How data brokers sell your health information online

The next time you visit WebMD to look up a mysterious and troubling medical symptom, consider this: You’ve probably just sent information about yourself to data brokers, who will in turn sell it to credit bureaus, advertisers, and other parties. It’s all completely legal because it’s a highly profitable industry. In part, we can thank our obsession with free website add-ons and applications, including those that run in the background, for that—and we can also credit lack of consumer awareness.

Here’s how it works: Any website you visit has embedded applications and tools, installed for a variety of purposes. One of the most common is a hit counter, which looks at the number of hits on any given page and also monitors their referrers—like search terms or other sites. Many sites also run advertisements and maintain applications like social sharing buttons to make it easy for visitors to share information on Facebook, Twitter, and elsewhere. These tools are readily available and they’re free, making them highly appealing to everyone from the New York Times to the CDC.

It’s all completely legal because it’s a highly profitable industry.

But they come at a hidden cost: With each user engagement, they also send back third-party data to their owners. That includes a packet of information about the user, and while a single piece of data might not seem like a big deal, it’s part of a bigger picture. Data brokers can track you as you read about schizophrenia on the Los Angeles Times, jump to Scientific American to learn more about the neurology of mental illness, and then search for a local psychiatrist. The websites that host these third party products don’t have control over where that data goes and how it’s used, and you have no idea that it’s being collected and sent.

There’s a reason companies provide these tools free of charge, and it’s not out of the goodness of their hearts. Data is a highly profitable industry, and such firms can sell their user information at a high price to credit bureaus, marketing firms, insurers, and the like. Some companies, like those that provide hit counting and web analytics tools, exist almost solely for the purpose of collecting precious third party data—their applications are just the tools they use to get invited through the back door.

The potential implications, of course, are huge. If you’re a feminist activist writing online, for example, all that juicy third party data about you can end up with search firms and people-finding companies—a would-be doxer can pay a relatively small fee to access personal information including your street address and that of your parents, other family, and friends. Likewise, if you’re applying for life insurance, a data broker can provide your insurer with information it may consider in its risk mitigation practices to determine whether it wants to offer insurance and how much it wants to charge; if you spend a lot of time looking at fast cars, booking skydiving adventures, and researching terminal cancer, you’re in trouble.

Websites don’t have control over where data goes and how it’s used, and you have no idea that it’s being collected and sent.

Data brokers, according to a detailed ProPublica investigation, “record—and then resell—all kinds of information you post online, including your screen names, website addresses, interests, hometown and professional history, and how many friends or followers you have.”

Anyone running a website loves free online tools; they enrich user experience, and users have come to expect multimedia features that are difficult to build independently. The cost of development can be prohibitive, though, as can implementation and maintenance. In other cases, websites have to make a deal with the third-party devil to access tools like Facebook sharing buttons, and if they don’t implement them, their traffic will take a big hit. Social media is a powerful traffic driver, accounting for nearly a third of all referral traffic, so those social media buttons are the bread and butter of numerous sites.

If it means selling out their users, so be it. Websites quickly become unsustainable without tools like advertising—advertisers, too, collect and monetize personal data—and Web applications. That’s due in part to the nature of the Internet, but also to demands and expectations from users, who may not be aware of the hidden costs behind seeing a nifty slideshow on the front page of a site or being able to quickly share a cool link or pullquote on Twitter.

In a 2014 interview with 60 Minutes, digital privacy expert Ashkan Soltani told CBS’ Steve Kroft: “Almost all of [your data] is for sale, especially any personal information that you might volunteer. The more companies know about us, they say, the more efficient they can make the advertising. You are looking at one of the commercial pillars of the Internet.”

If it means selling out their users, so be it.

It becomes a vicious cycle. Users want cool toys, websites have to provide them to keep people loyal, and that means giving up user data. In the European Union, recent legislation has forced websites to be much more transparent about this. Under the so-called “Cookie Law,” sites are required to demonstrate that readers clearly understand that their use of a site will result in the collection of personal data. That’s why some sites have a banner warning about their use of cookies on their front pages and why they’re required to publish detailed cookie policies, like this one on the Independent.

Maybe you don’t mind if credit bureaus find out that you’re searching for deer-resistant plants or weighing the difference between bamboo and hardwood flooring, though it may result in being inundated in catalogs for bulbs and eco-flooring companies. But you might mind a whole lot more if data like personal health information was winding up in surprising places, where it could be shared with anyone. Nearly three quarters of the Internet uses the Web to look up health information, ranging from nutrition to treatment options for specific conditions. Nearly half is actually “access by proxy”—many people on the Internet really are just asking for a friend.

At Vice, Brian Merchant puts it succinctly: “Millions of people are exposing their personal health profiles to Internet advertisers and data brokers, right at the moment they’re making the most confidential inquiries imaginable.”

Sites like WebMD—one of the most heavily trafficked websites in the world—host advertising, links to social media, and hidden applications like traffic monitoring. A user who clicks through the site and its partners sends a host of data. It’s not just third-party requests that result in the packaging, processing, and sale of data, either. Some websites directly sell information to advertisers and other interested parties, as seen with Facebook and OkCupid.

“You are looking at one of the commercial pillars of the Internet.”

The adage that the user is the product is starkly true in these cases, with the website serving as a data collection platform for companies hungry to access as much information as possible about you. They use individual user data to develop personal profiles, but also to create broad social categories to use in targeted marketing; for example, they create detailed statistics on what 24-year-olds tend to look at online, tracking their interests by region, occupation, and more. That data in turn is incredibly valuable, and brokers know it.

Breaking the cycle of data collection and sales might rely on forcing websites to disclose the fact that third-party data collection occurs the minute a user lands on a given page. But it also requires a shift in consumer demands and Web development tactics—because we should be questioning why we want bright shiny Web tools more than user privacy.

Photo via Jer Thorp/Flickr (CC BY 2.0)

S.E. Smith

S.E. Smith

s.e. smith is a Northern California-based journalist and writer focusing on social justice issues. smith's work has appeared in publications like Esquire, the Guardian, Rolling Stone, In These Times, Bitch Magazine, and Pacific Standard.