If you think of the Internet, and specifically search engines, and even more specifically, Google, as one big online confessional because it knows what we’re all thinking by the questions we ask it, then you won’t be a bit surprised by a new report that says those private searches you’ve been doing on personal health concerns aren’t really private at all.
In a blog on Vice’s Motherboard site, author Brian Merchant tells us that we ought to be careful next time we type in something like “symptoms of herpes?” or “where can i get an abortion in my hometown?”
According to the Pew Internet Project, 72 percent of US internet users look up health-related information online. But an astonishing number of the pages we visit to learn about private health concerns—confidentially, we assume—are tracking our queries, sending the sensitive data to third party corporations, even shipping the information directly to the same brokers who monitor our credit scores. It’s happening for profit, for an “improved user experience,” and because developers have flocked to “free” plugins and tools provided by data-vacuuming companies.
Merchant’s blog post lays out the whole story, starting with a Pennsylvania scientist who started poking around the whole business of health-related web searches.
In April 2014, Tim Libert, a researcher at the University of Pennsylvania, custom-built software called webXray to analyze the top 50 search results for nearly 2,000 common diseases (over 80,000 pages total). He found the results startling: a full 91 percent of the pages made what are known as third-party requests to outside companies. That means when you search for “cold sores,” for instance, and click the highly ranked “Cold Sores Topic Overview WebMD” link, the website is passing your request for information about the disease along to one or more (and often many, many more) other corporations.
According to Libert’s research, which is published in the Communications of the ACM, about 70 percent of the time, the data transmitted “contained information exposing specific conditions, treatments, and diseases.” That, he says, is “potentially putting user privacy at risk.” And it means you’ll probably want to think twice before looking up medical information on the internet.
“WebMD is basically calling up everybody in town and telling them that’s what you’re looking at”
Let’s walk through it together: You enter, say, “genital herpes” into the Google search bar, thinking this is a confidential transaction between you and, well, some expert on the other end of the search. And let’s say Google sends you right to the Centers for Disease Control, which after all is a leading expert on all kinds of health matters. So far, so good. But wait: when you click on the CDC link, you are making what Merchant calls a “first party request.”
That request goes to the CDC’s servers, and it returns the HTML file with the page you’re looking for. In this case, it’s “Genital Herpes – CDC Factsheet,” which is perhaps the page on the internet you’d least want anyone to know you’re looking at. But because the CDC has installed Google Analytics to measure its traffic stats, and has, for some reason, included AddThis code which allows Facebook and Twitter sharing (begging the question of who socializes disease pages), the CDC also sends a third party request to each of those companies. That request looks something like this—http://www.cdc.gov/std/herpes/STDFact-Herpes.htm—and makes explicit to those third party corporations in its HTTP referrer string that your search was about herpes.
Thus, Libert has discovered that the vast majority of health sites, from the for-profit WebMD.com to the government-run CDC.gov, are loaded with tracking elements that are sending records of your health inquiries to the likes of web giants like Google, Facebook, and Pinterest, and data brokers like Experian and Acxiom.
Merchant says that “from there, it becomes relatively easy for the companies receiving the requests, many of which are collecting other kinds of data (in cookies, say) about your browsing as well, to identify you and your illness. That URL, or URI, which very clearly contains the disease being searched for, is broadcast to Google, Twitter, and Facebook, along with your computer’s IP address and other identifying information.”
And that’s the end of your “private, personal search effort.”
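The referrer leak described above can be reproduced offline. The following is an added example, not code from webXray or from Merchant's post: it lists the third-party hosts a page references and the `Referer` value each would receive under three `Referrer-Policy` settings. The markup and the `example.*` hosts are constructed, and hosts are compared by exact name rather than by registrable domain.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://www.cdc.gov/std/herpes/STDFact-Herpes.htm"  # URL quoted in the article
# Constructed markup with placeholder hosts; not the CDC's actual page source.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://analytics.example.net/collect.js"></script>
<script src="//share.example.org/widget.js"></script>
</head><body><img src="https://ads.example.com/pixel.gif">
<img src="http://www.cdc.gov/images/logo.png"></body></html>"""

class ResourceCollector(HTMLParser):
    """Collect URLs a browser fetches on its own while rendering the page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls = base_url, []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.urls.append(urljoin(self.base_url, src))

def referer_for(page_url, target_url, policy):
    """Referer value for a subresource request under three Referrer-Policy values."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    full = page._replace(fragment="").geturl()      # fragment is never sent
    origin = f"{page.scheme}://{page.netloc}/"
    downgrade = page.scheme == "https" and target.scheme == "http"
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    if policy == "no-referrer" or downgrade:
        return None
    if policy == "no-referrer-when-downgrade":      # long-time browser default
        return full
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else origin
    raise ValueError(f"policy not modelled: {policy}")

def third_party_leaks(html, page_url, policy):
    """Map each third-party host to the Referer it would receive."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = urlsplit(page_url).hostname
    # Simplification: hosts are compared exactly, not by registrable domain.
    return {urlsplit(u).hostname: referer_for(page_url, u, policy)
            for u in collector.urls if urlsplit(u).hostname != first_party}

if __name__ == "__main__":
    for p in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(p, third_party_leaks(SAMPLE_HTML, PAGE_URL, p))
```

A site operator can select the stricter values with a `Referrer-Policy` response header; current browsers default to `strict-origin-when-cross-origin`, which sends third parties only the origin.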
So what’s wrong with having everybody, especially governments and private corporations, know your business?
What can happen when Google starts vacuuming up your health data? An incident that occurred in one Canadian’s inbox offers a clue.
In January of 2014, Canada’s privacy commission ruled that Google had violated the nation’s privacy laws after a user discovered he was being targeted by ads for devices that claimed to treat sleep apnea. He had previously used the search engine to learn about the condition and to search for similar devices, but had never volunteered consent. The Office of Canada’s Privacy Commissioner was able to replicate the experience, and ruled Google had broken the law.