February 2, 2000

Health Sites Violate Their Own Privacy Standards, Study Finds

By JERI CLAUSING
WASHINGTON -- Internet health sites collect some of the most personal information about their users, but few follow their own declared policies about maintaining the privacy of that data, according to a survey made public Tuesday.

The study, by the California HealthCare Foundation, found that 19 of the top 21 health sites had privacy policies, but that most failed to follow their stated practices. And none of the sites followed fair information practices as defined by the Federal Trade Commission.

The survey comes as policy makers are more closely scrutinizing the privacy practices of Web sites to determine whether new laws are needed to regulate online marketers. Privacy advocates said the study proved that the Internet industry has failed in its attempts to police itself in the area of online privacy.





"This is about the 7,000th piece of conclusive evidence that self-regulation is not working," said Jason Catlett, founder of Junkbusters Corp., a company that helps people and companies protect their privacy online.

The study's authors, however, were less judgmental, comparing the online health industry to an awkward adolescent who has yet to understand all the implications of his actions.

Richard M. Smith, an Internet security analyst, and Janlori Goldman, director of the project, said Internet health sites are well aware that consumers expect the information they supply to be confidential. They said they believe many of the sites are unaware that third-party advertisers and service providers have access to the personal information they are collecting.

The technological mechanisms behind the privacy violations, Smith said, include the use of "cookies," which track Web surfers' movements online, and banner ads, which in some cases can pick up the information entered by visitors on the pages where they are displayed.

The combination can enable advertising companies like DoubleClick to build detailed profiles of consumers and of the information they seek online.

For example, Smith said, some companies that place banner ads would be able to pick up an e-mail address entered by someone visiting a Web page about AIDS, even if the visitor never clicked on that ad. The address could then be matched with the Web "footprints" left on that computer by implanted cookies.

Many consumers and even Web site operators are unaware that advertisers have such technical capabilities, which allow them to build huge databases of consumer behavior, Smith said.

"It's complicated," Smith said. Some of the privacy violations "are accidental, and some are on purpose. Some (sites) really don't know that DoubleClick is collecting addresses," he said.

Catlett, a technical expert who previously worked for the data mining division of AT&T, said he thinks it is very plausible that many Web sites are unknowingly violating their own privacy policies.

"A lot of these sites are being set up in great haste, and often without sufficient knowledge or attention to the leakage that takes place with online advertising," he said.

Still, Catlett said, "It's horrifying but not surprising that medical sites are doing as poor a job on privacy as used car trading sites."

"I think probably medical sites are not doing any worse of a job on privacy as other e-commerce sites, but the public's expectations and need for privacy in a medical site is so much greater that the truly horrendous prevailing levels of privacy on the Web are just ludicrous," he said.

Although privacy advocates for years have been calling on Congress to pass a law setting rules for Internet sites to follow when collecting personal information, the Clinton administration and the Federal Trade Commission have sided with the Internet industry, which says it needs a chance to prove that marketers and online merchants can police themselves.

FTC officials on Tuesday had no comment on the study. This spring the commission is expected to issue its third annual report to Congress on the state of online privacy and whether it thinks new laws are needed.

The study's authors declined to get into the political debate over whether new laws are needed, saying they conducted the survey in hopes of providing the industry with the information it needs to better meet customers' online privacy expectations.

"The goal of the California HealthCare Foundation is to be a broker in this rapidly changing arena," said Mark D. Smith, president of the group, which presented its study during a summit on online health ethics.




Jeri Clausing at jeri@nytimes.com welcomes your comments and suggestions.





Copyright 2000 The New York Times Company