The CDC knows what ails you — and now, so do many others

Perhaps it will not come as a big surprise to learn that the highly trafficked, for-profit medical information site WebMD keeps track of your search terms and then makes some of the information available to third-party vendors. It’s kind of like what the term “for profit” means. But how about one of the other top hits for health-related searches, the Centers for Disease Control? That’s a non-profit government agency — they don’t provide information to marketing interests, right?

Wrong.

Tim Libert, a researcher at the University of Pennsylvania, analyzed the top 50 search results for a couple thousand common diseases and discovered 91 percent of the pages that popped up made so-called “third-party requests” to outside organizations. “That means when you search for ‘cold sores,’ for instance, and click the highly ranked ‘Cold Sores Topic Overview WebMD’ link, the website is passing your request for information about the disease along to one or more (and often many, many more) other corporations,” reports Brian Merchant at Motherboard.

But it also means something similar is happening when you look up something on what seem like more secure or, at least, less nakedly capitalist sites like the Mayo Clinic, Planned Parenthood or, yes, the CDC. “This isn’t because [any of those places] is intending to do anything nefarious,” writes Merchant, “it’s just because they’ve installed convenient free software.”

Motherboard explains it like this: “Let’s say you make a search for ‘herpes.’ Plugging that query into a search engine will return a list of results. Chances are, whatever site you choose to click on next will send information not just to the server of the intended site — say, the Centers for Disease Control, which maintains the top search result from Google — but to companies that own the elements installed on the page.”

Elements like Google Analytics and AddThis — which enables sharing on Facebook and Twitter (“beckoning the question,” Merchant asks, “of who socializes disease pages”) — and those companies are in the business of aggregating and selling your data.

At this third-party level, there is genuine intent. A company like Experian has elements on about 5 percent of the top health sites. Once a credit-rating agency, Experian now traffics in personal data ... big time. Google, which pretty much dwarfs all the other top third-party aggregators combined, got so busy using some of this data to target advertising that it ran afoul of Canada’s privacy laws.

No fines were assessed in the Canadian case (Google has been fined millions in the U.S. for placing unauthorized tracking cookies), but, according to Motherboard, Google agreed to implement a more stringent privacy policy.

The problem is, with all that data out there, it is very easy to deflect blame (as Google did in the Canada case). One company might claim to be fastidious with sensitive data, but as information gets inadvertently passed or intentionally sold around the Net, it becomes increasingly easy for marketers, governments and thieves to gather enough dots to damningly connect.

The thieving part is, sort of by definition, against the law, but it’s not as clear cut when it comes to marketing.

It might be illegal in many cases to directly disclose an individual’s specific medical condition, but the laws that apply to medical information do not apply to web searches. Is it illegal for a data marketer to develop proprietary databases around searches common to the sufferers of specific maladies? Likely not.

And is it illegal for a health insurer to then buy a marketing list, presumably to better identify customers, but also maybe use it to structure fee schedules? The Motherboard piece doesn’t make a definitive ruling here, but it appears, given the space between medical privacy and data protection, there are may ways to diagnose a patient ... er, um ... customer.