Government Health Web Sites Expose Personal Data
A new article in Communications of the ACM by Timothy Libert, a doctoral student in the Annenberg School for Communication, demonstrates that web sites – including government web sites such as CDC.gov and Healthcare.gov – pass personal health information to companies that are not subject to regulation or oversight.
- Libert, Tim. “Privacy Implications of Health Information Seeking on the Web.” Communications of the ACM 58, no. 3 (February 23, 2015): 68–77. [free copy at arxiv] [subscriber only copy at ACM doi:10.1145/2658983].
Brian Merchant provides a non-technical summary and analysis of Libert’s paper:
- Looking Up Symptoms Online? These Companies Are Tracking You, by Brian Merchant, Motherboard (February 23, 2015)
Libert says that this health information may be inadvertently misused by some companies, sold by others, or even stolen by criminals. He identified more than eighty thousand unique health-related Web pages and monitored the HTTP requests those pages initiate to third parties, including companies such as Google, Facebook, Twitter, Experian, and Acxiom. Ninety-one percent of those pages make such third-party requests, putting user privacy at risk. Some 70% of those third-party requests transmit information on specific symptoms, treatments, and diseases to those companies.
Merchant explains: “[T]he CDC has installed Google Analytics to measure its traffic stats, and has, for some reason, included AddThis code which allows Facebook and Twitter sharing; … the CDC also sends a third party request to each of those companies. That request… makes explicit to those third party corporations in its HTTP referrer string [what you searched for]… From there, it becomes relatively easy for the companies receiving the requests, many of which are collecting other kinds of data (in cookies, say) about your browsing as well, to identify you and your illness. That URL, or URI, which very clearly contains the disease being searched for, is broadcast to Google, Twitter, and Facebook, along with your computer’s IP address and other identifying information.”
Libert makes clear that government web pages are the least likely of all the sites he studied to use third-party cookies, with only 21% of pages storing user data in this way, compared to 82% of dot-com sites. But fully 88% of government sites make some sort of third-party request, and 86% download and execute third-party JavaScript.
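The leak Merchant describes can be checked from a capture of the requests a page sends out. The following is an added example, not code from Libert's paper or Merchant's article: it flags third-party requests that carry the search term in the Referer header or in the request URL itself. The page URL, hosts, search term, and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed capture: requests a browser made while loading one health page.
PAGE_URL = "https://health.example.gov/conditions/search?q=asthma"
CAPTURED = [
    {"url": "https://health.example.gov/static/site.css", "referer": PAGE_URL},
    {"url": "https://analytics.example.com/collect?dl=https%3A%2F%2Fhealth.example.gov"
            "%2Fconditions%2Fsearch%3Fq%3Dasthma", "referer": PAGE_URL},
    {"url": "https://share.example.net/widget.js", "referer": PAGE_URL},
    # Referer trimmed to the origin: the third party sees the visit, not the term.
    {"url": "https://cdn.example.org/lib.js", "referer": "https://health.example.gov/"},
]

def site(host):
    """Last two DNS labels. Assumption for this sample; a real audit
    should use the Public Suffix List to find the registrable domain."""
    return ".".join((host or "").lower().split(".")[-2:])

def audit(page_url, requests):
    """Return (third-party host, channels that expose the page's query values)."""
    page = urlsplit(page_url)
    terms = [v.lower() for _, v in parse_qsl(page.query) if v]
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if site(host) == site(page.hostname):
            continue  # first-party request
        referer = unquote(req.get("referer", "")).lower()
        url = unquote(req["url"]).lower()
        channels = []
        if any(t in referer for t in terms):
            channels.append("referer")
        if any(t in url for t in terms):
            channels.append("url")
        findings.append((host, channels))
    return findings

def leaking_hosts(findings):
    """Third-party hosts that received the query value through any channel."""
    return [host for host, channels in findings if channels]

if __name__ == "__main__":
    for host, channels in audit(PAGE_URL, CAPTURED):
        print(f"{host:28} leaks via: {', '.join(channels) or 'nothing found'}")
```

The same function can be fed the request list exported from a browser's network panel for a site owner's own pages.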
Merchant notes that the use of third-party cookies, JavaScript, and requests is not necessarily due to any insidious intent but is simply convenient “because developers are installing ‘free’ tools like Google Analytics and social media ‘share’ buttons on their sites, and most users have no idea that means information about their searches is being shared with third parties.” This potentially allows data brokers like Experian, which has information from other sources about loans and which provides credit scores, to combine health information with financial information on individuals. Merchant quotes Libert:
“Given that I found Experian tracking users on thousands of health-related web pages, it is entirely possible the company not only knows which individuals went bankrupt for medical reasons, but when they first went online to learn about their illness as well…”
Merchant also quotes Libert on alternative search engines:
“Even if you use an iPhone, DuckDuckGo, and Hotmail, the second you open your browser there is a huge chance Google gets your data.” That’s because Google is absorbing your information through a variety of hosted services and domain names, from Google Analytics, which measures site traffic, to DoubleClick, an advertising service, and YouTube, its video platform.
Wikipedia was one of the only sites that trafficked in health information that sent no third party requests to corporations.