overcoming such barriers and will always find creative ways to bypass user
intent. Thus, on one hand we have users who are poorly equipped to defend
themselves with available technical
measures, and on the other, highly motivated and well-funded corporations
with cutting-edge technologies.
In order to effectively tackle the issue of tracking on health-related pages, attention toward the underlying
social dynamics is needed. Government and corporate policies formalize
these dynamics. By addressing policy
issues directly, rather than combating obscure tracking techniques, we
may produce durable solutions that
outlast today’s technology cycle. Unfortunately, extant policies are few in
number and weak in effect.
Extant policies and protections.
Health information is one of the few
types of personal information that has
been granted special protections. The
Health Insurance Portability and Accountability Act (HIPAA) [31] is a U.S. law
that stipulates how medical information may be handled, stored, and accessed. HIPAA is not meant to police
business practices in general; rather
it is tailored to those providing health-specific services such as doctors, hospitals, and insurance claims processors.
Yet, even within this realm, HIPAA provides incomplete protections. Contrary
to popular perceptions, HIPAA permits
the disclosure of patient information
between health providers and insurance claims processors without patient
notification or consent. HIPAA generally does not allow patients to restrict the
flow of their sensitive data; therefore,
extending HIPAA in the online domain
does not present an effective approach
to privacy protection.
Nevertheless, the U.S. Federal Trade
Commission (FTC) has established a
Health Breach Notification Rule that
requires entities holding personally
identifiable health records to notify users
if such records have been stolen [32].
However, merely providing health information
(rather than storing doctor’s
notes or prescription records) does
not place a business under the jurisdiction
of HIPAA or associated rules.
Many businesses that handle health
information are subject to virtually no
oversight and the main source of policy
through advertising mechanisms online. Discrimination against the ill may
also be replicated through the collection
and use of browsing behavior.
Data-mining techniques often
rely on an eclectic approach to data
analysis. In the same way a stew is the
result of many varied ingredients being mixed in the same pot, behavioral
advertising is the result of many types
of browsing behavior being mixed together in order to detect trends. As
with ingredients in a stew, no single
piece of data has an overly deterministic impact on the outcome, but
each has some impact. Adding a visit
to a weather site in the data stew will
have an effect on the offers a user
receives, but not in a particularly nefarious way. However, once health
information is added to the mix, it
becomes inevitable that it will have some
impact on the outcome. As medical expenses leave many with less to
spend on luxuries, these users may be
segregated into data silos [28] of undesirables who are then excluded from favorable offers and prices. This forms
a subtle, but real, form of discrimination against those perceived to be ill.
Risk assessment. Having collected
data on how much tracking is taking
place, how it occurs, and who is doing
it, it is necessary to explicate how this
constitutes a risk to users. As noted earlier, there are two main types of harm:
identification and blind discrimination. Table 2 shows a breakdown of
how data collection by 12 companies
(top 10 and data brokers) impacts the
two types of risk. The two data brokers
most obviously entail a personal identification risk as their entire business
model is devoted to selling personal information. It is unlikely they are selling
raw Web tracking data directly, but it
may be used as part of aggregate measures that are sold.
Despite the fact that Google does not
sell user data, they do possess enough
anonymous data to identify many users
by name. Google offers a number of services
that collect detailed personal information
such as a user’s personal email
(Gmail), work email (Apps for Business),
and physical location (Google Maps). For
those who use Google’s social media
offering, Google+, a real name is
forcefully encouraged. By combining
the many types of information held by
Google services, it would be fairly trivial
for the company to match real identities
to anonymous Web browsing data. Likewise,
Facebook requires the use of real
names for users, and as noted before,
collects data on 31% of pages; therefore,
Facebook’s collection of browsing
data may also result in personal identification.
In contrast, Twitter allows for
pseudonyms as well as opting out of
tracking occurring off-site.
The potential for blind discrimination is most pronounced among advertisers. As noted here, online advertisers
use complex data models that combine
many pieces of unrelated information
to draw conclusions about anonymous
individuals. Any advertiser collecting
and processing health-browsing data
will use it in some way unless it is filtered and disposed of.
Policy Implications
The privacy issues raised by this research are of a technical nature and
invite technical solutions. These solutions often come in the form of add-on
software users may install in their Web
browsers. Such browser add-ons have
proven effective at blocking certain
types of behavioral tracking [19, 25].
However, this type of solution places a burden on users and has not been broadly
effective. As measurement research
has shown, tracking has only increased
over the past decade despite technical
efforts to rein it in.
Purely technical solutions are problematic, as they require a relatively
high level of knowledge and technical
expertise on the part of the user. The
user must first understand the complex nature of information flows online in order to seek out technical remedies. Next, the user must be proficient
enough to install and configure the appropriate browser additions. This may
seem trivial for the well educated, but
many who use the Internet have little
education or training in computing.
Despite this, these users deserve to
have their health privacy protected.
Furthermore, add-ons are often
unavailable on the default browsers
of smartphones and tablets, making
it difficult for even the highly skilled
to protect their privacy. A final reason
that browser add-ons provide insufficient remedy is the fact that advertisers devote significant resources to