A new study shows how websites and apps gather people’s sensitive health-related information, sometimes without consent, and channel it to the social media giant to generate business.
Digital health companies are funneling sensitive data that patients have shared with them to Facebook to help target advertisements, according to a new study from research group the Light Collective. In some cases this sharing is running afoul of the companies’ own privacy policies and raising concerns about HIPAA violations.
The peer-reviewed study, published Monday in Patterns, a data science journal, examines the way data from individuals’ health-related activity online is tracked across websites or platforms and then used for advertising purposes on Facebook. The researchers studied the online activities of 10 participants active in the online cancer community who had used digital health tools from five different companies: Color Genomics, Myriad Genetics, Invitae, Health Union and Ciitizen. They found that third-party ad trackers used by those companies followed the patients online and marketed to them based on those activities. Three of the companies went against their own privacy policies in the process.
The authors said that after disclosing their findings to the five companies, only Ciitizen and Invitae responded, saying they were investigating the privacy issues with the tracking tools. None of the five companies had responded to requests for comment from Forbes at the time of publication.
Dale Hogan, a spokesperson for Facebook's parent, Meta, said that these companies should not be sharing personal health information with the social media platform in the first place because that violates Meta's rules. "Advertisers should not send sensitive information about people through our Business Tools as doing so is against our policies," he wrote in an emailed statement. "We educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect."
Andrea Downing, cofounder of the Light Collective, which is focused on privacy issues in the online world, said “data gathering and predictive algorithms that are used for advertising and other purposes are one of the biggest threats to online patient communities.” It puts them at greater risk of discrimination and online scams, the authors wrote, adding that tracking software can make cancer-patient populations in particular more vulnerable to medical misinformation and privacy breaches.
Despite the small scale of the study, it is indicative of larger data-sharing trends across digital health and social media. An investigation published earlier this summer by The Markup, for example, revealed how hospital websites use trackers to gather and share sensitive patient information with Facebook for marketing, in possible violation of the Health Insurance Portability and Accountability Act, or HIPAA.
Lengthy, ambiguous privacy policies for these apps often leave users unclear on how their data will be collected, shared and used. Some platforms also engage in risky data practices without individuals’ consent. The new research, co-authored by Eric Perakslis, chief science and digital officer at the Duke Clinical Research Institute, is intended to raise awareness around both.
“Health privacy is a basic requirement in digital medicine for reducing the abuse of power and supporting patient autonomy,” the authors write.
“While the digital medicine ecosystem relies on social media to recruit and build their businesses” through ads and marketing, they add, “these practices sometimes contradict their own stated privacy policies and promises to users.”
Results
- Step 1: User signs up for digital medicine app or genetic testing and agrees to the company’s (i.e., the vendor’s) terms of service.
- Step 1a: Separately, the user creates an account on Facebook or already has an established account.
- Step 2: The vendor embeds a third-party tracker in its website.
- Step 3: Multiple third-party trackers share Off-Facebook Activity.
- Step 4: Off-Facebook Activity from the vendor updates user “ad interests” algorithms on Facebook.
- Step 5: Facebook’s predictive algorithms begin to promote health-related ads to the user based on health interests.
- Step 6: The vendor targets ads to users with specific health interests and, in some cases, uses quizzes or sign-up forms to enrich their lead data. Lead data are passed from Facebook to the vendor’s customer relationship management (CRM) system.
Example #1: Color Genomics
Example #2: MySupport360 and HereditaryCancerQuiz.com
- Date of birth
- Sex
- Are you of Ashkenazi Jewish ancestry?
Example #3: Invitae
Example #4: Health Union
Example #5: Ciitizen
Legal and policy analysis
1. The business or service must “offer or maintain a personal health record.”
2. The PHR vendor’s terms of service and privacy disclosures must disclose sharing of personally identifiable information with third parties.
3. If unauthorized access to PHR identifiable health information occurs, the PHR vendor must notify users of a breach.
Experimental procedures
Cross-site-tracking tools
1. Download the full archive history of “My Facebook Information.”
2. For each of their archives, we asked participants to specifically review the audit log of your_off-facebook_activity.json.
3. Within this JSON file, we asked participants to provide the list of health apps that appeared in their history.
4. We then took this list to check each vendor’s website for third-party ad trackers. This can be done with any basic tool such as Electronic Frontier Foundation’s Privacy Badger (https://privacybadger.org) or The Markup’s Blacklight tool (https://themarkup.org/blacklight).
5. If third-party ad trackers were found, we checked the privacy policy to see what was disclosed to users and whether that matched what we found.
6. We checked Facebook’s disclosures to users about how PHI is shared and how it is used.
7. As a final step, we checked Facebook’s Ad Library for each vendor’s advertising history and the types of ads posted (Figure 3).
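Steps 2 and 3 of this procedure can be scripted. The following is an added example, not code from the study or from Facebook: it reads the contents of your_off-facebook_activity.json and lists the health vendors that reported activity, with event counts and a date range. The JSON key names and the sample entries are assumptions constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like your_off-facebook_activity.json. The key names
# ("off_facebook_activity_v2", "name", "events", "type", "timestamp") are
# assumptions; adjust them to match your own archive.
SAMPLE = json.dumps({"off_facebook_activity_v2": [
    {"name": "Invitae", "events": [
        {"id": 1, "type": "PAGE_VIEW", "timestamp": 1636934400},
        {"id": 1, "type": "CUSTOM", "timestamp": 1637020800}]},
    {"name": "shoes.example", "events": [
        {"id": 2, "type": "PURCHASE", "timestamp": 1637107200}]},
    {"name": "Ciitizen", "events": [
        {"id": 3, "type": "PAGE_VIEW", "timestamp": 1637193600}]},
]})

# Vendors named in the study; extend with the health apps you use. Substring
# matching is deliberately loose, so review the hits by hand.
HEALTH_VENDORS = ("color", "myriad", "invitae", "health union", "ciitizen")

def load_sources(text):
    """Return the list of reporting apps/sites, whatever the top-level key is."""
    data = json.loads(text)
    lists = [data] if isinstance(data, list) else list(data.values())
    return next((v for v in lists if isinstance(v, list)), [])

def day(ts):
    """Render a Unix timestamp as a UTC date string."""
    return datetime.fromtimestamp(ts, timezone.utc).date().isoformat()

def health_activity(text, vendors=HEALTH_VENDORS):
    """Summarise events reported by sources whose name matches a health vendor."""
    report = []
    for source in load_sources(text):
        name = str(source.get("name", ""))
        if not any(v in name.lower() for v in vendors):
            continue
        events = source.get("events", [])
        stamps = [e["timestamp"] for e in events if "timestamp" in e]
        report.append({
            "source": name,
            "event_types": dict(Counter(e.get("type", "UNKNOWN") for e in events)),
            "first_seen": day(min(stamps)) if stamps else None,
            "last_seen": day(max(stamps)) if stamps else None,
        })
    return sorted(report, key=lambda r: r["source"].lower())

for row in health_activity(SAMPLE):
    print(row)
```

To audit a real export, pass the file's text to `health_activity` in place of `SAMPLE`.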
Coordinated disclosure and timeline
- November 15, 2021: Attempted to locate points of contact for disclosure at each company but realized that direct coordination would not be possible. (Disclosure was not possible for some parties if their websites did not provide a coordinated disclosure policy or a security point of contact. Further, this study only analyzed a small sampling of 5 companies, where impacted health vendors using these practices number in the thousands.)
- November 24, 2021: Disclosure to BioISAC.
- December 1, 2021: Disclosure to Cert.org.
- December 10, 2021: Disclosure to Ciitizen and Invitae.
- December 13, 2021: Disclosure to Color Genomics.
- December 16, 2021: Submitted report to FTC.
- December 17th: Disclosure to Cert.org to request help with multi-party disclosure.
- December 31st: One of 5 vendors (Health Union) updated their privacy policies.
- January 2022: Invitae and Ciitizen responded to disclosure, initiating investigation into third-party tracking tools.
- January 2022: Facebook removes all sensitive health ad targeting endpoints.
- February 6, 2022: Preprint of our study covered in Wired.
- March 8: Disclosure to Myriad Genetics when invited to join case created by Cert.org.
- May 6, 2022: As of this date, third-party middleware for each company in our analysis had either been removed by all companies or privacy policies have been updated by companies in this study.