Health App shares your concerns with advertisers. HIPAA cannot stop it.
From ‘depression’ to ‘HIV’, popular health apps share potential health concerns and user identifiers with dozens of advertising companies, finds
Facebook was found to receive patient information from hospital websites via tracker tools. Google saves health-related Internet searches. Mental health apps leave room in their privacy policies to share data with unlisted third parties. Our research shows that there are few user protections under the Health Insurance Portability and Accountability Act (HIPAA) when it comes to digital data, with popular health apps sharing information with a wide range of advertisers. doing.
Most of the data shared does not directly identify us. For example, apps may share a string of numbers called an “identifier” associated with a phone rather than a name. Not all recipients of this data are associated with the advertising business. Some even provide developers with analytics that show how users navigate through the app. The company also claims that sharing pages you visit, such as pages titled “Depression,” is not the same as revealing sensitive health concerns.
But privacy experts say sending user IDs along with keywords for content they visit exposes consumers to unnecessary risk. Big data collectors such as brokers and advertising companies can use multiple pieces of information and identifiers to piece together someone’s actions and concerns. So “depression” could be another data point that helps companies target and profile us.
To get a sense of the data sharing going on behind the scenes, The Washington Post enlisted the help of several privacy experts and companies, including researchers at DuckDuckGo, who create various online privacy tools. rice field. After their findings were shared with us, we independently verified their claims using a tool called mitmproxy. This allowed us to view the content of the web traffic.
What we learned is that several popular Android health apps, such as Drugs.com Medication Guide, WebMD: Symptom Checker, and Period Calendar provided the information necessary to market to a group of individuals.
For example, the Drugs.com Android app sent data to over 100 external entities, including advertising companies, DuckDuckGo said. Terms within these data transfers included “herpes”, “HIV”, “Adderall” (a drug to treat attention-deficit/hyperactivity disorder), “diabetes”, and “pregnancy”. These keywords were used along with device identifiers that raise questions about privacy and targeting.
Drugs.com says it does not transmit data that it considers “sensitive personal information” and that its ads relate to the content of the page and not the individual viewing the page. . When The Post pointed out that there were cases where Drugs.com appeared to send users’ first and last names (a pseudonym DuckDuckGo used for testing) to an outside company, users entered their names into their “profiles”. said it was not intended to name field and to stop sending the contents of that field.
According to DuckDuckGo, the terms WebMD shared with the advertising company along with the user ID included “addiction” and “depression.” WebMD declined to comment.
Our research found that period calendars shared information, including identifiers, with dozens of external companies, including advertisers. The developer did not respond to a request for comment.
What’s going on with the advertising companies themselves is often a mystery. But ad tech company ID5, which received data from WebMD, said its job is to generate user IDs that help apps make ads “more valuable.”
“Our job is to identify the customer, not to know who the customer is,” said Mathieu Roche, co-founder and CEO of ID5. .
Jean-Christophe Peube, vice president of ad tech company Smart, which acquired two other ad tech companies and rebranded to Equativ, uses data received from Drugs.com to identify consumers as “interesting”. can be categorized into categories.
In a statement shared with The Post, Peube said interest-based ad targeting is better for privacy than using technologies like cookies to target individuals. However, some consumers may not want their health concerns used in advertising at all.
Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group, says advertisers target people with specific health concerns and conditions, even if they know you by number or interest group rather than by name. He says he can’t stop doing it.
How to protect your health information
By agreeing to these apps’ privacy policies, you agree to their privacy practices. But Andrew Crawford, senior adviser to the Center for Democracy and Technology, says few people have the time to read through legal jargon.
“We click right through and accept ‘agreement’ without really pondering the potential trade-offs downstream,” he said.
According to privacy experts, these trade-offs come in several forms, including our information being passed into the hands of data sellers, employers, insurance companies, real estate agents, credit providers, or law enforcement agencies. may take
Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a privacy group, says even small pieces of information can be combined to infer big things about our lives. These tidbits of information are called proxy data, and more than a decade ago, they helped Target identify pregnant customers by looking at users who purchased unscented lotions.
“With enough data, it’s very easy to identify a person,” says Tien. “A lot of the time, companies say, ‘Yes, but no one has all the data.’ We don’t really know how much data a company has. ”
Some lawmakers are trying to curb the sharing of health data. California legislator Rebecca Bauer-Kahan said in February that she introduced a bill that would redefine “medical information” in the state’s medical privacy law to include data collected by mental health apps. Did. Among other things, this prohibits apps from using “a consumer’s inferred or diagnosed mental health or substance use disorder” for purposes other than providing care.
The Center for Democracy and Technology, along with industry group eHealth Initiative, have proposed a voluntary framework for health apps to protect information about their users. We do not limit our definition of “health data” to lists of professional services or protected conditions, but include data that help advertisers learn or infer about an individual’s health concerns. It also requires companies to publicly and conspicuously promise not to associate “de-identified” data with individuals or devices, and to require their contractors to do the same.
So what can you do? There are several ways to limit information health app sharing, such as not linking the app to your Facebook or Google account when you sign in. If you’re using an iPhone, when prompted[アプリに追跡しないように依頼する]Choose. If you’re using Android, reset your Android advertising ID often. Enhance your phone’s privacy settings whether you have an iPhone or an Android.
Answer no if the app asks for additional data sharing permissions. If you have concerns about data you have already provided, please try submitting a data deletion request. Under state privacy laws, businesses aren’t obligated to honor your request unless you live in California, but some companies say they will delete anyone’s data.