
Mental health websites are sharing user data with advertisers, including the results of tests for depression. This means that people seeking information or help for mental health conditions can be targeted with adverts while they may be vulnerable.
Eliot Bendinelli at Privacy International in London and his colleagues looked at 136 of the most popular websites in the UK, France and Germany that provide resources and information about mental health conditions. The researchers found that 76 per cent of the websites contained third-party marketing trackers. These collect information about a user and can track them as they browse other sites. This can be combined into a detailed profile.
Many of the pages had trackers from Google, Facebook and Amazon and shared information with data brokers – firms that aggregate information and sell individual profiles to other organisations – and advertising companies.
Advertisement
“It’s currently almost impossible to seek information and help about depression without advertisers knowing,” says Frederike Kaltheuner at the Mozilla Foundation in London, who is part of the team. “Knowing who is depressed and when allows advertisers to target people when they are at their most vulnerable. Feeling low today? Here are some diet pills.”
Advertisers target users based on their personal data, such as their IP address and location, and the site they visit, says Bendinelli. Some sites also have real-time bidding, where information, including a page’s content and URL, is used to instantaneously show a relevant ad on the page.
Several websites with questionnaires about depression stored users’ answers and shared them with third parties.
When the researchers first analysed the UK’s National Health Service website in September, they found that a mood self-assessment quiz shared individual answers, test scores and the test URL with Adobe for analysis purposes. However, the NHS website has since updated its privacy policy so users now need to manually opt in to be tracked.
The team also found that doctissimo.fr, one of France’s most popular health websites, sent unique user identifiers and answers to a data collection firm. “Doctissimo basically sends all of your answers to the test to a third party that is named nowhere on their website, nowhere in their privacy policy,” says Bendinelli. “That’s a perfect example of abusing people’s confidence.”
The research was presented this week at the Black Hat Europe event in London.
Under the EU’s General Data Protection Regulation, websites and apps are required to obtain consent before tracking users. Data relating to physical or mental health is considered a “special category” and can only be processed with explicit consent or for relevant other reasons.
The data collected by brokers could potentially be used in future to affect an individual’s insurance premiums or ability to get a mortgage, says Bendinelli.
“Many websites are falling short of their obligations,” says Kaltheuner. “This is simply unacceptable and deeply worrying.”
Doctissimo.fr didn’t respond to żěè¶ĚĘÓƵ’s requests for comment. Google and Amazon say they don’t use sensitive data for advertising and that they prohibit advertisers from doing so as well. Facebook says it requires website owners to be clear about the information they are sharing with the firm.