Too often, digital ads are found to be mistargeting the most vulnerable people online, including victims of abuse and children. Add to that list the clients of several digital medicine and genetic testing companies whose sites used ad tracking tools that could reveal information about people’s health.
In a recent study by researchers at Duke University and the patient privacy-focused group Light Collective, 10 patient advocates who are active in the hereditary cancer community and cancer support groups on Facebook, including three who are administrators of Facebook groups, downloaded and analyzed their data from the platform’s ‘Off Facebook Activity’ feature in September and October. The tool shows what information third parties share with Facebook and its parent company Meta about your activity on other apps and websites. Along with the retail and media sites typically featured in these reports, researchers found that several genetic testing and digital medicine companies shared customer information with the social media giant for ad targeting.
Further analysis of these websites—using tracker identification tools such as the Electronic Frontier Foundation’s Privacy Badger and The Markup’s Blacklight—revealed which ad-tech modules the companies had built into their sites. The researchers then checked the companies’ privacy policies to see if they allowed and disclosed this type of cross-site tracking and the flow of data to Facebook that could result. In three of the five cases, the companies’ policies did not contain clear language about third-party tools that could be used to retarget or re-identify users in the marketing network.
“My reaction was shock at realizing the big missing pieces in these policies,” said Andrea Downing, co-author of the study, an independent security researcher and president of the Light Collective. “And when we talked to some of these companies, it really seemed like they just didn’t fully understand the ad technology they were using. So this must be an awakening.”
Downing and study co-author Eric Perakslis, chief scientific and digital officer at Duke University’s Clinical Research Institute, emphasize that while targeted advertising is a broadly opaque ecosystem, tracking can have specific implications for patient populations. In the process of re-identifying users across multiple sites, for example, a third-party tracking tool can collect information about a user’s health status while building a broader profile of their interests, occupation, device fingerprints, and geographic region. And the interconnectedness of the advertising ecosystem means that this combined picture can potentially draw on information from any kind of web browsing, including activity on sites like Facebook. A classic example is the invasive targeted ads that pregnant people and others are constantly exposed to based on marketers’ assumptions about their health status.
“The question in this experiment was, ‘Can patients believe the terms and conditions they agree to on health-related sites?’ And if they can’t, do the companies know they can’t?” Perakslis says. “And many of the companies we looked at are not HIPAA-covered entities, so this health-related data exists in an almost entirely unregulated space. Research has consistently shown that the flood of such advertising information can disproportionately harm vulnerable populations.”
The majority of users, of course, click through terms of service and privacy policies without actually reading them. But researchers say it’s one more reason to shine a light on how digital ad targeting, lead generation and cross-site tracking can undermine user privacy.