How my sexual health searches ended up in the hands of the world's biggest tech companies

Updated

When I searched through the vast amount of data my phone and laptop shared in a week, there was one thing that really weirded me out: how my health information was being unexpectedly sent to multiple companies.

And it wasn't just search engines sharing my health-related web browsing — I even found a Victorian Government website delivering data directly to two of the world's biggest tech companies. And when I asked them about it, they re-wrote large chunks of their privacy policy overnight.

Here's what happened

Earlier this month I did a little research into vasectomies. For, ahem, the obvious reason.

Sorry if this is a little TMI for you, but it provides a clear example of how something you think of as private can be scooped up by advertising companies.

Using my favourite privacy-focused search engine, DuckDuckGo, I did a few searches over the course of about an hour. And I was a little bit surprised to find keywords associated with those searches had found their way to several of the largest tracking services (and a couple of smaller ones too).

It seems that while searching for information on vasectomies, I had, without realising, clicked on a sponsored search result. It's something I try to avoid doing, but it's pretty easy to miss the labelling sometimes.

Bing, Microsoft's search engine and one of DuckDuckGo's advertising partners, recorded that I'd clicked on their ad and shared related keywords with the advertiser.

From there, more trackers — most of them embedded in the advertiser's website — were notified of the keywords.

In the end, from just one search, 14 separate servers run by a variety of companies, including Google, Microsoft and Adobe, received data revealing my interest in information about a vasectomy.

Want to keep up to date?

Sign up to keep track of this project, and to hear about interactives, visualisations and good reads from the ABC News Story Lab team. (No more than one email a week, we promise.) to keep track of this project, and to hear about interactives, visualisations and good reads from the ABC News Story Lab team. (No more than one email a week, we promise.)

Government health website sharing browsing data

As well as looking at the surgical solution, I did some searches on the efficacy of other contraceptive options (the numbers, BTW, are a little alarming). This led me to the Victorian Government-run Better Health website.

When I visited that site, I didn't expect details of my browsing behaviour related to sexual and reproductive health would be shared, without consent or notice, with third-party marketing companies.

But they were. Every page I visited on the Better Health website was shared — along with an identifier intended to uniquely identify my device, so it can be linked to other browsing activity — with a company called AddThis, a subsidiary of Oracle, one of the world's largest technology companies.

From there it was also shared with Facebook, along with an identifier, which is likely capable of identifying me personally — although Facebook says it does not use it in that way.

Until we put questions to the Victorian Department of Health and Human Services, this data sharing was not disclosed by Better Health's privacy statement.

In a response to our questions, a department spokesperson said: "We have updated the privacy notice to clarify the use of data disclosed to all third parties."

Indeed, large sections of the site's privacy policy were updated overnight.

However, there does not appear to have been any change to the functionality of the website itself. Browsing the Better Health site will still result in details about the conditions you look up being shared with AddThis and Facebook.

How often does this happen?

Timothy Libert, a privacy engineering researcher at Carnegie Mellon University, says this kind of tracking is most commonly used for advertising purposes.

"If they think you're interested in vasectomies, maybe they want to … sell you ice packs, for example," he said.

Want to help?

Is there something you'd like to know about the data being shared by your devices? Let me know

Let's chat on Twitter where I will be tweeting about what I find using the #DataLife hashtag

You can email me on datalife@abc.net.au

In a 2015 study, Dr Libert examined the first 50 search results for about 2,000 medical issues. Then he examined the trackers on about 80,000 pages.

While examining government health pages and commercial portals such as WebMD, he found a disturbing trend. The URL — for example, www.example.com/cancer — was a data point trackers often picked up.

"When I looked at the page addresses, I found about 70 per cent of page addresses also included the names of the disease or symptoms or treatment," he said.

This allowed third-party trackers to either inadvertently or purposefully collect people's health interests. Maybe the URL contained the word "herpes" or "hot flushes".

Dr Libert said he was particularly concerned about the security of third-party trackers, and whether they would be able to keep such sensitive data safe.

"I think it will inevitably happen … there will be some kind of large-scale leak of people's medical interests. Maybe their medical history."

Is the data linked back to individuals?

Often these tracking services and the websites they're embedded in claim they're not tracking specific people and the data they collect isn't linked to anyone's actual identity.

Indeed, this is exactly what the Better Health website's privacy policy states.

"This information is not used to identify individual users. Rather, the information helps us better understand and plan for the ongoing improvement of the service," their spokesperson said in response to our enquiries.

However, privacy researchers are concerned about this supposedly anonymous data.

"Such histories, linked with 'anonymous identifiers' can be easily linked back to the individuals to whom they belong," write researchers from Cliqz, a German company which runs Who Tracks Me, a project to track the trackers.

One of the bits of data sent to Facebook along with the pages I'd visited on the Better Health website was an identifier known as 'datr', a practice Facebook has been arguing with European regulators about. Whether they intend to or not, Facebook almost certainly can link my identity to those pages I visited.

Could your health data be used to discriminate against you?

There is also growing concern about the use of health data to discriminate against people when applying for jobs, bank loans or insurance.

In the United States, for example, Dr Libert pointed out medical bills were a leading cause of bankruptcy.

If someone's search history on health websites resembled that of other people who had previously gone bankrupt, it could be used as an excuse to treat them differently.

"You have a shadow form of discrimination," he said.

And it's not just search data. Munmun De Choudhury leads Georgia Tech's Social Dynamics and Wellbeing Lab. Her work looks at what social media data can indicate about a person's wellbeing.

In one study, Dr De Choudhury found someone with depression or at risk of it tended to post at night on Twitter, and use distinctive grammar, among other indicators.

While she is interested in exploring how these insights could be used to support mental health treatment, Dr De Choudhury has concerns about where such data could end up.

"The secondary uses of these inferences is what really concerns me," she said. "What happens downstream — where does that data go? Does that data go to advertisers, does that data go to insurance companies or even to the government?," she said.

If employers use tools that predict a prospective hire's mental state from their social media, for instance, the potential for discrimination is immense."

For those concerned about such tracking, Dr Libert suggested using the TOR browser.

Topics: internet-culture, health

First posted