Hypochondriacs beware: That Google search for “STD symptoms” could go into your digital dossier.
A new study has found that health-related web pages often leak information about you and the information you access to third parties, raising concerns about online privacy.
To conduct the study, University of Pennsylvania PhD student Timothy Libert analyzed the top 50 search results for 1,986 common diseases, some 80,000 web pages. He found that on 91% of the pages, third parties like social networks, advertisers, and data brokers could access information about who was viewing the page, like the user’s IP address. On 70% of the pages, those third parties could see information about specific “conditions, treatments and diseases” viewed.
Altogether, 78% of the health-related web pages sent information about you to Google, 31% sent information to Facebook, and 5% sent information to Experian, a credit bureau and data broker.
What’s the big deal? Libert has two major concerns about these practices. The first is that the third parties could match you with your medical search results, a problem he calls “personal identification.” This isn’t a totally imaginary scenario—data brokers routinely collect information about you from your online activity, shopping habits, and public records, then turn around and sell that information to advertisers. That already includes sensitive medical information: One data broker was caught hawking lists of “rape sufferers,” “domestic abuse victims” and “HIV/AIDS patients.”
Second, advertisers could discriminate against you based on your medical searches, regardless of whether your search results are ever connected to you personally. That’s called “blind discrimination.” In other words, advertisers could serve you certain ads and offer you certain promotions based on the websites you read. Again, this practice can be innocuous, but it can also have a dark side. “It’s like any other form of discrimination,” Libert says. “If you’re going to extend a favorable offer to somebody, your best client probably isn’t somebody with terminal cancer.”
The tech-savvy might think their searches are private because they delete cookies or use a private browser, like Google Chrome’s “incognito mode.” Sorry, but no.
That’s because of the way websites work. Libert explains that a web page is like a recipe. The code says, “display an image from this file” or “play this video from YouTube.” To pull in content from another website’s server—like a video from YouTube—your browser makes a “request” to that third-party server, and reveals information about you in the process. For example, the third party can see the address of the web page you’re visiting, which may sound harmless, but can reveal a lot. You might not, for example, want advertisers and data brokers to know that you recently read “www.cdc.gov/hiv”.
“Even if you’re using incognito mode or something, the HTTP requests, at the very basic level, are still being made,” Libert says.
And you usually don’t even know it’s happening. While you can see evidence of some third-party requests, like YouTube videos and Facebook “like” buttons, Libert says most requests are bits of code invisible to the non-programmer’s eye.
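The mechanism described above can be checked on a page you operate. The following is an added example, not code from the study or from this article: it lists the third-party hosts a page loads resources from and the Referer header each one receives, going slightly beyond the article by comparing the older browser default referrer policy with the current one. The page, hosts and the two-label "same site" test are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed sample: every host and path below is illustrative, not study data.
PAGE_URL = "https://www.health.example/conditions/hiv#testing"
PAGE_HTML = """
<script src="/static/site.js"></script>
<script src="https://analytics.example.net/collect.js"></script>
<img src="https://cdn.health.example/logo.png">
<img src="https://ads.example.org/pixel.gif" width="1" height="1">
<iframe src="https://video.example.com/embed/abc"></iframe>
<a href="https://other.example.com/">plain link: not fetched on page load</a>
"""

class SrcCollector(HTMLParser):
    # Collects src URLs of elements a browser fetches while rendering.
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.urls.append(src)

def site(host):
    # Assumption: "same site" = last two DNS labels; real audits use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def referer_for(page_url, target_url, policy):
    """Referer header a cross-origin request carries under a given Referrer-Policy."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    # Header is omitted when disabled, or on an HTTPS-to-HTTP downgrade (both policies below).
    if policy == "no-referrer" or (page.scheme == "https" and target.scheme == "http"):
        return None
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return f"{page.scheme}://{page.netloc}/"
    if policy == "no-referrer-when-downgrade":  # older default: full URL minus fragment
        return page._replace(fragment="").geturl()
    raise ValueError(f"policy not modelled: {policy}")

def third_party_requests(page_url, html, policy):
    """Map each third-party host the page loads from to the Referer it receives."""
    collector = SrcCollector()
    collector.feed(html)
    own_site = site(urlsplit(page_url).hostname)
    seen = {}
    for raw in collector.urls:
        target = urljoin(page_url, raw)
        host = urlsplit(target).hostname
        if host and site(host) != own_site:
            seen[host] = referer_for(page_url, target, policy)
    return seen
```

Whatever the Referer value, each listed host still receives the request itself and therefore the visitor's IP address.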
Legally, this is all aboveboard. The HIPAA law protecting medical privacy only applies to medical services like insurance claims, not other businesses.
“They don’t catch everything, but they catch a lot,” Libert says.