criminals. He identified more than eighty thousand unique health-related Web pages and monitored the HTTP requests those pages initiate to third parties, including companies such as Google, Facebook, Twitter, Experian, and Acxiom. Ninety-one percent of those pages make such third-party requests, putting user privacy at risk. Some 70% of those third-party requests transmit information on specific symptoms, treatments, and diseases to those companies.
Merchant explains: “[T]he CDC has installed Google Analytics to measure its traffic stats, and has, for some reason, included AddThis code which allows Facebook and Twitter sharing; … the CDC also sends a third party request to each of those companies. That request… makes explicit to those third party corporations in its HTTP referrer string [what you searched for]… From there, it becomes relatively easy for the companies receiving the requests, many of which are collecting other kinds of data (in cookies, say) about your browsing as well, to identify you and your illness. That URL, or URI, which very clearly contains the disease being searched for, is broadcast to Google, Twitter, and Facebook, along with your computer’s IP address and other identifying information.”
“Given that I found Experian tracking users on thousands of health-related web pages, it is entirely possible the company not only knows which individuals went bankrupt for medical reasons, but when they first went online to learn about their illness as well…”
Merchant also quotes Libert on alternative search engines:
“Even if you use an iPhone, DuckDuckGo, and Hotmail, the second you open your browser there is a huge chance Google gets your data.” That’s because Google is absorbing your information through a variety of hosted services and domain names, from Google Analytics, which measures site traffic, to DoubleClick, an advertising service, and YouTube, its video platform.
Wikipedia was one of the only sites carrying health information that sent no third-party requests to corporations.
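The referrer leak described above can be checked against a capture of the requests a page makes. The following is an added example, not code from Libert's paper or Merchant's article: the hostnames, keyword list and sample requests are constructed, and comparing the last two host labels is a simplifying assumption in place of the Public Suffix List.

```python
from urllib.parse import urlsplit, unquote

# Constructed keyword list; a real audit would use a far larger vocabulary.
HEALTH_TERMS = ("herpes", "cancer", "diabetes")

# Constructed capture: one page load and the requests it triggered.
PAGE = "https://www.health.example/std/herpes/symptoms.html"
SAMPLE_REQUESTS = [
    {"url": "https://www.health.example/css/site.css", "referer": PAGE},
    {"url": "https://analytics.tracker-a.example/collect?dl="
            "https%3A%2F%2Fwww.health.example%2Fstd%2Fherpes%2Fsymptoms.html",
     "referer": PAGE},
    {"url": "https://widgets.share-b.example/button.js", "referer": PAGE},
    # Origin-only Referer, as sent under Referrer-Policy: strict-origin-when-cross-origin.
    {"url": "https://cdn.fonts-c.example/font.woff2",
     "referer": "https://www.health.example/"},
]

def site(url):
    """Approximate the registrable domain as the last two host labels (assumption)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def audit(page_url, requests, terms=HEALTH_TERMS):
    """Return (third_party_site, leaked_terms) for every cross-site request.

    A term counts as leaked when it appears in the Referer header or in the
    request URL itself (trackers often copy the page URL into a parameter).
    """
    first_party = site(page_url)
    findings = []
    for req in requests:
        dest = site(req["url"])
        if dest == first_party:
            continue  # same-site request: no third-party disclosure
        exposed = unquote(req.get("referer", "") + " " + req["url"]).lower()
        findings.append((dest, sorted(t for t in terms if t in exposed)))
    return findings

def summarize(findings):
    """Return (third-party requests, requests exposing a health term)."""
    return len(findings), sum(1 for _, leaked in findings if leaked)

if __name__ == "__main__":
    for dest, leaked in audit(PAGE, SAMPLE_REQUESTS):
        print(dest, "leaks", leaked if leaked else "nothing health-specific")
    print(summarize(audit(PAGE, SAMPLE_REQUESTS)))
```

The last sample request shows the effect of trimming the Referer to the origin: the third party still sees the visit and the IP address, but not the page path naming the condition.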
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.