NHS’ mood assessment page with clear choice given to the user.

This is not the first time PI’s research has pushed companies to change. Many Android apps using the Facebook SDK changed their default behavior following our App analysis in 2018, while Facebook changed the default parameters of its SDK to prevent data from being shared as soon as the user would open an app using this SDK. Similarly, in September 2019, our research into menstruation apps led two of the main apps we exposed to stop sharing sensitive personal data with Facebook. This is a positive change that we welcome and that proves that websites and apps don’t have to trade your privacy.
Yet, selling your mental health data is still a thing. It shouldn’t be.

Unfortunately, these good examples are far from being the norm. Most websites still share your data with third parties for advertising purposes. Even more worryingly, two of the websites offering depression tests (Doctissimo, a health site owned by French group TF1, and Depression.org.nz, part of New Zealand’s national public health programme) still share your test answers with third parties*. This means that our initial analysis of these privacy and security issues still applies. This is unacceptable.
Our research also reveals that very little has changed in terms of the number of third parties contacted by mental health websites and the number of cookies dropped. If anything, it seems that the number of third-party elements loaded has increased for all three countries we looked at. These elements could have uses other than marketing, but given the high percentage of third parties with marketing purposes, we can assume an important part of them are loaded for this purpose. For example, the page dedicated to treatments for depression on French health website Eurekasante contacts an astounding 71 third parties (compared to 36 in our first research) as soon as you open the page, most of them for advertising purposes.
Data brokers then aggregate this deidentified health information and sell it to third party buyers; for example Adam Tanner of the Harvard Institute for Quantitative Social Science estimates that a large pharmaceutical company might pay between $10 million and $40 million per year for data, consulting and services from Iqvia alone.
VCH declined an interview and provided an email statement that said, in part, their health authority “has clear privacy protocols to protect patient information and we take breaches of privacy extremely seriously.” They also said they recently made changes to their systems to limit patient information sent through paging broadcasts and are working with B.C.’s Office of the Information and Privacy Commissioner as they “move to alternate technologies.”