Of all the things the internet is good for, it's clear that looking up medical information is among the most popular activities. But while WebMD and other health-focused sites may seem like a godsend to those of us frantically trying to figure out if our nausea is just due to the bad takeout we had last night or something more serious, it turns out that many popular health websites have a troubling side effect of their own: they share user activity with third-party advertising firms, data that may make it possible to identify an individual user's health conditions. That's at least the conclusion of a new study of 20 popular health-information websites (full list below). The study, performed by University of Southern California professor Marco D. Huesch using free tools Ghostery and Charles, found that all 20 websites he looked at contained at least one method of tracking users, and that seven of the websites shared the searches that a user entered with other companies.

Health websites advertising survey (Credit: Marco D. Huesch/JAMA)


Huesch told The Verge he was worried that the information these websites collected could be combined with tracking information from other websites, or from a user's social media posts (many of the sites offer social media plug-ins such as Facebook "Likes"), to create profiles about people without their explicit knowledge. "In theory, someone could build up a very powerful document with all of your medical conditions, the drugs you're taking, where you work, who your relatives are, where you live, and other personal information," Huesch said. In a twist, he added that one of his biggest concerns was that certain people could be given better medical ads than others — such as healthier people being shown ads for discounted health insurance, while sick people were left out. Huesch calls this practice "virtual redlining," but states he has no evidence that it is being committed presently.


To be clear, Huesch isn't against the practice of targeted advertising — a common tactic employed by many sites (The Verge included) to allow advertisers to serve up ads based on a user's browsing history. He just thinks that the current situation, where the industry largely polices itself, is not ideal. "There's a balance to be found there, but right now, we're too far in one direction," Huesch told The Verge. "Technology moves too fast for regulators to keep up with." If you've used the web for any length of time in the past five years, you've probably noticed targeted advertising in the form of display ads that seem to follow you around the web — like ads for tents on a news website days after you looked at the product on a camping site. The method often involves tracking a user's browser session as they navigate around the web using cookies, and has been criticized by privacy advocates, but it is increasingly widespread.

Huesch noted that the current regulations in place — namely the US health information privacy rules (or HIPAA) — don't apply to targeted advertising because the technique uses information that isn't considered identifiable in a strictly medical sense, such as IP address or browser history. His study was published today in The Journal of the American Medical Association (JAMA), but it is behind a paywall.