Privacy Risks Identified on Most Webpages Featuring COVID-19 Facts

JAMA published a new research article that revealed the fact that almost all websites providing COVID-19 facts have a third-party tracking code that poses a threat to privacy. By using the tracking code, the websites could gather data from website guests and send that information to third parties. The transmitted information typically includes the web addresses seen by a visitor and his/her IP address. Other details may also be gathered, and that data permits the generation of complete profiles on the viewing habits and interests of visitors. Considering that IP addresses are obtained, that fact could readily be associated with a certain person.

The Carnegie Mellon University’s School of Computer Science and University of Pennsylvania Perelman School of Medicine experts had already performed a study of 1 million website pages, which include health-linked websites, and discovered that 91% of those web pages had a third party data request while 70% use third-party cookies.

The researchers focused their attention to sites giving news on COVID-19, such as web pages that offer symptom checkers, guidelines to stay clear of being infected, post-infection care, and help to select testing sites. The researchers made use of Google Trends to discover the top 25 search keywords linked to COVID and coronavirus on May 15, 2020. They searched on Google to discover the top 20 URLs for non-personalized searches based upon the top 25 search phrases.

The researchers utilized a tool named webXray, which detects cookies, third-party tracking code on sites, and data requests by other domains. They analyzed 538 web pages.

The researchers learned that 535 (99.44%) of the 538 websites contained third-party data requests and 477 (89%) had third-party cookies. There was no variance of cookies and information requests according to the type of webpage. Even academic and government sites, which visitors may think to have more privacy protections, also had cookies and tracking code.

The researchers explained that commercial websites had less common third-party cookies though still more prevalent among federal and academic webpages. Nevertheless, the median numbers of third-party cookies and data requests per page were higher on commercial websites (77 requests; 130 cookies) than on government webpages (8 requests; 4 cookies), academic websites (14 requests; 10 cookies), non-profit webpages (16 requests; 7 cookies).

The researchers mentioned decision-makers at companies may be uninformed that third-party tracking code transfers data to third parties as it is normally only installed to check website traffic.

The researchers explained that the research had two limitations. First, the tool employed to search for third-party tracking only searched for two means of tracking and there are actually many others, some of which were created to elude auto-capture. Therefore, the number of web pages checked for third-party tracking is likely underestimated. Additionally, since the study only checked the top 20 search results, the conclusions may not cover websites that appear lower in the search engine listings.

In the midst of discussion and legislative activity centered on the privacy effects of COVID-19 contact-tracing software, these study results show that interest must also be directed at privacy issues on online search engine users.