Privacy Risks Found on Almost All Websites Offering COVID-19 Information

A recent study published in JAMA found almost all websites offering information on COVID-19 have third-party tracking code that poses a privacy risk. Many web pages include tracking code that collects information about website visitors and transfers the data to third parties. Code is loaded on websites that initiates a data transfer that often includes details of the URLs that have been visited and the user’s IP address.  Other information may also be collected, and that information allows detailed profiles to be built up on people’s browsing habits and interests. Since IP addresses are collected, that information can easily be tied to a specific individual.

Researchers at the University of Pennsylvania Perelman School of Medicine and Carnegie Mellon University’s School of Computer Science had previously conducted a study of 1 million web pages, including health-related websites, and found that 91% of those websites included a third party data request and 70% had third-party cookies.

The researchers turned their attention to websites offering information on COVID-19, such sites offering symptom checkers, tips to avoid getting infected, post-infection care, and help finding testing sites. The researchers used Google Trends to find the top 25 search queries related to COVID and coronavirus on May 15, 2020. Searches were performed on Google to identify the top 20 URLs for non-personalized searches based on the top 25 search queries.

The researchers used a tool called webXray, which detects third-party tracking code on websites, data requests from third party domains, and cookies. 538 websites were analyzed for the study.

The researchers found that 535 of the 538 websites (99.44%) included third-party data requests and 477 (89%) included third-party cookies. The data requests and cookies did not vary by the type of website, and even government and academic websites, which visitors may expect to have greater privacy protections, also had tracking code and cookies.

“Compared with commercial web pages, third-party cookies were slightly less common, although still highly prevalent, among government and academic web pages,” explained the researchers. “However, the median numbers of third-party data requests and third-party cookies per page were both higher on commercial web pages (77 requests; 130 cookies) than on government (8 requests; 4 cookies), nonprofit (16 requests; 7 cookies), or academic (14 requests; 10 cookies) web pages.”

The researchers suggest decision makers at institutions may not be aware that third-party tracking code transmits data to third parties as it is usually only installed to monitor web traffic.

The researchers point out that there were two limitations to the study. Firstly, the tool used to check for third-party tracking only checked for two mechanisms of tracking and there are others, some of which have been developed to evade automatic capture. The number of websites that have third-party tracking is therefore likely to have been underestimated. Also, since the study was limited to the top 20 search results, the findings may not apply to web pages that appear lower in the search engine listings.

“Amid debate and legislative activity focused on the privacy implications of COVID-19 contact-tracing apps, these findings suggest that attention should also be paid to privacy risks of online information seeking,” warned the researchers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.