USC Price School of Public Policy

Health:

Popular health sites passing on search information to third parties

July 30, 2013

By Matthew Kredell

What’s the first thing anyone does in this day and age when feeling an ache, noticing a skin irritation or any other ailment? Usually, it’s a quick search on the Internet to peruse medical websites for a preliminary self-diagnosis. Doctor’s appointments take time to set up, but the worldwide web is right at our fingertips.

These searches on often sensitive health issues might not be as anonymous as people think, according to Marco Huesch, assistant professor at the USC Price School of Public Policy and faculty member at the Leonard D. Schaeffer Center for Health Policy and Economics.

marco.huesch

Huesch sampled 20 popular health-related websites for a research letter published in JAMA Internal Medicine this month. Using freely available privacy tools to detect third parties and commercial interception software to record hidden traffic from his computer to the websites of third parties, Huesch searched each site for content related to depression, herpes and cancer.

Huesch found that all 20 sites had at least one third-party element, with the average being six or seven. Thirteen of the 20 websites had one or more tracking element. Five of the 13 sites that had tracker elements had also enabled social media button tracking. No tracking elements were found on physician-oriented sites closely tied to professional groups.

More alarmingly, he found using the interception tool that searches were leaked to third-party tracking entities by seven websites. These sites include www.nhs.uk, www.drugs.com, www.menshealth.com, www.health.com, www.foxnews.com/health and www.nytimes.com/health. In contrast, search terms were not leaked to third-party tracking sites when done on U.S. government sites or four of the five physician-oriented sites.

“Failure to address these concerns may diminish trust in health-related websites and reduce the willingness of some people to access health-related information online,” Huesch wrote in the letter.

Huesch, who has a background as a physician, said he decided to undertake this study during the winter break last December and January in the interest of transparency in the health field.

“I’m not practicing any longer, but as a physician you want to help people, you want to be an advocate for your patients and for them to know the truth of what’s going on,” Huesch said. “That’s what I try to bring into my research.”

Huesch could not determine whether leaked information was misused by third parties, but he found the leakage of search terms to tracking entities to be worrisome.

Some people may not think it’s a big deal that their health searches are being tracked. The tracking entities don’t have their name, social security number or date of birth — the traditional factors of anonymity. They are tracking computers, and through the fingerprinting of browsers they can tell that this is the same computer that previously visited the site and compile a list of search terms used over time.

Tracking companies likely aren’t using this information with nefarious intent. Data accumulation is for marketing purposes, and is a normal and important part of online commerce. It’s how they shape advertisements to fit an individual’s interests, and many websites would fail without the income generated from these online display ads.
Marco Huesch, assistant professor at the USC Price School of Public Policy

“The reason these findings feel a little creepy to me and other people is that it’s like someone at CVS standing right behind you trying to listen to the prescription you got at the pharmacy,” Huesch said. “Or someone at the doctor trying to listen to some confidential health issue. That’s the analogy in my mind.”

It’s likely that tracking companies aren’t doing anything with this information. The data hits their server, but they aren’t interested in people who search for herpes so the data gets discarded. However, it is not inconceivable that this information could be used in a harmful manner. Huesch is wary of a future where the buying and selling of data involves employers rejecting job applicants based on searches related to depression or a dating service screening members for searches on sexually transmitted diseases.

The study generated worldwide attention. In the several weeks following its publication, the research was mentioned in more than 230 media outlets — including The Wall Street Journal, Reuters, Politico and a New York Times blog posting — and Huesch participated in four radio interviews, including one with NPR.

“The methodology employed by Dr. Huesch in analyzing health-related websites is both elegantly simple and revealing,” said Beth Givens, director of the San Diego-based nonprofit Privacy Rights Clearinghouse. “His research clearly shows the risks individuals face when using some of the more popular medical websites.”

Huesch suggested that patients and physicians who are concerned about the privacy of their health-related searches either use websites from governments and professional societies or download free privacy tools, such as DoNotTrackMe and Ghostery, two he used in the study.

He would like to see his research influence public policy, where he thinks a baseline set of laws on online privacy are needed.

“Hippocratic law is still very much in the 20th century,” Huesch said. “It does a great job protecting information you tell your physician, but it doesn’t fit for the 21st century where a marketer can compile a list of very sensitive information about me and it’s fine as long as it’s not linked to a name, only a computer. It’s a total loophole in 21st-century law.”

The JAMA article already is making an impact in Illinois, where Attorney General Lisa Madigan has opened an investigation into the data-mining practices of websites named in the study. Huesch plans to support policymakers with advice and information on this issue in the future with the hope of creating change.