Getty Images/iStockphoto

COVID-19 Sites Plagued with Third-Party Tracking, Posing Privacy Risk

A JAMA study found nearly all COVID-19 webpages designed to help individuals find information on the coronavirus contain code that transfers data to third parties, posing serious privacy risks.

Nearly all webpages tied to the COVID-19 pandemic and designed to help individuals find information about the coronavirus contain code that transfers data to third parties, which can pose serious privacy risks, according to a new study published in JAMA

A range of entities have built webpages meant as resources for individuals to check symptoms, locate COVID-19 testing sites, and information about keeping safe during the crisis. 

To understand the potential privacy risks posed by these resources, researchers from the University of Pennsylvania Perelman School of Medicine and Carnegie Mellon University’s School of Computer Science assessed the prevalence and characteristics of web-tracking on sites tied to COVID-19. 

Using Google Trends to identify the top 25 search queries related to the coronavirus and COVID, the researchers were able to ascertain the leading 20 URLs for each of those queries using non-personalized Google searches. 

The researchers found that of the 538 analyzed websites, 535 sites – or a whopping 95 percent – unique websites included a third-party data request, which didn’t significantly vary by the type of website. Another 477 of those websites, or 89 percent, included a third-party cookie. 

“Compared with commercial web pages, third-party cookies were slightly less common, although still highly prevalent, among government and academic web pages,” researchers wrote. “However, the median numbers of third-party data requests and third-party cookies per page were both higher on commercial web pages: 77 requests resulted in 130 cookies, compared to eight requests on government sites that resulted in four cookies. 

Meanwhile, 16 requests to nonprofit sites resulted in seven cookies, and 14 requests to academic sites resulted in 10 cookies. 

Overall, 95 percent of web pages included a data request from a third-party domain owned by Google, and another seven companies received data from at least 40 percent of the analyzed COVID-19-related webpages. 

Researchers compared the data to a larger study of 1 million popular webpages, which determined 91 percent of those sites included a third-party data request, and 70 percent included a third-party cookie. The data shows that COVID-19 sites feature more third-party tracking. 

“Third-party tracking was pervasive even among government and academic COVID-19–related web pages, on which visitors might reasonably expect greater privacy protections,” researchers explained. “Decision-makers at these institutions may be unaware of third-party tracking on their websites because they do not realize that tools used to monitor website traffic transmit data to third parties.” 

Notably, the study was limited as it only tracked two forms of third-party tracking. As there are more methods used by third parties to track users, even automated means of capturing user data, the researchers believe these COVID-19 findings “likely underestimate the extent of third-party tracking.” 

Further, the study only focused on the top 20 results for specific Google searchers, which means COVID-19 sites with lower search rankings or searchers performed using other search engines were not included in the study. 

“Amid debate and legislative activity focused on the privacy implications of COVID-19 contact-tracing apps, these findings suggest that attention should also be paid to privacy risks of online information seeking,” researchers concluded. 

The report mirrors earlier findings on other health apps used by individuals for more generalized personal healthcare. For example, a BMJ study published in March 2019 found that the majority of health apps share user data and lacked transparency about the practice. 

Meanwhile, the leading 36 to-ranked mental health apps for depression and smoking cessation in the US and Australia routinely share user data with third-parties – and only 12 of those apps disclosed the practice with users, according to an April 2019 study published in JAMA

Guardsquare recently found the majority of government COVID-19 contact tracing apps from across the world don’t employ sufficient privacy and security practices, making the apps an easy target for hackers. 

Stakeholders are aware of the privacy risks posed to users by these modern digital technologies, but HIPAA is limited in its regulation, and Congress has yet to come to a bipartisan agreement on the best way to regulate these privacy risks. Prior to the pandemic, stakeholders predicted progress may be made during a lame duck session.

For now, the onus is on the users and developers to address these concerns. However, reports show that consumer adoption of digital health technologies is hindered by these privacy and security concerns.

Next Steps

Dig Deeper on Health data access & privacy