The “Invisible Web” Undermines Health Information Privacy

“The goal of privacy is not to protect some stable self from erosion but to create boundaries where this self can emerge, mutate, and stabilize. What matters here is the framework— or the procedure— rather than the outcome or the substance. Limits and constraints, in other words, can be productive— even if the entire conceit of ‘the Internet’ suggests otherwise.”

         Evgeny Morozov in “To Save Everything, Click Here: The Folly of Technological Solutionism”

We cherish privacy in health matters because our health has such a profound impact on how we interact with other humans. If you are diagnosed with an illness, it should be your right to decide when and with whom you share this piece of information. Perhaps you want to hold off on telling your loved ones because you are worried about how it might affect them. Maybe you do not want your employer to know about your diagnosis because it could get you fired. And if your bank finds out, they could deny you a mortgage loan. These and many other reasons have resulted in laws and regulations that protect our personal health information. Family members, employers and insurance companies have no access to your health data unless you specifically authorize it. Even healthcare providers from two different medical institutions cannot share your medical information unless they can document your consent.

Health Information Privacy via Shutterstock

The recent study “Privacy Implications of Health Information Seeking on the Web”, conducted by Tim Libert at the Annenberg School for Communication (University of Pennsylvania), shows that we have a far more nonchalant attitude regarding health privacy when it comes to personal health information on the internet. Libert analyzed 80,142 health-related webpages that users might come across while searching online for common diseases. For example, if a user searches Google for information on HIV, the webpage of the Centers for Disease Control and Prevention (CDC) on HIV/AIDS (http://www.cdc.gov/hiv/) is one of the top hits, and users will likely click on it. The information provided by the CDC is solid advice based on scientific results, but Libert was more interested in investigating whether visits to the CDC website were being tracked. He found that by visiting the CDC website, information about the visit is relayed to third-party corporate entities such as Google, Facebook and Twitter. The webpage contains “Share” and “Like” buttons, which is why the URL of the visited page (which contains the word “HIV”) is passed on to these companies – even if the user never clicks on the buttons.
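How does a mere page visit leak to these companies? When your browser renders the CDC page, it has to fetch the embedded button scripts and other resources from Facebook’s and Twitter’s servers, and each of those requests typically carries the address of the page you are reading in its Referer header. Below is a minimal illustrative sketch (in Python, using the third-party requests and BeautifulSoup libraries) of how one can enumerate the third-party hosts a page would contact. It only catches statically embedded resources; a full audit such as Libert’s records the actual traffic of a real browser, which also catches trackers injected by JavaScript.

```python
# Minimal sketch: list the third-party hosts that a health-related page
# embeds, i.e. the servers that will receive an HTTP request (typically
# carrying the page URL in the Referer header) as soon as the page loads.
# Naive on purpose: subdomains of the first party are flagged too, and
# trackers injected by JavaScript are not caught.
from urllib.parse import urlparse

import requests
from bs4 import BeautifulSoup

def third_party_hosts(page_url: str) -> set[str]:
    first_party = urlparse(page_url).hostname
    html = requests.get(page_url, timeout=10).text
    soup = BeautifulSoup(html, "html.parser")

    hosts = set()
    # script/img/iframe "src" and link "href" attributes all trigger requests
    for tag, attr in (("script", "src"), ("img", "src"),
                      ("iframe", "src"), ("link", "href")):
        for element in soup.find_all(tag):
            host = urlparse(element.get(attr, "")).hostname
            if host and host != first_party:
                hosts.add(host)
    return hosts

# The CDC page from the example above
for host in sorted(third_party_hosts("http://www.cdc.gov/hiv/")):
    print(host)
```

Every host on that list receives a request from your browser the moment the page loads – no clicking required.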

Libert found that 91% of health-related pages relay the URL to third parties, often unbeknownst to the user, and in 70% of the cases the URL contains sensitive information such as “HIV” or “cancer”, which is sufficient to tip off these third parties that you have been searching for information on a specific disease. Most users probably do not know that they are being tracked, which is why Libert refers to this form of tracking as the “Invisible Web”: it can only be unveiled by analyzing the hidden HTTP requests between servers. Here are some of the most common (invisible) partners that participate in these third-party exchanges:

Entity        Percent of health-related pages
Google        78
Facebook      31
Twitter       18
Amazon        16
Experian       5
What do the third parties do with your data? We do not really know, because the laws and regulations are rather fuzzy here. We do know that Google, Facebook and Twitter make money primarily through advertising, so they could use your information to customize the ads you see. Just because you visited a page on breast cancer does not mean that the “Invisible Web” knows your name and address, but it does know that you have some interest in breast cancer. It would make financial sense to send breast cancer related ads your way: books about breast cancer, new herbal miracle cures or even ads by pharmaceutical companies. It would be illegal for your physician to pass on your diagnosis or your inquiry about breast cancer to an advertiser without your consent, but on the “Invisible Web” there is continuous chatter going on in the background about your health interests without your knowledge.

Some users won’t mind receiving targeted ads. “If I am interested in web pages related to breast cancer, I could benefit from a few book suggestions by Amazon,” you might say. But we do not know what else the information is being used for. The appearance of the data broker Experian on the third-party request list should serve as a red flag. Experian’s main source of revenue is not advertising but amassing personal data for reports, such as credit reports, which are then sold to clients. If Experian knows that you are checking out breast cancer pages, you should not be surprised if this information ends up in a personal data file about you.

How do we contain this sharing of personal health information? One obvious approach is to demand accountability from the third parties regarding the fate of your browsing history. We need laws that regulate how the information can be used, whether it can be passed on to advertisers or data brokers, and how long it may be stored.

Here is the Privacy Policy Summary for WebMD, a commonly visited health information portal:

   We may use information we collect about you to:

   - Administer your account;
   - Provide you with access to particular tools and services;
   - Respond to your inquiries and send you administrative communications;
   - Obtain your feedback on our sites and our offerings;
   - Statistically analyze user behavior and activity;
   - Provide you and people with similar demographic characteristics and interests with more relevant content and advertisements;
   - Conduct research and measurement activities;
   - Send you personalized emails or secure electronic messages pertaining to your health interests, including news, announcements, reminders and opportunities from WebMD; or
   - Send you relevant offers and informational materials on behalf of our sponsors pertaining to your health interests.

Users are given instructions for how to opt out of the tracking and of receiving information from the (undisclosed) sponsors, but it is unlikely that the majority of users read the privacy policy pages of the various health-related websites. It is even less likely that users will go through the cumbersome process of requesting that all their information be kept private and not passed on to corporate sponsors.

Perhaps one of the most effective solutions would be to make the “Invisible Web” more visible. If health-related pages were required to disclose all third-party requests in real time – for example via pop-ups (“Information about your visit to this page is now being sent to Amazon“) – and to ask for consent in each case, users would be far more aware of the threat that health-related pages pose to personal privacy. Health privacy and potential threats to it are routinely addressed in the real world, and there is no reason why this awareness should not extend to online information.
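As a proof of concept, a privacy-conscious user can approximate such real-time disclosure today with an intercepting proxy. Here is a minimal sketch written as an add-on for the open-source mitmproxy tool; the tracker domains and sensitive keywords are illustrative placeholders, not complete lists:

```python
# Illustrative mitmproxy add-on: flag, in real time, any third-party request
# whose Referer header would disclose a sensitive page visit.
# Run with: mitmdump -s disclose.py
# TRACKER_HOSTS and SENSITIVE_TERMS are placeholders, not complete lists.
from mitmproxy import ctx, http

TRACKER_HOSTS = ("google-analytics.com", "facebook.com",
                 "twitter.com", "amazon-adsystem.com")
SENSITIVE_TERMS = ("hiv", "cancer", "depression")

def request(flow: http.HTTPFlow) -> None:
    referer = flow.request.headers.get("Referer", "").lower()
    host = flow.request.pretty_host
    if (any(host.endswith(t) for t in TRACKER_HOSTS)
            and any(term in referer for term in SENSITIVE_TERMS)):
        ctx.log.info(f"Your visit to {referer} is being sent to {host}")
```

Routing a browser through such a proxy would surface, as it happens, exactly the kind of background chatter that Libert had to uncover through careful traffic analysis.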

Note: An earlier version of this article was first published on the 3Quarksdaily Blog.

Reference:

Libert, T. (2015). Privacy implications of health information seeking on the Web. Communications of the ACM, 58(3), 68-77. doi:10.1145/2658983

How Does Your Facebook News Feed Affect You?

Researchers at Facebook, Inc., the University of California, San Francisco (UCSF) and Cornell University teamed up to study whether manipulating the News Feeds of Facebook users would affect the emotional content of the users’ status updates or postings. They recently published their findings in the PNAS paper “Experimental evidence of massive-scale emotional contagion through social networks” and suggest that they have found evidence of an “emotional contagion”, i.e. the idea that emotions can spread via Facebook.

The size of the study is quite impressive: the researchers analyzed the postings of 689,003 Facebook users (randomly selected based on their user ID) during the week of January 11-18, 2012! This probably makes it the largest study of its kind in which the social media feeds of individual users were manipulated. Other large-scale social media studies have relied on observing correlations but have not used actual interventions on such a massive scale. The users’ postings (over three million of them) were analyzed by software that evaluated the emotional content of each posting. The researchers did not see the actual postings, which is why they felt that their research was covered by Facebook’s Data Use Policy and did not require individual informed consent. This means that the individual Facebook users were probably unaware that their News Feeds had been manipulated and that their postings were being analyzed for emotional content.

The researchers selectively removed items with either “positive” or “negative” emotional content from the News Feeds of individual users. The emotional content of News Feed items was categorized using the LIWC software, which defines words such as “ugly” or “hurt” as negative and “nice” or “sweet” as positive. Each emotional post had a 10%-90% chance (assigned per user, based on the user ID) of being removed from the News Feed. Since the removal of News Feed items could have a non-specific, general effect simply by exposing users to fewer updates, the researchers also studied control groups in which the same number of News Feed items was randomly removed, independent of emotional content.
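To make the design concrete, here is a toy sketch of the filtering procedure as described; the short word lists merely stand in for LIWC’s much larger dictionaries, and the removal probability mimics the 10%-90% per-user rate:

```python
# Toy sketch of the News Feed filtering described above. The word lists
# stand in for LIWC's dictionaries; the per-user removal probability
# mimics the 10%-90% rate that the study assigned based on user ID.
import random

POSITIVE = {"nice", "sweet", "great", "happy"}   # placeholder "positive" words
NEGATIVE = {"ugly", "hurt", "sad", "awful"}      # placeholder "negative" words

def is_emotional(post: str, category: set[str]) -> bool:
    return any(word in category for word in post.lower().split())

def filter_feed(feed: list[str], category: set[str], p_remove: float,
                rng: random.Random) -> list[str]:
    """Drop each post containing a target-category word with probability p_remove."""
    return [post for post in feed
            if not (is_emotional(post, category) and rng.random() < p_remove)]

rng = random.Random(42)  # seeded so the example is reproducible
feed = ["what a nice day", "feeling sad about the news", "lunch was ok"]
# A "positivity-deprived" user whose assigned removal rate is 60%
print(filter_feed(feed, POSITIVE, p_remove=0.6, rng=rng))
```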

Importantly, 22.4% of posts contained “negative” words, whereas 46.8% of posts contained “positive” words, suggesting that there is roughly a 2:1 ratio of “positive” to “negative” posts on Facebook. This bias towards positivity is compatible with prior research which has shown that sharing of “negative” emotions via Facebook is not always welcome. The difference in total number of “positive” and “negative” posts forced the researchers to use two distinct control groups. For example, users for whom 20% of News Feed posts containing “positive” content were removed required a control group in which 20% of 46.8% (i.e., 9.36%) of News Feed items were randomly removed (regardless of the emotional content). On the other hand, users for whom 20% of News Feed items containing “negative” content were removed had to be matched with control groups in which 20% of 22.4% (i.e., 4.48%) of posts were randomly removed. The researchers only manipulated the News Feeds but did not remove any posts from the timeline or “wall” of any Facebook user.
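The matching arithmetic is easy to verify directly; here is a short sketch using the shares reported in the study:

```python
# Worked example of the control-group matching described above: the random
# removal rate is scaled so that controls lose, on average, as many posts
# as the corresponding emotion-targeted group.
POSITIVE_SHARE = 0.468  # fraction of posts containing "positive" words
NEGATIVE_SHARE = 0.224  # fraction of posts containing "negative" words

def matched_control_rate(treatment_rate: float, category_share: float) -> float:
    return treatment_rate * category_share

print(matched_control_rate(0.20, POSITIVE_SHARE))  # about 0.0936 -> 9.36% of all posts
print(matched_control_rate(0.20, NEGATIVE_SHARE))  # about 0.0448 -> 4.48% of all posts
```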

The tweaking of the users’ News Feeds had a statistically significant impact on what the users posted. Removing “positive” items from the News Feed decreased “positive” word usage in the users’ own postings from roughly 5.25% to 5.1%. Similarly, removal of “negative” News Feed items reduced “negative” word usage in the posts of the negativity-deprived users. The overall effects were statistically significant but still minuscule (changes of merely 0.05 to 0.15 percentage points in the various groups). However, one has to bear in mind that the interventions were also rather subtle: some of the positivity- or negativity-deprived subjects had only 10% of their positive News Feed items removed. Perhaps the results would have been more impressive if the researchers had focused on severe deprivation of “positivity” or “negativity” (i.e. removal of 90% or even 100% of “negative”/”positive” items).

The study shows that emotions expressed by others on Facebook can indeed influence our own emotions. However, in light of the small effect size, it is probably premature to call the observed effect a “massive-scale emotional contagion”, as the title of the PNAS paper claims. The study also raises important questions about the ethics of conducting such large-scale analysis of postings without informing individual users and obtaining their individual consent. The fact that the researchers relied on the general Facebook Data Use Policy as sufficient permission to conduct this research (manipulating News Feeds and analyzing emotional content) should serve as a reminder that when we sign up for “free” accounts with Facebook or other social media platforms, we give corporate social media providers access to highly personal data.

Reference:

Kramer, A. D. I., Guillory, J. E., & Hancock, J. T. (2014). Experimental evidence of massive-scale emotional contagion through social networks. Proceedings of the National Academy of Sciences. doi:10.1073/pnas.1320040111

Should Doctors ‘Google’ Their Patients?

Here is an excerpt from my latest post on the 3Quarksdaily blog:

Beware of what you share. Employers now routinely use internet search engines or social network searches to obtain information about job applicants. A survey of 2,184 hiring managers and human resource professionals conducted by the online employment website CareerBuilder.com revealed that 39% use social networking sites to research job candidates. Of the group that used social networks to evaluate job applicants, 43% found content on a social networking site that caused them not to hire a candidate, whereas only 19% found information that caused them to hire a candidate. The top reasons for rejecting a candidate based on information gleaned from social networking sites were provocative or inappropriate photos and information, including information about the applicants’ history of substance abuse. This should not come as a surprise to job applicants in the US. After all, it is not uncommon for employers to invade the privacy of job applicants by conducting extensive background searches, ranging from the applicant’s employment history and credit rating to any history of lawsuits or run-ins with law enforcement agencies. Some employers also require drug testing of job applicants. The internet and social networking websites merely offer employers an additional array of tools to scrutinize their applicants. But how do we feel about digital sleuthing when it comes to a relationship that is very different from the employer-applicant relationship – one characterized by profound trust, intimacy and respect, such as the relationship between healthcare providers and their patients?


The Hastings Center Report is a peer-reviewed academic bioethics journal which discusses the ethics of “Googling a Patient” in its most recent issue. It first describes the specific case of a twenty-six-year-old patient who sees a surgeon and requests a prophylactic mastectomy of both breasts. She says that she does not yet have breast cancer, but that her family is at very high risk: her mother, sister, aunts, and a cousin have all had breast cancer; a teenage cousin had ovarian cancer at the age of nineteen; and her brother was treated for esophageal cancer at the age of fifteen. She also says that she herself suffered from a form of skin cancer (melanoma) at the age of twenty-five and that she wants to have her breasts removed without further workup because she wants to avoid developing breast cancer. She says that her prior mammogram had already shown abnormalities and that another surgeon had told her she needed the mastectomy.

Such prophylactic mastectomies, i.e. the removal of both breasts, are indeed performed if young women are considered to be at very high risk for breast cancer based on their genetic profile and family history. The patient’s family history – her mother, sister and aunts having been diagnosed with breast cancer – is indicative of a very high risk, but other aspects of the history, such as her brother developing esophageal cancer at the age of fifteen, are rather unusual. The surgeon confers with the patient’s primary care physician prior to performing the mastectomy and is puzzled by the fact that the primary care physician cannot confirm many of the claims the patient has made regarding her prior medical history or her family history. The physicians find no evidence of the patient ever having been diagnosed with a melanoma, and they also cannot find documentation of the prior workup. The surgeon then asks a genetic counselor to meet with the patient and help resolve the discrepancies. During the evaluation process, the genetic counselor decides to ‘google’ the patient.

The genetic counselor finds two Facebook pages that are linked to the patient. One page appears to be a personal profile of the patient, stating that in addition to battling stage four melanoma (a very advanced stage of skin cancer with very low survival rates), she has recently been diagnosed with breast cancer. She also provides a link to a website soliciting donations to attend a summit for young cancer patients. The other Facebook page shows multiple pictures of the patient with a bald head, suggesting that she is undergoing chemotherapy, which is obviously not true according to what the genetic counselor and the surgeon have observed. Once this information is forwarded to the surgeon, he decides to cancel the planned surgery. It is not clear why the patient was intent on having the mastectomy and what she would gain from it, but the obtained information from the Facebook pages and the previously noted discrepancies are reason enough for the surgeon to rebuff the patient’s request for the surgery.

If you want to learn more about how ethics experts analyzed the situation and how common it is for psychologists enrolled in doctoral programs to use search engines or social networking sites in order to obtain more information about their patients/clients, please read the complete article at 3Quarksdaily.com.  

Silent Listeners: Privacy and Social Media

The recent study “Silent Listeners: The Evolution of Privacy and Disclosure on Facebook”, conducted by researchers at Carnegie Mellon University, monitored the public disclosure (information visible to all) and private disclosure (information visible only to Facebook friends) of personal data by more than 5,000 Facebook users between 2005 and 2011. The researchers identified two opposing trends. Over time, Facebook users divulged less and less personal information – such as birthdates, favorite books or political views – to the public. On the other hand, the researchers also noticed a trend of revealing more personal information to Facebook friends. Apparently, there was a growing awareness of how public disclosures can compromise privacy, but users were also emboldened to reveal more personal information when they deemed their audience trustworthy. As the researchers correctly point out, these “private disclosures” remain available to Facebook itself, to third-party apps and to advertisers – the “silent listeners”. This is a key point when it comes to privacy settings on social media websites. Users are able to control how much information is displayed to other individuals, and future laws and regulations may protect users by curtailing disclosures to government agencies, but information disclosures to the company that provides the service itself and its corporate clients are often beyond our control.

The poll “Teens, Social Media and Privacy” conducted by the Pew Research Center confirmed this lack of concern about third-party access to personal data in a group of 632 teenagers. Overall, 60% of teenagers said that they were either not at all concerned or not too concerned about third-party access (such as advertisers or third-party apps) to their personal information. Only 9% were very concerned about it. Individual comments made by teenagers in a Pew focus group further underscore this cavalier attitude towards corporate access to personal data:

Male (age 16): “It’s mostly just bands and musicians that I ‘like’ [on Facebook], but also different companies that I ‘like’, whether they’re clothing or mostly skateboarding companies. I can see what they’re up to, whether they’re posting videos or new products… [because] a lot of times you don’t hear about it as fast, because I don’t feel the need to Google every company that I want to keep up with every day. So with the news feed, it’s all right there, and you know exactly.”

Male (age 13): “I usually just hit allow on everything [when I get a new app]. Because I feel like it would get more features. And a lot of people allow it, so it’s not like they’re going to single out my stuff. I don’t really feel worried about it.”

This is an excerpt from a longer essay on privacy published at 3Quarksdaily. Please click here for the complete essay.

Reference:

Stutzman, F., Gross, R., & Acquisti, A. (2012). Silent listeners: The evolution of privacy and disclosure on Facebook. Journal of Privacy and Confidentiality, 4(2).