Tuesday, July 9, 2013

Health Data Searcher Beware!

Patients who search on free health-related websites for information related to a medical condition may have the health information they provide leaked to third party tracking entities through code on those websites, according to a research letter by Marco D. Huesch, M.B.B.S., Ph.D., of the University of Southern California, Los Angeles. The research letter was recently published in JAMA Internal Medicine entitled "Privacy Threats When Seeking Online Health Information" and looked at how 20 health-related websites track visitors, ranging from the sites of the National Institutes of Health to the health news section of The New York Times online. Thirteen of the sites had at least one potentially worrisome tracker, according to the analysis performed by Dr. Huesch.

He also found evidence that health search terms he tried — herpes, cancer and depression — were shared by seven sites with outside companies. According to the paper:
"A patient who searches on a “free” health-related website for information related to “herpes” should be able to assume that the inquiry is anonymous. If not anonymous, the information knowingly or unknowingly disclosed by the patient should not be divulged to others.
Unfortunately, neither assumption may be true. Anonymity is threatened by the visible Internet address of the patient’s computer or the often unique configuration of the patient’s web browser. Confidentiality is threatened by the leakage of information to third parties through code on websites (eg, iframes, conversion pixels, social media plug-ins) or implanted on patients’ computers (eg, cookies, beacons)."
Dr. Huesch says that he was inspired to investigate this area by the archive of coverage on the topic by The Wall Street Journal on how the technology and market for your online information work. The most recent piece in this series is on Facebook privacy settings and some of the risks associated with "Graph Search." This entire series is very good and worth the read.

The research paper states:
"My findings suggest that patients and physicians who are concerned about the privacy of information about their health-related searches may prefer to search through government websites or those of professional societies. Alternatively, individuals can use privacy tools that are available free of charge when searching and browsing online. Examples are DoNotTrackMe and Ghostery. Use of these tools created some inconveniences but generally did not affect the functionality of the websites I examined."
The tool Dr. Huesch used for his research Ghostery has been noted to have some problems however. The MIT Technology Review posted an article last month which points out that Ghostery is owned by a company that uses the data it collects from its users to help advertisers target their ads better. It seems that few of those who advocate Ghostery, including Dr. Huesch, as a way to avoid the online ad industry realize that the company behind it, Evidon, is in fact part of that industry. Evidon helps companies that want to improve their use of tracking code by selling them data collected from the 8 million Ghostery users who have enabled the tool's data sharing feature.

The paper states:
"Many third parties use the information they collect only to target advertising (eg, DoubleClick). However, nearly 300 third parties use the information to track consumers, delivering advertising related more directly to the user’s known or inferred interests, demographics, and prior online behavior.
These weaknesses in privacy practices have been detailed in the news media. The Federal Trade Commission has called for consumer privacy legislation. Online privacy guidelines for searches on health topics have been published. 6 But privacy threats are poorly understood because of the technical nature of online data collection and aggregation."
The paper does not suggest any direct damage from the tracking but does note the potential: "The ramifications could span embarrassment, discrimination in the labor market, or the deliberate decision by marketers not to offer or advertise particular goods and services to an individual, based solely on the companies’ privately gathered knowledge."

Tracking of Searches at 20 Health-Related Websites

The paper concludes that "failure to address these concerns may diminish trust in health-related websites and reduce the willingness of some people to access health-related information online. Until strong consumer privacy legislation is enacted, individuals should take care how much trust they place in their anonymity and the confidentiality of their information when online."