The WebMD Symptom Checker passes your information to dozens of companies and third parties including Facebook, Google and other advertisers. The FT’s European technology correspondent Madhumita Murgia and senior newsroom developer Max Harlow explain how it works. Read more at
Every day thousands of people look at health websites to find out information about their health or put in their symptoms to figure out if they can get a diagnosis so we decided to look behind the scenes and look at really what happens to the data that we put into health websites so max here is going to take us through one specific website that we decided to analyze
And show us really what’s going on the hidden tracking that happens behind the scenes we’re going to be going to the webmd symptoms checker what might not be clear when we’re opening up a web page is there’s a lot of stuff that’s happening behind the scenes though normally this is hidden to us we’ve got a tool here called http toolkit that will let us see exactly
What’s going on so here really we should be able to see a list of companies or trackers that are looking at what we’re doing on this website right yes well we’re interested in as third parties domain names websites owned by other companies potentially that are being communicated with by this page this is the request that our computer made when we went to this url
When we press enter and down here we’ve got this bit of information it says setcookie and we’ve got this thing which says visitor id equals and there we’ve got a long string of numbers and letters right we can look at what other requests this page is made which is also included this specific id what’s a request max so this is just communicating with another website
Normally fetching a bit of information so fetching a whole webpage or fetching an image or fetching a script a bit of code that’s going to be used on the page and the thing that’s interesting here is this is even before we’ve clicked i agree to their privacy policy right so at this point we haven’t agreed to being tracked we haven’t agreed to anything so these
Companies that are getting the id what does it mean that what can they do with that id well they can associate that id with this web address but also we’re about to start entering some personal information and if there were further requests sending that information to them i’ll have a personal identifier and then they also have some protected category data about
Us okay so shall we go in and try and put in some medical symptoms and see who ends up getting a peek at them are we gonna be male or female now okay so back on this list if i click here we can see what happened when i pressed that male button so it went to facebook.com/ so as soon as we clicked male that information went to facebook and a bunch of other people
So what’s our main symptom what do we want to start with so let’s start with some some diarrhea okay pleasant okay so if i search for diarrhea we can see another space similar requests going out fever yes have a fever there we are again and there we are again we’re looking here we can see other bits of information so it’s we’ve clicked a common symptom button one
Of these buttons down here and the bottom texas fever throat irritation yes thanks most likely we’ve got pulse rate of colitis or the flu or we’ve got taken a drug overdose that’s facebook so facebook has received all of the buttons that we’ve clicked including our symptoms even our diagnosis and we don’t know what they’re doing with it but i think it’s really
Interesting because you know ultimately they’re an advertising company so if they’re using this to build profiles about us associated with one of the ids then it just means that people can target us or rather other advertising companies can target us based on what they think we have yes this is all personal health information the information that’s meant to be
Some of the most protected by law and certainly something you don’t want facebook to know about you possibly not so let’s have a look at some of the third parties now i was expecting this to all be tech companies but there’s so many that are many other companies which really are household names widget comm ad nexus mm-hmm they’re quite a big ad tech company as
Well a long day and you would never realize from going to this quite simple page with two adverts just how many companies will be receiving data about and what’s interesting right is that we don’t know what happens after this moment so they could be selling on this information or sharing it with a whole bunch of other companies who then sell it on and on and on
So you know we we have no idea really whose hands that ends up in and we have no choice but to trust them so what a thing is interesting is a lot of that happen before we click to accept at all yeah there was a link to the privacy policy there though every time you place any of these tracking cookies onto a website you have to ask the user whether they consent to
That so when i went through the policy kind of says that they share data with third parties they list third parties so what they said is we share some data with google and facebook if you want to know what they do with it look at their privacy policies and you know that’s very much gray area because according to the law consent is supposed to be unambiguous and i
Wouldn’t say that was unambiguous at all because i’m still left with a million questions about where my data’s going and what’s happening with it it’s that protected category data that they’re meant to require explicit consent that this didn’t seem to be particularly special did you know we would never dream that this data was being shared in the way that it was
And the privacy policy really doesn’t give us an idea of the extent of this doesn’t
Transcribed from video
How medical websites share your data | FT By Financial Times