sensitive information was included in URI strings.
Based on a random sample of 500 URIs taken from the population of pages analyzed (N = 80,142), 70% contained information related to a specific symptom, treatment, or disease. An example of a URI containing specific symptom information is:
http://www.nhs.uk/conditions/breast-lump/[...]
A URI containing no such information is:
http://www.ncbi.nlm.nih.gov/pubmed/21722252
Given that the former type of URI was by far the most prevalent, it may be seen that third parties are being sent a large volume of sensitive URI strings that may be analyzed for the presence of specific diseases, symptoms, and treatments. This type of leakage is a clear risk for those who wish to keep this information out of the hands of third parties who may use it for unknown ends.
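The sample classification described above, as an added example that is not the paper's own code: it separates URIs whose path names a condition, symptom or treatment (like the NHS example) from URIs that carry only an opaque identifier (like the PubMed example), and reports the fraction of a sample that would reveal a condition if forwarded to a third party. The term list and the URIs other than the two quoted in the text are constructed for illustration.

```python
"""Audit which URIs would reveal a health condition if sent to a third party."""
import re
from urllib.parse import urlparse

# Constructed, illustrative vocabulary of condition/symptom/treatment terms.
# A real audit would draw on a clinical vocabulary rather than this short list.
HEALTH_TERMS = {
    "breast", "lump", "hiv", "aids", "depression", "anxiety", "adhd",
    "pregnancy", "chemotherapy", "diabetes", "cancer", "rash",
}


def path_tokens(uri: str) -> list[str]:
    """Split the path and query of a URI into lowercase word tokens.

    The host is deliberately excluded: the site name alone does not say
    which condition the visitor was reading about.
    """
    parsed = urlparse(uri)
    text = parsed.path + " " + parsed.query
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def reveals_condition(uri: str) -> bool:
    """True when a path/query token names a condition, symptom or treatment.

    Opaque identifiers (e.g. a numeric PubMed id) yield no matching token and
    so are classified as non-revealing, mirroring the two URI types in the text.
    """
    return any(tok in HEALTH_TERMS for tok in path_tokens(uri))


def sensitive_fraction(uris: list[str]) -> float:
    """Fraction of URIs in a sample that reveal condition information."""
    if not uris:
        return 0.0
    return sum(reveals_condition(u) for u in uris) / len(uris)


# Constructed sample; the first two URIs are the ones quoted in the text.
SAMPLE_URIS = [
    "http://www.nhs.uk/conditions/breast-lump/",
    "http://www.ncbi.nlm.nih.gov/pubmed/21722252",
    "https://example.org/health/hiv-testing?ref=home",
    "https://example.org/about/contact",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{'REVEALS' if reveals_condition(u) else 'opaque '} {u}")
    print(f"fraction revealing a condition: {sensitive_fraction(SAMPLE_URIS):.0%}")
```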
Discussion
Defining privacy harms is a perennially difficult proposition. Health information, however, presents two main privacy risks that are interrelated. The first is personal identification, where an individual's name is publicly associated with their medical history. The second is blind discrimination, where an individual's name is not necessarily revealed, but they may be treated differently based on perceived medical conditions.
Personal identification. While most people would probably consider details of their health lives to be of little interest or value to others, such details form the basis of a lucrative industry. In 2013, the U.S. Senate Committee on Commerce, Science and Transportation released a highly critical review of the current state of the so-called data broker industry. Data brokers collect, package, and sell information about specific individuals and households with virtually no oversight. This data includes demographic information (ages, names, and addresses), financial records, social media activity, as well as information on those who may be suffering from "particular ailments, including Attention Deficit Hyperactivity Disorder, anxiety, depression ... among others." [26] One company, Medbase200, was reported as using proprietary models to generate and sell lists with classifications such as rape victims, domestic abuse victims, and HIV/AIDS patients. [6]
It should also be noted that such models are not always accurate. For example, individuals looking for information on the condition of a loved one may be falsely tagged as having the condition themselves. This expands the scope of risk beyond the patient to include family and friends. In other cases, an individual may be searching for health information out of general interest and end up on a data broker's list of sufferers or patients. Common clerical and software errors may also tag individuals with conditions they do not have. The high potential for such errors also highlights the need for privacy protections.
Furthermore, criminals may abuse poorly protected health information. The retailer Target has used data-mining techniques to analyze customers' purchase history in order to predict which women may be pregnant in order to offer them special discounts on infant-related products. [5] Even if shoppers and surfers are comfortable with companies collecting this data, that is no guarantee it is safe from thieves. In 2013, 40 million credit and debit card numbers were stolen from Target. [15] While a stolen credit card may be reissued, if Target's health-related data were leaked online, it could have a devastating impact on millions of people. Merely storing personally identifiable information on health conditions raises the potential for loss, theft, and abuse.
Blind discrimination. Advertisers regularly promise their methods are wholly anonymous and therefore benign, yet identification is not always required for discriminatory behavior to occur. In 2013, Latanya Sweeney investigated the placement of online advertisements that implied a given name was associated with a criminal record. [27] She found the presence of such ads were not the result of particular names being those of criminals, but appeared based on the racial associations of the name, with African-American names more often resulting in an implication of criminal record. In this way, extant societal injustices may be replicated

While security and privacy research has often focused on how user privacy is violated, insufficient attention has been given to who is collecting user information.