Googling your medical symptoms or looking for information online may feel like a private experience—after all, there’s no doctor or nurse involved; it’s just you and your computer.
But when you visit a web page, third parties—entities other than you and the site you’re visiting—can often see when you access a page. The third parties might be ones you’re familiar with, such as Facebook, Google, and Twitter, which can track some of your online behavior even when you’re not using them directly—or they might be advertising and analytics companies you’ve never heard of.
Tim Libert, Ph.D., a researcher in the department of computer science at the University of Oxford, compares searching the internet to looking into a two-sided mirror. “Behind the mirror is a whole mysterious world of companies who are watching what you do,” he says. In a 2015 study (PDF), Libert reviewed more than 80,000 web pages containing information about common diseases and found that more than 90 percent delivered users’ data to third parties, such as Adobe, Amazon, Facebook, Pinterest, and more.
A main goal of all this tracking is to target you with advertisements.
In Consumer Reports’ medical privacy survey, 45 percent of respondents said they’d seen ads online that were personalized based on their health information or medical searches—like an ad for cold medicine after they’d searched for “cold symptoms.”
Of those who’d seen such ads, half called the experience “creepy.” Some—17 percent—found it convenient.
But beyond the potential creepiness, there’s more harm that could potentially arise.
One may be simple embarrassment. Suppose you look up a medical problem on a computer you share at home or work, such as a sexually transmitted infection. You might later be served a related ad that one of your fellow users can see—revealing information about yourself that you might have preferred to keep private.
More sinister harms are possible, too. One problem, notes CR’s Brookman: The profiles of data that companies have on you may not be anonymous, or separated from personal identifying information, like your name, address, phone number, and more. Some companies, such as Facebook and Google, ask for that information when you sign up for their service. Other third parties may be able to pick up personal information by tracking your activity on sites that require you to log in.
Tien, of the Electronic Frontier Foundation, says you could end up on a mailing list for a chronic disease you have, or even on a list for lawyers looking for cases tied to specific medical conditions.
The biggest companies, such as Google, say they don’t give away your identifying information when they sell data to other firms, sharing only an anonymized profile. But, Brookman says, there’s no guarantee that an unscrupulous company could not sell the profile they have of you, name and address included, to other buyers. It’s possible, for example, that your data could appear on a background check for employment.
Another possibility, Libert says, is that an ad company that has collected a profile of you based on your internet searching and browsing history may not have adequate data protection in place. That means your profile, including any health information it contains, could be vulnerable to being stolen by a hacker.
Armed with your name, personal information, and details of potential medical conditions, a thief may have enough details about you to steal your medical identity.
That may seem far-fetched, says Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit group based in San Diego, but she explains that the more pieces of information about you a thief has, the more effectively they can pretend to be you.