A “frightening, problematic and potentially illegal” problem.
Well… that might not be the case according to the findings of a recent study conducted by The Markup, a non-profit newsroom that studies “how powerful institutions are using technology to change our society. “.
The study looked at Newsweek’s top 100 US hospitals. On a third of the websites, the researchers found a Facebook tracker, called Meta Pixel, sending highly personal health data to Facebook each time the user clicked the “book an appointment” button. Since the data is connected to an IP address, the IP address and appointment information is transmitted to Facebook.
So Facebook knows the day and time when I go to the doctor. What’s the big deal?
Well, for starters, it’s not just the day and time for sending trackers like these. In the case of this study, the researchers found that web trackers sent Facebook the following information, depending on how the tracker was structured on the web page:
- Doctor’s name
- Search term used to find doctor’s name
- Health conditions selected from drop-down menus (e.g. pregnancy or Alzheimer’s)
The researchers also found the Meta Pixel Facebook tracker installed in password-protected patient portals. Data collection from private patient portals included:
- Patient Medication Names
- Descriptions of allergic reactions
- Details of upcoming doctor’s appointments.
Additionally, Meta Pixel data packets include the User’s IP address which may be used, in combination with other User Data, to identify the individual or household. The Healthcare Insurance Portability and Accountability Act (HIPAA) lists the IP address as one of several identifiers (along with such things as name and address) which, when linked to information about the state of health of a person, are considered protected health information (PHI).
Web trackers and security: These healthcare providers are likely violating HIPAA (with help from Facebook)
Big data and healthcare experts describe the prevalence of web trackers capturing sensitive patient information as a “frightening, problematic and potentially illegal” security issue. Researchers in this study consulted with health data security experts, former health regulators, and privacy advocates, all of whom believed the hospitals in question likely violated HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information (known as PHI) from disclosure without the consent or knowledge of the patient. In accordance with regulations, PHI can only be shared when the patient has given prior consent or under certain contracts. It appears that neither the hospitals nor Facebook (Meta) had such contracts in place, suggesting that the hospitals were publishing and that Facebook was capturing this information without patient consent.
A spokesperson for Facebook’s parent company, Meta responded to researchers with a brief email saying that Meta’s systems are designed to filter out potentially sensitive health information that may be mistakenly submitted through the use of their tools. commercial. However, a survey in 2021 found that the Meta filtering system “did not yet work with full accuracy”. A subsequent investigation by researchers at The Markup found that Meta’s health information filtering system did not, in fact, block information about health conditions and appointment types (e.g. pregnancy or Alzheimer’s).
Internal Facebook employees were more candid about the effectiveness of the company’s tools for filtering sensitive information. According to a leaked 2021 statement from a Facebook engineer, “We do not have an adequate level of control and accountability over how our systems use data, and therefore cannot confidently make changes. policies or external commitments such as “we will not. use X data for Y purposes.”
What are web trackers?
Web trackers, like “Meta Pixel”, use code to track users’ online activity, as they browse a website or as part of web browser activities. Tracking includes the buttons the user clicks, the information he enters into forms and the pages of the site he visits.
It is important to note that Meta Pixel is not the only web tracking tool. Apart from cookies, web beacons, fingerprints (browser fingerprints), super cookies, embedded scripts and cross-site trackers are other types of web trackers. Many companies use trackers for targeted advertising and social media, including Twitter, Google, Facebook, Amazon, AppNexus, and ComScore. While many trackers are used purely for advertising purposes, others are used to track user behavior and analytics.
The long and short answers are both yes. First, misused web trackers could lead to significant regulatory violations including HIPAA, General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS) and others. Sanctions for compliance violations include fines and reputational damage.
Even more concerning, a recent study by several researchers from Radboud University and the University of Lausanne found that thousands of websites among the world’s top 100,000 were leaking information entered into site forms. This information included “personal IDs, email addresses, usernames, passwords, or even messages entered into forms, then deleted and never actually submitted.” While the trackers themselves were intended only to monitor end-user activity or determine anonymous user preferences, as the tracker code was embedded near areas that collected sensitive data, the User activity and sensitive information was ultimately sent to third parties. This presents serious privacy and security concerns, as no one wants their username and password data disclosed to employees working at third-party advertisers.
How can companies improve the security of Web Tracker?