Health Sites Let Ads Track Visitors Without Telling Them

Credit to Author: Lily Hay Newman| Date: Sun, 06 Feb 2022 12:00:00 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

All too often, digital ads wind up improperly targeting the most vulnerable people online, including  abuse victims and kids. Add to that list the customers of several digital-medicine and genetic-testing companies, whose sites used ad-tracking tools that could have exposed information about people's health status.

In a recent study from researchers at Duke University and the patient privacy-focused group the Light Collective, 10 patient advocates who are active in the hereditary cancer community and cancer support groups on Facebook—including three who are Facebook group admins—downloaded and analyzed their data from the platform's “Off Facebook Activity” feature in September and October. The tool shows what information third parties are sharing with Facebook, and its parent company Meta, about your activity on other apps and websites. Along with the retail and media sites that typically show up in these reports, the researchers found that several genetic-testing and digital-medicine companies had shared customer information with the social media giant for ad targeting.

Further analysis of those websites—using tracker identification tools like the Electronic Frontier Foundation's Privacy Badger and The Markup's Blacklight—revealed which ad tech modules the companies had embedded on their sites. The researchers then checked the companies' privacy policies to see whether they permitted and disclosed this type of cross-site tracking and the flow of data to Facebook that can result. In three of the five cases, the companies' policies did not have clear language about third-party tools that might be used to retarget or reidentify users across the web for marketing.

“My reaction was shock at realizing the big missing pieces in these policies,” says Andrea Downing, a coauthor of the study, independent security researcher, and president of the Light Collective. “And when we talked to some of these companies it really seemed like they just didn't fully understand the ad tech they were using. So this needs to be an awakening.”

“The more data companies collect and store, the more likely—or rather, inevitable—it is that some of that data will leak in some way.”

Evan Greer, Fight for the Future

Downing and study coauthor Eric Perakslis, chief science and digital officer at Duke University's Clinical Research Institute, emphasize that while targeted advertising is a broadly opaque ecosystem, the tracking can have particular implications for patient populations. In the process of reidentifying users across multiple sites, for example, a third-party tracking tool could gather together information about a user's health status while also building a broader profile of their interests, profession, device fingerprints, and geographic region. And the interconnectedness of the ad ecosystem means that this composite picture can potentially pull in information from all sorts of web browsing, including activity on sites like Facebook. One classic example is the invasive targeted ads pregnant people and others consistently face based on marketer assumptions about their health status.

“The question in this experiment was ‘Can patients believe the terms and conditions they agree to on health-related sites? And if they can’t, do the companies even know that they can’t?’” Perakslis says. “And many of the companies we looked at aren't HIPAA-covered entities, so this health-related data exists in an almost wholly unregulated space. Research has consistently shown that the flow of such information for advertising can disproportionately harm vulnerable populations.”

The vast majority of users, of course, click through terms of service and privacy policies without actually reading them. But the researchers say that this is all the more reason to shed light on how digital ad targeting, lead generation, and cross-site tracking can erode user privacy.

“It’s entirely expected from my perspective that findings like this keep coming up for the category that I call 'health-ish' data that does not cleanly fall under the limited privacy protections that currently exist in US laws,” says Andrea Matwyshyn, a professor and researcher at Penn State Law and a former FTC advisor. “The evolution of terms of use when combined with privacy policies has created a murky picture for users, and when you try to analyze the data flows, you end up in this often endless spiral.”

The United States Federal Trade Commission established a Health Breach Notification Rule in 2009 that applies to health-related organizations not covered by the Health Insurance Portability and Accountability Act but has never taken an enforcement action under it. The agency gives examples of situations that could trigger enforcement, though, including one where a digital medicine company shares users’ medical information and mobile identifiers with an ad network without user consent. 

