If you have cancer, HIV, diabetes, lupus, depression, heart disease—or you simply look up health-related information online—advertisers are watching you. A new paper on what happens when users search for health information online shows that some of our most sensitive internet searches aren’t as anonymous as we might think.
Marketers care very much about what diseases and conditions people are searching for online. Tim Libert, a doctoral student at the Annenberg School For Communication at the University of Pennsylvania and the author of the paper says that over 90% of the 80,000 health-related pages he looked at on the Internet exposed user information to third parties. These pages included health information from commercial, nonprofit, educational, and government websites. According to Pew, 72 percent of internet users in the US look up health-related information.
Site visit data by third parties isn’t just collected on for-profit sites like WebMD.com; even the Centers for Disease Control warns visitors that third-party content on their own pages includes marketing/analytics products like MotionPoint and Omniture that are used to generate targeted advertising. (Libert’s findings are published in this month’s Communications of the ACM.)
Although personal data is anonymized from these visits, they still lead to targeted advertisements showing up on user’s computers for health issues, as well as giving advertisers leads (which can be deciphered without too much trouble) that a user has certain health issues and what issues those are. And Google, which collects information from 78% of the pages Libert looked at, has disproportionate influence.
“The flip side of having so much power: If Google wants to make a serious and transparent commitment to protecting health data—going beyond the usual statements and demonstrating action—they can really move the entire industry,” Libert told Fast Company. “Also, I was really shocked to find data brokers like Experian involved. Here are the people who know every credit card balance you ever carried, and they also know your health interests? That’s pretty alarming.”
Like so many other things on the Internet, the collection of data about individuals’ medical conditions is motivated by marketing.
To give one example, visits by interested parties to the CDC’s HIV/AIDS page sends browsing information to Google and AddThis, another tracking company, denoting that the user has an apparent interest in HIV and AIDS. Facebook, Pinterest, and Twitter bookmarklets on the CDC’s page alert those three organizations about the visit as well.
A visitor to WebMD’s page on HIV/AIDS, by comparison, sends user information to a staggering 34 different online advertising companies. Visits to enough pages on HIV and AIDS, combined with a user’s web browsing history, can lead to advertisements for HIV and AIDS treatments being directly targeted toward the user—effectively outing their HIV status.
Most of this health care information goes to a handful of ad brokers. Data broker companies plant online trackers of their own or buy data from advertising companies, and keep extensive lists of customers they believe likely have certain health conditions.
In another example, a company named MedBase 200 reportedly used “proprietary models” to generate and sell marketing lists of rape victims, domestic abuse victims, and patients with hundreds of different illnesses.
Apart from the perils of advertisers gathering this data, leaks at brokers, Libert worries, could expose people’s most intimate health information to anyone with money to buy a hacked database. Stolen medical information is routinely trafficked on criminal websites, and are mainly used for Medicaid fraud and other scams. (Note: MedBase200 stopped selling many of these lists after an inquiry by the Wall Street Journal. However, dozens of companies still offer similar products.)
Or, they could lead to people being falsely labeled as disease patients. During his research, Libert spoke with a friend whose father had a specific kind of cancer. The friend spent hours researching experts in the field, reading every article on the topic he could find, and searching for hospitals online. Shortly afterwards, the friend started seeing advertisements related to that kind of cancer on the website of a major American newspaper he read. Shortly after that, the ads began “popping up all over,” indicating that advertisers began targeted him with cancer-related content.
While studies conducted by Annenberg indicate that slightly more than one in every three Americans knows that private third-parties can track their visits to health-related websites, regulation and oversight is lacking, says Libert. Health privacy is protected by the Federal Health Insurance Portability and Accountability Act (HIPPA), but the law is not meant to oversee business practices by third party commercial entities or data brokers. “Clearly there is a need for discussion with respect to legislation, policies, and oversight to address health privacy in the age of the internet,” says Libert.
To avoid the watchful eye of marketers, Libert recommends users make use of two different tools, Ghostery and Adblock Plus, which can at least partly prevent marketers from obtaining patient health information based on Internet browsing habits.