Health Websites 'illegally' sharing sensitive data with advertisers

via Flickr © Sergio Santos (CC BY 2.0)

via Flickr © Sergio Santos (CC BY 2.0)

  • WebMD, Babycentre, Bupa among those enabling third parties to track visitors without consent
  • Usual suspects Google, Amazon, Facebook, Microsoft all popular destinations for user data
  • Google's Project Nightingale push into medical AI gathers sensitive data on millions of patients

Health Websites have become the latest inductees into our informal Hall of Shame, after several big names were reportedly found to have passed on sensitive user data to online ad giants, including Google, Amazon, Facebook and Microsoft.

The Financial Times reports that 79 of the 100 health Websites it investigated – including popular destinations like WebMD, Babycentre and Bupa – placed cookies on visitors' devices without their consent, enabling third parties to keep tabs on them when they visited other Wesbites. Consent is a legal requirement in the UK.

Malignant

A deeper dive into 10 of those health Websites found that even when consent was granted, the sites' privacy policies were unclear about what data would be shared with third parties and how that data would be used.

This is troubling, because the FT subsequently found, for example, that drug names entered into Drugs.com were shared with Google-owned DoubleClick. It gets worse: symptoms entered into WebMD's symptom checker, plus the resulting diagnoses, and terms including 'drug overdose' were shared with Facebook. In eight cases, unique identifiers that could tally information with a specific individual were shared with third parties.

Under GDPR, it is against the law to share information about someone's health and sexual orientation without first obtaining their explicit consent, and without explaining exactly who it is shared with and what they will use that data for.

None of the Websites checked out by the FT requested this type of explicit consent.

Natural defences

Unsurprisingly, big online advertisers have been quick to defend themselves, although some did a better job than others.

Facebook and Amazon didn't say in the report what they do with the sensitive information they receive. Facebook, which seemingly struggles to grasp the very concept of privacy, said it was conducting an investigation because sharing such sensitive information with it constitutes a violation of its rules. Amazon said it doesn't use information from publisher Websites to segment its advertising audience.

They also laid the blame for sharing user data with the Websites themselves.

The award for best attempt at being beyond reproach goes to Google, which said in the report that it doesn't use medical information to profile users, and has policies that prevent advertisers from using sensitive data to target ads. It also flags health Websites as "sensitive", so user information received from them is not used for personalised ads.

Florence and the machine

It's not like Google holds no interest in people's medical ailments, of course.

As the Wall Street Journal reported earlier this week, Google's Project Nightingale is going straight to the source.

The Internet giant has partnered with US healthcare provider Ascension, enabling it to gather information including but not limited to lab results, diagnoses, hospitalisation records, patient names and dates of birth for millions of people across 21 states, without their knowledge or the knowledge of their doctors.

Google says the data gathering will be used by its AI and machine learning technology to suggest treatments and changes in care for individual patients in a bid to improve outcomes.

According to the WSJ, Project Nightingale falls within the scope of Federal Law; nonetheless, plenty of people will feel uncomfortable with a company like Google having access to the most intimate details of their lives.

It's almost as if Silicon Valley giants hold the general public in contempt, and have little to fear when they get caught doing anything that can be considered ethically questionable.

It's almost as if these companies have perhaps gotten a little too big. If only there was something that could be done about it.

Email Newsletters

Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.