Black Hat Europe: Mental health websites are leaking user data

At Black Hat Europe in London, researchers reveal the extent to which confidential data is being leaked to third parties by online mental health websites

Almost every popular website dedicated to mental health and depression contains third-party trackers that render users vulnerable to damaging leaks of highly confidential personal information, according to researchers.

Analysis conducted by Frederike Kaltheuner of Mozilla and Eliot Bendinelli of Privacy International revealed that 97.78% of the top mental health websites contain some kind of third-party tracking element, including cookies, JavaScript, or images hosted on a third-party server.

They said that while it was very important to understand that this is not necessarily nefarious in and of itself, it does present an inherent privacy risk.

“Popular websites on mental health share users’ personal data with third parties. Some depression tests share test answers and results with third parties as well,” said Kaltheuner during a joint presentation at Black Hat Europe 2019.

“If advertising companies, data brokers and online trackers know you are depressed, this is intrusive, and information that can be used against you,” she said.

Kaltheuner and Bendinelli analysed a total of 136 mental health websites providing advice, guidance and tests to people living with depression, with a focus on France, Germany and the UK. They found an average of 44.49 tracking elements per website in France, 7.82 in Germany, which has stricter data protection laws, and 12.24 in the UK.

Crucially, said Kaltheuner, many of these third-party cookies were being placed before the user had the opportunity to consent to cookies, in clear violation of the European General Data Protection Regulation (GDPR), which states that consent must be specific, informed, unambiguous and freely given. The sites examined were clearly not obtaining it within the spirit of the regulation, she said.

The researchers found user data was being made available to multiple data brokers and marketing and advertising companies, including most of the sector’s biggest players such as Outbrain and Taboola, technology companies like Amazon Marketing Services, Facebook and Google, and, by extension, Google’s advertising services DoubleClick and AdSense, which were present on the vast majority of pages analysed.

Other companies implicated include a number engaged in the controversial practice of programmatic advertising, something that is being increasingly scrutinised by European regulators. Programmatic advertising is best described as the practice of real-time automated bidding by advertisers on inventory – meaning space on web pages – for the opportunity to serve specific ads to the user.

Kaltheuner pointed out that the research barely scratched the surface of the problem, and it was virtually impossible to gain much insight into what was actually happening to the data exfiltrated from health websites – short of hacking into the systems of the third-party companies.

Nevertheless, she said, the fact that data about the mental health of web users was clearly entering the advertising technology ecosystem was highly troubling.

“Knowing who is depressed and when means you can be targeted when you are most vulnerable,” she said, highlighting how the adverts she saw on her personal Instagram account had changed since conducting the research. She reiterated: “Knowing the reasons why someone is depressed could be used against them.”

Kaltheuner added that the risk to user data could potentially undermine public trust in technology and drive people living with depression or other mental health conditions away from resources that could actually be extremely helpful to them. “The worst outcome I could think of is that people stop seeking help when they need to,” she said.
