A number of popular health-related websites in the UK are reported to be actively sharing sensitive user data with dozens of third parties, including Google and Facebook, but also various adtech firms and data brokers.
Not good. An important new investigation from the Financial Times reveals symptoms, drug names, and terms like 'abortion' are shared with hundreds of third parties.
The scariest ones in this list aren't just Google, Amazon, Facebook, Oracle, Scorecard, or OpenX, but the ones you've never heard of, who receive even less scrutiny over data privacy and security practices.
Using open-source tools to analyse 100 health websites, which include WebMD, Healthline, Babycentre and Bupa, an FT investigation found that 79 per cent of the sites dropped "cookies" — little bits of code that, when embedded in your browser, allow third-party companies to track individuals around the internet. This was done without the consent that is a legal requirement in the UK.
Google's advertising arm DoubleClick was by far the most common destination for data, showing up on 78 per cent of the sites tested, followed by Amazon, which was present in 48 per cent of cases, Facebook, Microsoft and adtech firm AppNexus.
"These findings are quite remarkable, and very concerning," said Wolfie Christl, a technologist and researcher who has been investigating the adtech industry. "From my perspective, this kind of data is clearly sensitive, has special protections under the [General Data Protection Regulation] and transmitting this data most likely violates the law."
An FT investigation has shown that people's most sensitive health data, including their medical symptoms, diagnoses and period and fertility information, are being traded with dozens of companies around the world, including Google, Amazon and Facebook https://t.co/QlqHq0qCtj
— Financial Times (@FinancialTimes) November 13, 2019
Ugh. Ever checked out your symptoms? Fertility? Asked questions about abortion? The toxic data swamp now has them. And knows exactly who you are. The ramifications of this are huge. Important new data investigation from @ft https://t.co/1VyNxp9Q9f
— Carole Cadwalladr (@carolecadwalla) November 13, 2019
Developers aren't taught about eprivacy law. They should be. Clients don't stipulate privacy compliance in deliverables. They should do. https://t.co/nms8UDjwgl
— Miss IG Geek (@MissIG_Geek) November 13, 2019
Being online is like having someone behind you all the time, writing down every single thing you say and do to sell that to whoever is willing to pay.
Would the unvirtual equivalent be deemed acceptable? https://t.co/8GIY7T6cZJ
— Facts Central (@StillDelvingH) November 13, 2019
No one should have the right to 'own' or sell your data, but here we are, you've given it away for free. Perhaps we should copy the music industry, so every time someone accesses your data you're paid a royalty. https://t.co/R7WiE4uLME
— A Welsh Doc #FBPE (@ukskies) November 13, 2019
When people search "drug overdose" on WebMD, the site secretly shares the data w/Facebook, which can use it to track the searcher around the internet.
— Avi Asher-Schapiro (@AASchapiro) November 13, 2019