As consumers become better informed about their own health, they're turning increasingly to the Internet as a trusted source of information.
But while many popular health Web sites promise confidentiality as they offer diagnoses, sell products or conduct detailed health surveys, a check of 21 leading sites found that some third parties, such as online marketers, are casting an invisible eye on visitors' cyberspace travels. Visitors to these sites unknowingly help the companies compile personal profiles.
Janlori Goldman, director of the Health Privacy Project at Georgetown University in Washington, D.C., warns that without better privacy protections, employers, health insurers and others could one day obtain very personal information without your consent.
The California HealthCare Foundation, an Oakland-based health-care philanthropy, last week released "Privacy: Report on the Privacy Policies and Practices of Health Web Sites," written by Goldman and Richard M. Smith, an Internet security consultant in Brookline, Mass. Goldman discussed concerns about privacy policies in an interview.
Question: We know personal health information is sensitive. What did you learn in your research about Internet privacy policies?
Answer: While many health Web sites have privacy policies, those policies don't match up with the sites' actual practices. In many cases, sites do not tell users how their information is collected, by whom and how it may be used.
Q: Your report refers to the peril of third-party companies tracking users' Internet activities for marketing purposes. Can you explain that?
A: Right now, the Web allows for many different entities to sit on one site. For instance, the advertisements that appear at the top of many sites, known as banner ads, are placed there by companies that collect information about what users are looking at and what they're doing on a site without the user ever having to actually click on [the ad]. [The information collected] may not [identify an individual], but it may become identifiable if the user voluntarily gives information. When you register at a site, buy a product or fill out a health survey, you're voluntarily giving information. The people who run the banner ads can look back at all the aggregate information they have on you [from other sites you've visited]. Their goal is to try to combine [all that information]. Users are not being told this is happening.
Q: On Thursday, the Internet's largest advertising company, DoubleClick Inc., responded to criticism from privacy advocates by saying that it doesn't monitor the movements of health Web site visitors. Are you still concerned?
A: I don't think it's enough for the public to be verbally assured by DoubleClick that it is not going to do anything with health information. We need written, enforceable privacy policies at health Web sites that give people assurance that their personal information will not be used or disclosed without their knowledge and permission.
Q: The technology seems to be confusing even some of the companies offering online health information and services. How much of the privacy gap is due to a lack of information within the industry?
A: I think that while the technology is complex and the Web is a different place than your traditional offline health-care environment, that's no excuse. If you want to move health-care activities to the Internet, you have to put privacy first. You cannot put people at risk and say, "We did not understand how the technology works."
Q: Do you foresee threats to privacy in employment and health insurance?
Q: What kind of policy are you asking companies for?