A study published in the March 2015 issue of Communications of the ACM (Association for Computing Machinery) revealed that 91% of health-related websites initiated some type of HTTP request (HTTP is a request/response protocol, by which, for example, a computer sends a request for a file and the web server sends back a response) to third parties and that approximately 70% of those requests included sensitive information about specific symptoms, treatments, or diseases.
The study looked at 80,142 unique health-related web pages, which were identified by compiling responses to search queries for 1,986 common diseases. Of all the pages examined, 91% initiated some form of third-party HTTP request. Commercial pages had the most third-party requests, and education pages had the least third-party requests. Non-profit pages and government pages fell in the middle.
HTTP requests often include the uniform resource identifier (URI) of the page being viewed (“known as the Referer”). “The ‘Referer’ contains the address of the page the user is currently viewing.” The study reviewed a sample of the URIs taken, and found “70% contained information related to a specific symptom, treatment, or disease.”
The study also investigated the corporate ownership of the third parties that were receiving this information. They include advertising companies and data brokers, which each present their own risks. As explained in the paper, with advertisers there is a potential for blind discrimination whereby the online advertisers use the data collected in some way to influence advertising decisions, for example, through targeted advertising. Data brokers present a risk of personal identification, as they may attempt to aggregate and correlate as much personal data as possible to enhance the market value of the data they hold.