Privacy Risks Discovered on Nearly All Sites Providing COVID-19 Information

A new study that JAMA published revealed that nearly all websites providing COVID-19 information include third-party tracking code that presents a risk to privacy. With the tracking code, the web pages could collect information from website visitors and transmit that data to third parties. The transferred data usually includes the URLs visited by a user and his/her IP address. Other data could also be obtained, and that information enables the creation of detailed profiles on the browsing habits and interests of people. Because IP addresses are gathered, that data can quickly be linked with a particular individual.

The Carnegie Mellon University’s School of Computer Science and University of Pennsylvania Perelman School of Medicine researchers had earlier done research of 1 million webpages, such as health-connected websites, and discovered that 91% of those sites included a third party data request while 70% got third-party cookies.

The researchers switched their interest to web pages giving facts on COVID-19, for example, sites providing symptom checkers, ideas to prevent having infected, after-infection healthcare, and help to locate testing sites. The researchers utilized Google Trends to locate the top 25 search queries regarding COVID and coronavirus on May 15, 2020. They searched on Google to determine the top 20 web addresses for non-personalized searches according to the top 25 search inquiries.

The researchers utilized a tool known as webXray, which finds cookies, third-party tracking code on web pages, and data requests coming from third party websites. They reviewed 538 sites.

The researchers learned that 99.44% or 535 of the 538 websites contained third-party data requests and 89% or 477 had third-party cookies. There was no difference in cookies and data requests based on the type of site. Even academic and government web pages, which users may be expecting to have better privacy protections, likewise had tracking code and cookies.

The researchers noted that commercial websites had less common third-party cookies but still remarkably prevalent among federal and academic webpages. Nonetheless, the median numbers of third-party data requests and cookies per page were higher on commercial websites (77 requests; 130 cookies) compared to on government webpages (8 requests; 4 cookies), academic websites (14 requests; 10 cookies), nonprofit webpages (16 requests; 7 cookies).

The researchers said decision-makers at organizations might be unaware that third-party tracking code sends information to third parties as it is typically only installed to keep track of webpage traffic.

The researchers stated that the study had two restrictions. First, the tool employed to look for third-party tracking only looked for two ways of tracking and there are actually some others, some of which were made to avert automated capture. Therefore, the number of sites inspected for third-party tracking may have been under-rated. Furthermore, since the research only looked at the top 20 search listing, the results may not be applicable to webpages that appear way down the search results.

In the middle of the debate and legislative activity concentrated on the privacy risks of COVID-19 contact-tracing applications, these findings indicate that focus should also be aimed at privacy risks to online searchers.