Health searches: Be careful who you tell about those cold sores

If you think of the Internet, and specifically search engines, and even more specifically, Google, as one big online confessional because it knows what we’re all thinking by the questions we ask it, then you won’t be a bit surprised by a new report that says those private searches you’ve been doing on personal health concerns aren’t really private at all.

In a blog on Vice’s Motherboard site, author Brian Merchant tells us that we ought to be careful next time we type in something like “symptoms of herpes?” or “where can i get an abortion in my hometown?”

According to the Pew Internet Project, 72 percent of US internet users look up health-related information online. But an astonishing number of the pages we visit to learn about private health concerns—confidentially, we assume—are tracking our queries, sending the sensitive data to third party corporations, even shipping the information directly to the same brokers who monitor our credit scores. It’s happening for profit, for an “improved user experience,” and because developers have flocked to “free” plugins and tools provided by data-vacuuming companies.

Merchant’s blog post lays out the whole story, starting with a Pennsylvania scientist  who started poking around the whole business of health-related web searches.

In April 2014, Tim Libert, a researcher at the University of Pennsylvania, custom-built software called webXray to analyze the top 50 search results for nearly 2,000 common diseases (over 80,000 pages total). He found the results startling: a full 91 percent of the pages made what are known as third-party requests to outside companies. That means when you search for “cold sores,” for instance, and click the highly ranked “Cold Sores Topic Overview WebMD” link, the website is passing your request for information about the disease along to one or more (and often many, many more) other corporations.

According to Libert’s research, which is published in the the Communications of the ACM, about 70 percent of the time, the data transmitted “contained information exposing specific conditions, treatments, and diseases.” That, he says, is “potentially putting user privacy at risk.” And it means you’ll probably want to think twice before looking up medical information on the internet.

“WebMD is basically calling up everybody in town and telling them that’s what you’re looking at”

Let’s walk through it together: You enter, say, “genital herpes”  into the Google search bar, thinking this is a confidential transaction between you and, well, some expert on the other end of the search. And let’s say Google sends you right to the Centers for Disease Control, which after all is a leading expert on all kinds of health matters. So far, so good. But wait: when you click on the CDC link, you are making what  Merchants calls a “first party request.”

That request goes to the CDC’s servers, and it returns the HTML file with the page you’re looking for. In this case, it’s “Genital Herpes – CDC Factsheet,” which is perhaps the page on the internet you’d least want anyone to know you’re looking at. But because the CDC has installed Google Analytics to measure its traffic stats, and has, for some reason, included AddThis code which allows Facebook and Twitter sharing (beckoning the question of who socializes disease pages), the CDC also sends a third party request to each of those companies. That request looks something like this—http://www.cdc.gov/std/herpes/STDFact-Herpes.htm—and makes explicit to those third party corporations in its HTTP referrer string that your search was about herpes.

Thus, Libert has discovered that the vast majority of health sites, from the for-profit WebMD.com to the government-run CDC.gov, are loaded with tracking elements that are sending records of your health inquiries to the likes of web giants like Google, Facebook, and Pinterest, and data brokers like Experian and Acxiom.

Merchant says that “from there, it becomes relatively easy for the companies receiving the requests, many of which are collecting other kinds of data (in cookies, say) about your browsing as well, to identify you and your illness. That URL, or URI, which very clearly contains the disease being searched for, is broadcast to Google, Twitter, and Facebook, along with your computer’s IP address and other identifying information.”

And that’s the end of your “private, personal search effort.”

So what’s wrong with having everybody, especially governments and private corporations know your business?

What can happen when Google starts vacuuming up your health data? An incident that occurred in one Canadian’s inbox offers a clue.

In January of 2014, Canada’s privacy commission ruled that Google had violated the nation’s privacy laws after a user discovered he was being targeted by ads for devices that claimed to treat sleep apnea. He had previously used the search engine to learn about the condition and to search for similar devices, but had never volunteered consent. The Office of Canada’s Privacy Commissioner was able to replicate the experience, and ruled Google had broken the law.

Credit: AFP/Getty Images

 

Tags: , , , ,

 

Share this Post



 
 
 
  • Michele Engel

    Unfortunately, this article may be misleading; some might even call it alarmist. You say, “Merchant says that “from there, it becomes relatively easy for the companies receiving the requests, many of which are collecting other kinds of data (in cookies, say) about your browsing as well, to identify you and your illness. That URL, or URI, which very clearly contains the disease being searched for, is broadcast to Google, Twitter, and Facebook, along with your computer’s IP address and other identifying information.” What, exactly is that “other identifying information”? One’s name, telephone number, email address, mailing address, social security number, credit card information, or other private information? None of the above can be acquired from the cookie on Google Analytics. Actually, the website can only report that SOMEONE from a particular IP address arrived on the site, which browser was used (Firefox, IE, Safari, etc), whether it was via desktop or mobile, the country associated with the IP address (which is not necessarily accurate, by the way), etc. The info being gathered really only collects information about the COMPUTER’s address, not the individual using the computer. You could be using a public computer at a library or school, for example. Or a friend or family member’s computer. Or on your own computer but on behalf of someone else.

    Now, there may be software that can match up enough information from enough different sources tied to your IP address that some sort of accurate identification profile could be culled, but it would not be easy, especially when one computer is being used by more than one individual.

    As for advertising “re-targeting,” which is what happens when you visit a website and then find that their products are being shown to you on other, non-related websites that you visit, the above summary still holds. The advertiser can only find your computer; s/he does not know WHO you are. And you can pretty much count on this practice continuing because companies have found, consistently, that it does work. It increases sales.

    If you are especially sensitive about the issue of privacy on the internet–if the reporting of even the modicum of information described above makes you nervous–then I recommend that you do as little as possible online. It’s not for everyone.

  • Kimball Lavi

    I was tested positive for herpes type 2 around 6 years back, when I was in college and had a stupid onenight stand. I think a lot of women will say this but I swear I never did that sort of thing. I jus made mistake that one time and, suddenly, it seemed like I was going to have to live with the consequences for the rest of my life.

    The awful part was thinking I would never date men again. After all, who wants to go out with a person who has blisters around her you-know-what?

    But after someone showed me this website https://tr.im/HERPESCure2015S8 , everything has changed. Not only was I able to eliminate all traces of the herpes virus from my system in less than three weeks, but I was also able to start dating again. I even met my soulmate and I’m so happy to say that just last week, in fornt of everyone in a crowded restaurant, he got down on one knee and proposed to me! This program offered me the chance to be happy again, and to experience true love.

 
 
css.php