Copyright 2000 The Washington Post
The Washington
Post
February 1, 2000, Tuesday, Final Edition
SECTION: FINANCIAL; Pg. E01
LENGTH: 985 words
HEADLINE:
Medical Web Sites Faulted on Privacy
BYLINE: John
Schwartz, Washington Post Staff Writer
BODY:
Medical Web sites say they protect the privacy of visitors,
but they often share the information they collect with other companies, a new
study has found.
That means that a visitor seeking information on, say,
erectile dysfunction might unknowingly be alerting online marketers to his
condition. And while Bob Dole might feel comfortable talking about such things
on national television, most consumers would not.
"We found that almost
across the board, the privacy practices did not match the policies," said
Janlori Goldman of the Health Privacy Project at Georgetown University, who
conducted the research that went into the report. The 21 leading health sites
reviewed for the report appear to understand the depth of consumer concerns
about privacy, Goldman said, noting that the sites sport privacy policies
prominently. Goldman said, however, that the companies are not following through
on those privacy pledges and so "they're giving people a false sense of
confidence and a false sense of trust."
Consumers are turning to the
Internet for medical information in record numbers, but a survey released just
last week shows that medical privacy online remains a strong concern.
The poll, conducted for the California HealthCare Foundation, found that
75 percent of people are concerned about health Web sites passing along their
personal data without permission, and that 17 percent said they do not go online
for such information because of privacy concerns.
Most consumers--80
percent--said the existence of a privacy policy "has a positive impact on their
willingness to engage in online health activities." And that's why the results
of the survey are troubling, Goldman said. "Our message to these companies is
privacy is the number one issue facing health Web sites," Goldman said, "and the
loose link in the chain of trust that has to be established" with consumers.
The report will be officially released today at the e-Health Ethics
Summit in Washington, a gathering of major online health information providers.
The report, an advance copy of which was provided to The Washington
Post, compared consumer health care sites on the Internet to gawky
adolescents--with plenty of abilities but little self-control: "They have not
matured enough to guarantee the quality of the information, protect consumers
from product fraud or inappropriate prescribing, or guarantee the privacy of
individuals' information."
The report found that increasingly common
mechanisms known as "cookies" (bits of code placed on the user's computer that
help a site identify him on return visits), banner advertisements and other
technologies for gathering information on visitors make Web surfing a very
public experience--even when the user believes he is acting anonymously. Some of
the information from cookies and banner advertisements is collected without
informing the visitor that it is happening. A number of Web sites even gathered
data that can be used to personally identify visitors and passed it along to
third parties "in direct violation of stated privacy policies," the group found.
"There's much more info being asked of people at these sites than just
about any other sites," said Richard Smith, a computer security consultant who
was a technical adviser for the report.
Of particular concern were
relationships with firms such as DoubleClick Inc., which collects information
through online "banner ads" and has gathered more than 100 million files on
visitors. Eight of the 21 sites reviewed had business relationships with
DoubleClick; three more had similar deals with other firms.
By analyzing
the underlying code in health-care Web sites, Smith said, he found that the
information gathered in a survey or health self-evaluations was being
transferred to another site without telling the consumer.
DoubleClick,
for example, sends information about which pages the visitor views back to the
firm. But that seemingly innocuous Internet address contains a wealth of
information--for instance, on the Drkoop.com site, the addresses of the pages
contain keywords describing whether the surfer has been to a page about diabetes
or other diseases. "None of the sites examined that use ad networks disclosed
whether they are doing profiling," the report said. "Nor did they explain what
is happening with the data being collected by the ad networks."
A top
executive at Drkoop.com Inc. insisted that his company does indeed practice what
it preaches. "Everything has to be opt-in"--meaning that consumers are given a
choice about whether or not data will be collected about them, and none will be
collected unless they expressly agree to it," said Dennis Upah, chief operating
officer for the Austin-based company.
Marc E. Boulding, general counsel
to Medscape.com, said the study should alert the industry to a need for change.
But Boulding added that some use of medical information, with consumer consent
and proper safeguards, will be necessary if the sites are going to be effective.
Sam Karp, chief information officer for the California HealthCare
Foundation, said his group doesn't oppose the gathering of personal medical
information online--quite the opposite, in fact. "We're large proponents of the
opportunities that the Internet provides for getting better-quality information
in health care," he said.
Karp, whose group is a sponsor of the ethics
summit, added that "consumers say they are willing to share some information in
return for some services." So the report is intended to wake up the industry to
its obligations, Karp said: "This is a report which in our hope will help inform
the industry about the work that they have to do to ensure confidence and trust
by consumers. . . . It seems that there's a new set of ethics that needs to be
developed."
Staff writer Robert O'Harrow Jr. contributed to this
report from New York.
LOAD-DATE: February 01, 2000