The researchers focused on five consumer health-related companies: Color Genomics, Myriad Genetics, Health Union, Invitae, and Ciitizen. Invitae acquired Ciitizen in September, and the researchers found that the two companies went the farthest in their privacy policies to detail how they might use tracking technologies, including cookies and web beacons, that feed data to third-party services. Downing notes that both Invitae and Ciitizen could have gone into more detail about some of the specifics of their schemes, but overall they were clear that users could be subject to ad tracking on their sites.

Nonetheless, Invitae and Ciitizen are taking additional action as a result of the researchers' findings. “We are now in the process of suspending all of our ads on Facebook and removing trackers related to Facebook from our website in order to give the team time to fully understand, confirm, and eliminate any uses of data that could conflict with Invitae and Ciitizen policies or commitments,” Ciitizen's data stewardship and data-sharing lead, Deven McGraw, told WIRED in a statement.

Lauren Lawhon, Health Union’s president and chief operating officer, told WIRED in a statement that the company did not receive the researchers' disclosure about potential privacy issues until after their paper was published. She says that the company coincidentally conducted a major overhaul of its privacy policies throughout 2021, culminating in significant updates in December. When someone visits Health Union for the first time, they now see a pop-up to accept or reject data collection cookies and other tracking. Lawhon also notes that users can opt in or out of data sharing at any time, and the bottom of every Health Union community page now includes a “DO NOT SELL MY INFORMATION” link to surface these controls. Lawhon added that these changes came alongside "some improvements to how privacy management occurs.”

Myriad Genetics did not detail specific review or changes to its policies as a result of the findings, but it said that “no personal health information” from its quiz products is used to target individuals and that it complies with Facebook's health care advertising policies. Color Genomics says that it hasn't actively used two of the cross-site trackers (Leadfeeder and Nanigans) the researchers detected on its site in almost a year, and that it's continuing to look through the research findings. 

For its part, Meta forbids organizations that use its activity trackers and other advertising and marketing tools from sharing health data with the social network. “We don’t want websites or apps sending us sensitive information about people,” the company writes on a resource page about sensitive health data. The company says it deploys automated tools designed to filter out any such data before it gets applied to serving ads.

Still, Meta's business model hinges on personalized advertising. In November, the company announced a “difficult decision” to remove thousands of sensitive ad-targeting categories related to topics like political beliefs, sexual orientation, religion, and race. The move also included removal of health-related categories like “Lung cancer awareness" and "Chemotherapy."

In its announcement about removing sensitive "Detailed Targeting" categories, Meta articulated the problem Downing and Perakslis examined in their research. 

“The interest targeting options we are removing are not based on people’s physical characteristics or personal attributes, but instead on things like people’s interactions with content on our platform,” Meta explained. “We’ve heard concerns from experts that targeting options like these could be used in ways that lead to negative experiences for people in underrepresented groups.”

Downing and Perakslis consulted with the CERT Coordination Center at Carnegie Mellon University about the process for disclosing their findings. The group works with researchers to catalog software vulnerabilities and coordinate their public disclosure. But Art Manion, a CERT vulnerability analysis technical manager, points out that CERT and other organizations are only really set up to coordinate disclosure of specific software vulnerabilities and typically don't have structures in place to assess pervasive data leakages and notify relevant organizations about structural privacy issues. Instead, privacy researchers are often left to attempt an ad hoc disclosure process and then rely on companies across the digital ad ecosystem to have good intentions and make real changes.  

“Right now there are almost no limits in place for what kinds of data companies can use to target their advertising, so that incentivizes them to collect as much as they possibly can," says Evan Greer, deputy director of the digital rights group Fight for the Future. “But the more data companies collect and store, the more likely—or rather, inevitable—it is that some of that data will leak in some way. Entities like the FTC should wildly scale up enforcement related to surveillance-based advertising.”

And while systemic privacy problems have persisted across the targeted ad industry, Downing and Perakslis emphasize that when it comes to vulnerable communities like patients and community organizers, there's a pressing need for clear policies and controls.

https://www.wired.com/category/security/feed/

Leave a Reply