Sometimes, the Web Site Is Watching You Right Back
As consumers become better informed about their own health, they’re turning increasingly to the Internet as a trusted source of information.
But while many popular health Web sites promise confidentiality as they offer diagnoses, sell products or conduct detailed health surveys, a check of 21 leading sites found that some third parties, such as online marketers, are casting an invisible eye on visitors’ cyberspace travels. Visitors to these sites unknowingly help the companies compile personal profiles.
Janlori Goldman, director of the Health Privacy Project at Georgetown University in Washington, D.C., warns that without better privacy protections, employers, health insurers and others could one day obtain very personal information without your consent.
The California HealthCare Foundation, an Oakland-based health-care philanthropy, last week released “Privacy: Report on the Privacy Policies and Practices of Health Web Sites,” written by Goldman and Richard M. Smith, an Internet security consultant in Brookline, Mass. Goldman discussed concerns about privacy policies in an interview.
Question: We know personal health information is sensitive. What did you learn in your research about Internet privacy policies?
Answer: While many health Web sites have privacy policies, those policies don’t match up with the sites’ actual practices. In many cases, sites do not tell users how their information is collected, by whom and how it may be used.
***
Q: Your report refers to the peril of third-party companies tracking users’ Internet activities for marketing purposes. Can you explain that?
A: Right now, the Web allows for many different entities to sit on one site. For instance, the advertisements that appear at the top of many sites, known as banner ads, are placed there by companies that collect information about what users are looking at and what they’re doing on a site without the user ever having to actually click on [the ad]. [The information collected] may not [identify an individual], but it may become identifiable if the user voluntarily gives information. When you register at a site, buy a product or fill out a health survey, you’re voluntarily giving information. The people who run the banner ads can look back at all the aggregate information they have on you [from other sites you’ve visited]. Their goal is to try to combine [all that information]. Users are not being told this is happening.
***
Q: On Thursday, the Internet’s largest advertising company, DoubleClick Inc., responded to criticism from privacy advocates by saying that it doesn’t monitor the movements of health Web site visitors. Are you still concerned?
A: I don’t think it’s enough for the public to be verbally assured by DoubleClick that it is not going to do anything with health information. We need written, enforceable privacy policies at health Web sites that give people assurance that their personal information will not be used or disclosed without their knowledge and permission.
***
Q: The technology seems to be confusing even some of the companies offering online health information and services. How much of the privacy gap is due to a lack of information within the industry?
A: I think that while the technology is complex and the Web is a different place than your traditional offline health care environment, that’s no excuse. If you want to move health-care activities to the Internet, you have to put privacy first. You cannot put people at risk and say, “We did not understand how the technology works.”
***
Q: Do you foresee threats to privacy in employment and health insurance?
A: We have been looking at medical privacy for many years, and we know that employers, insurers, co-workers, neighbors and family members all have gotten access to information they didn’t need to have. We know there are tremendous pressures to make health information available and use it for a variety of purposes. We know it makes people anxious and worried about how they seek health care. [Another recent survey by the California HealthCare Foundation] showed people are very anxious about using the Internet for health information, for buying prescriptions, for every activity you can imagine. Eighty percent said they’d be more willing to engage in online activities if there was a privacy policy that gave them real control over their information.
***
Q: What kind of policy are you asking companies for?
A: First, they should evaluate their existing privacy policy and make sure it’s consistent with their actual practices. Second, they should allow people to be as anonymous as possible at health Web sites. And third, we’re asking the Internet health community to come together and develop some kind of standard, clear, enforceable privacy policy so that people don’t have to wonder, “What does this privacy policy mean and is it different from this other Web site’s?” and “Who does it bind?”
Privacy policies have got to bind everyone that they do business with--the third-party ad network, anyone else that’s doing work on or comes on their site. If the industry comes up with a strong policy . . . and the policy is meaningful, that will go a long way toward fostering trust and confidence.
***
Q: Some companies in your study already are making changes: Onhealth.com (https://www.onhealth.com) says it will inform consumers its health surveys are actually handled by WellMed. What other responses do you anticipate?
A: We just heard from Yahoo that [Web site staffers] need to change [their] privacy policy so that it’s clearer. I think health Web sites are going to start to look at their privacy policies and their practices. It seems that Internet health leaders have been thinking about this because they came together in Washington at the beginning of this week to develop a code of ethics. They’re concerned. . . . Many of them seem committed to addressing it. The question is, will they address it strongly enough?
***
Q: Who in Washington is involved in this issue?
A: Both the Federal Trade Commission and Congress are aware. Members of Congress [including Reps. John Dingell (D-Mich.), Henry Waxman (D-Los Angeles), and Gary Condit (D-Ceres, Calif.)] sent a letter to the commission asking them to open an investigation immediately into the practices of medical Web sites because they’re concerned about potentially “unfair and deceptive practices.” The FTC is looking generally at profiling on the Internet and privacy on the Internet.
*
The Internet privacy study is available at the California HealthCare Foundation Web site at https://www.chcf.org. For more information on medical privacy, visit the Health Privacy Project Web site at https://www.healthprivacy.org.
