Private online health-related searches aren't so private
A new study has found that about nine out of every 10 health-related online searches reveal potentially sensitive information to third parties, such as data brokers and online advertisers.
The study by Timothy Libert, a PhD candidate at the University of Pennsylvania’s Annenberg School for Communication, was published in the March issue of Communication of the ACM. Libert devised a software tool that analyzes Hypertext Transfer Protocol (HTTP) requests that are initiated to third-party advertisers and brokers and he found that 91 percent of health-related web pages initiate HTTP requests to third parties.
According to Libert’s study, most of these requests go to just a few advertisers. For example, Google collects user information from 78 percent of pages, while Facebook collects 31 percent. Data brokers Experian and Acxiom were also found on thousands of pages.
Why is that a potential privacy and security problem?
Libert pointed out that if a user types a URL into an address bar it will often include the name of a disease, symptom or treatment. For example, users visiting the Centers for Disease Control and Prevention web page for HIV/AIDS will have their user information sent to both Google and AddThis, allowing these companies to see that users visiting the site have an interest in HIV.
It could also put consumers at risk. For instance, companies could potentially discriminate against consumers based on their medical searches. Given that 62 percent of bankruptcies are the result of medical expenses, Libert said, it is likely that many people won’t be offered certain promotions or offers simply because they visited health-related websites.
While the Health Insurance Portability and Accountability Act is designed to protect the confidentiality and security of healthcare information, Libert noted that it wasn’t meant to cover business practices pursued by these third-party advertisers and data brokers.
“Proving privacy harms is always a difficult task. However, this study demonstrates that data on online health information seeking is being collected by entities not subject to regulation oversight," wrote Libert. “This information can be inadvertently misused, sold, or even stolen. Clearly there is a need for discussion with respect to legislation, policies, and oversight to address health privacy in the age of the internet.”
Libert suggested a number of courses of action should be pursued. First, lawmakers can take steps to regulate this activity. Second, nonprofit, educational and government websites can audit their code and remove anything that leaks user information. Finally, programmers that work for advertisers should inspect their algorithms and make sure that any kind of discriminatory behavior is not occurring by accident.