
Is Your Mental Health for Sale?

Conference:  BlackHat EU 2019

2019-12-04

Summary

Privacy International conducted a study on mental health websites and found that many of them were poorly designed and violated GDPR and ePrivacy regulations. They also found that programmatic advertising has no place on mental health websites.
  • Privacy International conducted a study on 139 mental health websites and found that many of them were poorly designed and violated GDPR and ePrivacy regulations.
  • They found that programmatic advertising has no place on mental health websites as it is an inherently intrusive advertising practice and health websites inherently share sensitive data.
  • The study also found that web scraping and data sharing with third-party companies was common on these websites.
  • Privacy International is calling for regulators to take action and for users to file complaints if they feel their rights are being violated.
  • The methodology used in the study is open and can be replicated by anyone.
  • The full report is available on the Privacy International website.
One of the websites studied, debatehere, was found to be sending personal information in clear text to a third party that was not mentioned anywhere on their website. This is a clear violation of GDPR and ePrivacy regulations. Additionally, the NHS was found to be sending the total score of the depression test to an Adobe Analytics server without warning users. These findings highlight the need for better website design and for companies to be transparent about their data collection practices.
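
One way to check a site for the kind of leak described above, as an added example (not Privacy International's tooling or methodology): take the test while recording a HAR file in the browser, then search every third-party request for the answers and score you entered. The HAR excerpt, domains, and field names below are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed HAR excerpt (not real traffic): a first-party page, a third-party
# analytics beacon carrying the total score, and a third-party POST with answers.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://health.example/depression-test?step=9"}},
    {"request": {"method": "GET",
                 "url": "https://metrics.analytics.example/beacon?pageName=test-result&c1=17"}},
    {"request": {"method": "POST", "url": "https://sync.adtech.example/collect",
                 "postData": {"text": "uid=abc&answers=3%2C2%2C3%2C1%2C2%2C3%2C1%2C1%2C1"}}},
    {"request": {"method": "GET", "url": "https://cdn.health.example/app.js"}},
]}})

def site_of(host):
    """Crude registrable domain: last two labels (assumption; use a Public Suffix List in practice)."""
    return ".".join((host or "").lower().split(".")[-2:])

def matches(canary, value):
    """Short canaries (e.g. a two-digit score) must equal the whole field to limit false hits."""
    return canary == value or (len(canary) > 4 and canary in value)

def find_leaks(har_text, first_party, canaries):
    """Return (third-party host, field name, canary) for each canary seen in a third-party request."""
    leaks = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if site_of(url.hostname) == site_of(first_party):
            continue  # same site as the page under test: not a third party
        # parse_qsl percent-decodes, so encoded values are compared in clear form
        fields = parse_qsl(url.query, keep_blank_values=True)
        body = (req.get("postData") or {}).get("text", "")
        fields += parse_qsl(body, keep_blank_values=True)
        for name, value in fields:
            for canary in canaries:
                if matches(canary, value):
                    leaks.append((url.hostname, name, canary))
    return leaks

if __name__ == "__main__":
    # Canaries: the answers the tester selected and the total score the page displayed
    canaries = ["17", "3,2,3,1,2,3,1,1,1"]
    for host, field, canary in find_leaks(SAMPLE_HAR, "health.example", canaries):
        print(f"{host} received {canary!r} in field {field!r}")
```

This only catches values sent in clear or percent-encoded form in query strings and form bodies; hashed, base64-encoded, or JSON-nested values need additional decoding steps.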

Abstract

According to the WHO, 25% of the European population suffer from depression or anxiety each year and depression accounts for up to 50% of chronic sick leaves. This means that every day, millions of people are looking for information about depression online - whether they are seeking help, support or trying to understand how best to support friends and family. At the same time, the current Internet business model heavily relies on targeted advertisement to generate money, tracking people around the web and syphoning their personal data to build accurate profiles for the sole (official) purpose of showing you "better ads". See where all of this might go wrong?

Considering the sensitive aspect of the mental health-related websites it would seem reasonable to expect that the number and nature of the third parties they include is limited to the viable minimum. Unfortunately, Privacy International's research proved that to be quite wrong. Based on an analysis of 136 popular depression-related websites in France, Germany, and the UK, we observed that a vast majority of these websites embed an impressive number of trackers, mostly for marketing purposes. You might hope that these trackers are at least enabling non-targeted advertisement, yet more than a quarter of the webpages scanned embed third parties who engage in programmatic advertising and Real Time Bidding (RTB). More concerning even, a small subset of these websites offer depression tests that share your answers and results directly or indirectly with third parties.

In this talk, we will highlight what type of third parties can be found on mental health-related websites, how frequently some trackers can be found, and what type of tracking they enable. We will then take you on a journey to see exactly what data is being shared with some of these third parties when you take a depression test, from RTB pre-bid requests to the answers you give.
