My “beat” here at FDL over the past few months has mostly concerned surveillance and tracking in its many forms. I am by no means an expert, but I am fairly well informed on the subject…but the extent of health information tracking surprised even jaded, “we have no privacy” me.
Many of us hit the internet looking for more information on a symptom, a disease, or a prescribed medicine. And lots of companies collect information on us when we research medical information online. Some of the websites that use these collection tools are not using them deliberately for nefarious purposes, and may not even be aware that the tools are collecting and sharing our health information.
An article at Motherboard describes what’s happening when we go online to research medical matters.
[A]n astonishing number of the pages we visit to learn about private health concerns—confidentially, we assume—are tracking our queries, sending the sensitive data to third party corporations, even shipping the information directly to the same brokers who monitor our credit scores. It’s happening for profit, for an “improved user experience,” and because developers have flocked to “free” plugins and tools provided by data-vacuuming companies.
Using his custom webXray tool to analyze the top 50 search results for nearly 2,000 common diseases, Tim Libert, from the University of Pennsylvania, discovered that 91% of the pages made third-party requests to outside companies. For example, when I Googled “cataract surgery” recently, and clicked the highly ranked WebMD link to “Cataract Surgery Procedure: Safety, Recovery, Effects,” the website passed my request for information to one or (many) more other companies. Did I want everyone to know I needed cataract surgery? Probably no big deal. What if I’d researched “herpes” or “alcoholism”?
The majority of health information websites, from WebMD.com (a for-profit company!) to the government-run CDC.gov, are loaded with tracking components that send records of our health inquiries to companies such as Google or Facebook, and also to data brokers like Experian and Acxiom. I thought Experian just kept my credit info…silly me!
It is relatively simple for companies receiving the requests (which also collect other kinds of data, such as cookies) to use our browsing to identify us — and our illnesses. The page URL, which very clearly contains the disease we searched for, is then broadcast to Google, Twitter, and Facebook, along with other identifying information such as our computer’s IP address. This data gathering is common not only on commercial sites that want profits, but also on the sites of organizations we would normally trust, such as government entities, non-profits, even universities.
When you’re looking up a disease, Libert says, “WebMD is basically calling up everybody in town and telling them that’s what you’re looking at.” WebMD is the 106th most-visited website in the US, according to Alexa, and ranks highly in search results for most commonly searched diseases. WebMD sends third party requests to 34 separate domains, including data brokers Experian and Acxiom.
According to the Motherboard article,
The same is true for other sites we may use for health info, like About.com (which ships your requests to comScore, Experian, Google, and Microsoft, among others), and Health.com (which sends your data to over a dozen different third party corporations). If you’re visiting a for-profit health website, you can essentially guarantee you’re being tracked, and that your requests are ending up in the hands of not just firms that earn revenue from advertising (which is why Facebook and Google collect this kind of data) but from selling data explicitly (as Experian and Acxiom do).
Even trusted, nonprofit public websites are tracking us. For example, the Mayo Clinic and Planned Parenthood websites send our data to third parties, because they’ve installed convenient free software.
EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.
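The referrer leak described above can be modeled in a few lines. The Python below is an added illustration, not code from the Motherboard article, EFF, or webXray: it computes which Referer value each third-party host would receive from a health page under several Referrer-Policy settings a site operator can choose. The page URL and hostnames are constructed, and the two-label "third party" test is a simplifying assumption.

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port]/ of a URL, the form browsers send as an origin-only Referer."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def site(url):
    """Naive registrable domain: last two host labels (a real audit needs the Public Suffix List)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def referer_sent(page_url, request_url, policy):
    """Referer value a browser sends for request_url loaded from page_url, or None."""
    p = urlsplit(page_url)
    full = f"{p.scheme}://{p.netloc}{p.path or '/'}" + (f"?{p.query}" if p.query else "")
    downgrade = p.scheme == "https" and urlsplit(request_url).scheme != "https"
    same_origin = origin(page_url) == origin(request_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":  # the older browser default
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin(page_url)
    raise ValueError(f"unsupported policy: {policy}")

def audit(page_url, requests, policy):
    """Map each third-party host to the Referer it would receive under the policy."""
    leaks = {}
    for req in requests:
        if site(req) != site(page_url):
            leaks[urlsplit(req).hostname] = referer_sent(page_url, req, policy)
    return leaks

# Constructed sample: a health page and the subresources it loads.
PAGE = "https://health.example/conditions/herpes?src=search"
REQUESTS = [
    "https://health.example/static/site.css",
    "https://analytics.example.net/collect.js",
    "https://social.example.org/like-button.js",
]

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, audit(PAGE, REQUESTS, policy))
```

Under the older default every third-party host sees the full URL, condition name included; `strict-origin-when-cross-origin` reduces that to the site's origin, and `no-referrer` sends nothing.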
Why are these sites circulating our confidential, potentially embarrassing, and possibly damaging health information to corporations? With nonprofit sites like the CDC and the Mayo Clinic, it’s likely that web developers are installing “free” tools like Google Analytics and Facebook “share” or “like” buttons on their sites without thinking about the privacy implications, or why exactly the tools are free. Companies provide these tools to make money from user data.
Google is the biggest offender, because it owns the most tracking elements. Google sucks up our information through hosted services and domain names, from Google Analytics, which measures website traffic, to DoubleClick, its advertising subsidiary, to YouTube, its video platform.
We can try to protect ourselves from such tracking, by installing ad blockers like Privacy Badger. Or we could stop visiting for-profit health websites altogether — if we know which ones those are. For the record, Wikipedia is one of the only sites that provides health information and sends no third party requests to corporations.
Millions of us are exposing our personal health profiles to internet advertisers and data brokers, just when we’re making the most confidential inquiries we don’t want to share.