Communications of the ACM

overcoming such barriers and will always find creative ways to bypass user intent. Thus, on one hand we have users who are poorly equipped to defend themselves with available technical measures, and on the other, highly motivated and well-funded corporations with cutting-edge technologies.

In order to effectively tackle the issue of tracking on health-related pages, attention toward the underlying social dynamics is needed. Government and corporate policies formalize these dynamics. By addressing policy issues directly, rather than combating obscure tracking techniques, we may produce durable solutions that outlast today’s technology cycle. Unfortunately, extant polices are few in number and weak in effect.

Extant policies and protections. Health information is one of the few types of personal information that has been granted special protections. The Health Insurance Portability and Accountability Act (HIPAA) 31 is a U.S. law that stipulates how medical information may be handled, stored, and accessed. HIPAA is not meant to police business practices in general; rather it is tailored to those providing health-specific services such as doctors, hospitals, and insurance claims processors. Yet, even within this realm, HIPAA provides incomplete protections. Contrary to popular perceptions, HIPAA permits the disclosure of patient information between health providers and insurance claims processors without patient notification or consent. HIPAA generally does not allow patients to restrict the flow of their sensitive data; therefore, extending HIPAA in the online domain does not present an effective approach to privacy protection.

Nevertheless, the U.S. Federal Trade
Commission (FTC) has established a
Health Breach Notification Rule that
requires entities holding personally
identifiable health records to notify us-
ers if such records have been stolen. 32
However, merely providing health in-
formation (rather than storing doctor’s
notes or prescription records) does
not place a business under the juris-
diction of HIPAA or associated rules.
Many businesses that handle health
information are subject to virtually no
oversight and the main source of policy
through advertising mechanisms on-
line. Discrimination against the ill may
also be replicated through the collec-
tion and use of browsing behavior.

Data-mining techniques often rely on an eclectic approach to data analysis. In the same way a stew is the result of many varied ingredients being mixed in the same pot, behavioral advertising is the result of many types of browsing behavior being mixed together in order to detect trends. As with ingredients in a stew, no single piece of data has an overly deterministic impact on the outcome, but each has some impact. Adding a visit to a weather site in the data stew will have an outcome on the offers a user receives, but not in a particularly nefarious way. However, once health information is added to the mix, it becomes inevitable it will have some impact on the outcome. As medical expenses leave many with less to spend on luxuries, these users may be segregated into data silos28 of undesirables who are then excluded from favorable offers and prices. This forms a subtle, but real, form of discrimination against those perceived to be ill.

Risk assessment. Having collected data on how much tracking is taking place, how it occurs, and who is doing it, it is necessary to explicate how this constitutes a risk to users. As noted earlier, there are two main types of harm: identification and blind discrimination. Table 2 shows a breakdown of how data collection by 12 companies (top 10 and data brokers) impacts the two types of risk. The two data brokers most obviously entail a personal identification risk as their entire business model is devoted to selling personal information. It is unlikely they are selling raw Web tracking data directly, but it may be used as part of aggregate measures that are sold.

Despite the fact that Google does not
sell user data, they do possess enough
anonymous data to identify many users
by name. Google offers a number of ser-
vices that collect detailed personal infor-
mation such as a user’s personal email
(Gmail), work email (Apps for Business),
and physical location (Google Maps). For
those who use Google’s social media
offering, Google+, a real name is
forcefully encouraged. By combining
the many types of information held by
Google services, it would be fairly trivial
for the company to match real identities
to anonymous Web browsing data. Like-
wise, Facebook requires the use of real
names for users, and as noted before,
collects data on 31% of pages; there-
fore, Facebook’s collection of browsing
data may also result in personal identi-
fication. In contrast, Twitter allows for
pseudonyms as well as opting-out of
tracking occurring off-site.

The potential for blind discrimination is most pronounced among advertisers. As noted here, online advertisers use complex data models that combine many pieces of unrelated information to draw conclusions about anonymous individuals. Any advertiser collecting and processing health-browsing data will use it in some way unless it is filtered and disposed of.

Policy Implications

The privacy issues raised by this research are of a technical nature and invite technical solutions. These solutions often come in the form of add-on software users may install in their Web browsers. Such browser add-ons have proven effective at blocking certain types of behavioral tracking. 19, 25 However, this type of solution places a burden on users and has not been broadly effective. As measurement research has shown, tracking has only increased over the past decade despite technical efforts to rein it in.

Purely technical solutions are problematic, as they require a relatively high level of knowledge and technical expertise on the part of the user. The user must first understand the complex nature of information flows online in order to seek out technical rem-edies. Next, the user must be proficient enough to install and configure the appropriate browser additions. This may seem trivial for the well educated, but many who use the Internet have little education or training in computing. Despite this, these users deserve to have their health privacy protected.

Furthermore, add-ons are often unavailable on the default browsers of smartphones and tablets, making it difficult for even the highly skilled to protect their privacy. A final reason that browser add-ons provide insufficient remedy is the fact that advertisers devote significant resources to