Searcher Beware: Some Websites May Leak Your Hunt For 'Herpes'
"Ho hum," you'll be saying if you're a technorati type. "Any third-grader knows that the Internet is full of cookies that follow you around like pesky puppies and help ad-buyers target you with pitches for tennis balls and shoes the day after you order a racket. Facebook does it. Google does it. This is our online world."
But if you're less tech-aware, a paper just out in the journal JAMA Internal Medicine may open your eyes a bit to the potential aftermath of your searches on some health Websites. In Privacy Threats When Seeking Online Health Information, Marco D. Huesch of the University of Southern California reports using privacy software to detect whether his forays onto 20 popular health Websites resulted in leaks of the medical information he entered.
A patient who searches on a “free” health-related website for information related to “herpes” should be able to assume that the inquiry is anonymous. If not anonymous, the information knowingly or unknowingly disclosed by the patient should not be divulged to others.
Unfortunately, neither assumption may be true. Anonymity is threatened by the visible Internet address of the patient’s computer or the often unique configuration of the patient’s web browser. Confidentiality is threatened by the leakage of information to third parties through code on websites (eg, iframes, conversion pixels, social media plug-ins) or implanted on patients’ computers (eg, cookies, beacons).
Many third parties use the information they collect only to target advertising (eg, DoubleClick). However, nearly 300 third parties use the information to track consumers, delivering advertising related more directly to the user’s known or inferred interests, demographics, and prior online behavior.
These weaknesses in privacy practices have been detailed in the news media. The Federal Trade Commission has called for consumer privacy legislation. Online privacy guidelines for searches on health topics have been published. But privacy threats are poorly understood because of the technical nature of online data collection and aggregation.
So what did Huesch actually find? From the press release:
Huesch found that all 20 sites had at least one third-party element, with the average being six or seven. Thirteen of the 20 websites had one or more tracking element. No tracking elements were found on physician-oriented sites closely tied to professional groups. Five of the 13 sites that had tracker elements had also enabled social media button tracking. Using the interception tool, searches were leaked to third-party tracking entities by seven websites. Search terms were not leaked to third-party tracking sites when done on U.S. government sites or four of the five physician-oriented sites, according to the study results.
Now, Huesch's paper does not suggest any direct damage from the tracking — but he notes the potential: "The ramifications could span embarrassment, discrimination in the labor market, or the deliberate decision by marketers not to offer or advertise particular goods and services to an individual, based solely on the companies’ privately gathered knowledge."
And wouldn't you agree there's a bit of a yuck factor here? If you had unsafe sex recently (not that you ever would) and search online for what it could mean that now you feel burning during urination, do you really want little gonorrhea cookies following you around afterward?
My findings suggest that patients and physicians who are concerned about the privacy of information about their health-related searches may prefer to search through government websites or those of professional societies. Alternatively, individuals can use privacy tools that are available free of charge when searching and browsing online. Examples are DoNotTrackMe and Ghostery. Use of these tools created some inconveniences but generally did not affect the functionality of the websites I examined.
I asked WBUR software developer and alpha geek Will F. Smith for his tips, and he replied:
Some browsers now block third party cookies by default. Firefox started blocking them recently and Safari for Mac has been doing it for a while
Another great feature in most modern web browsers is "privacy mode" which is something I would encourage everyone to use if they are concerned about the privacy of their session.
Available from the options menu in Safari, Firefox, Chrome and IE, it is referred to by different names (inPrivate, Privacy Mode, Incognito, etc) but the behavior is mostly the same: No cookies (1st or 3rd), files or browser history are saved during the session.
Its not complete privacy: Your company, ISP or any software running on your computer (virus or malware) can continue to track the websites you visit. In addition, Adobe Flash has something they call "local shared objects" which are commonly referred to as "flash cookies" that do not necessarily respect your browser settings (if you have turned off cookies in your browser, don't expect the flash plug-in to stop using its own cookies).
Thank you, Will. Readers, any other tips or thoughts?
This program aired on July 9, 2013. The audio for this program is not available.