Wesselkamp, V., Fouad, I., Santos, C. et al. (3 more authors) (2021) In-Depth Technical and Legal Analysis of Tracking on Health Related Websites with ERNIE Extension. In: WPES '21: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society. CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security, 15 Nov 2021, Seoul, Korea. ACM, pp. 151-166. ISBN 9781450385275
Abstract
Searching the Web to find doctors and make appointments online is a common practice nowadays. However, simply visiting a doctor's website might disclose health related information. As the GDPR only allows processing of health data with explicit user consent, health related websites must ask consent before any data processing, in particular when they embed third party trackers. Admittedly, it is very hard for owners of such websites to both detect the complex tracking practices that exist today and to ensure legal compliance.
In this paper, we present ERNIE, a browser extension we designed to visualise six state-of-the-art tracking techniques based on cookies. Using ERNIE, we analysed 385 health related websites that users would visit when searching for doctors in Germany, Austria, France, Belgium, and Ireland. More specifically, we explored the tracking behavior before any interaction with the consent pop-up and after rejection of cookies on websites of doctors, hospitals, and health related online phone-books. We found that at least one form of tracking occurs on 62% of the websites before interacting with the consent pop-up, and 15% of websites include tracking after rejection. Finally, we performed a detailed technical and legal analysis of three health related websites that demonstrate impactful legal violations.
This paper shows that while, from a legal point of view, health related websites are more privacy-sensitive than other kinds of websites, they are exposed to the same technical difficulties to implement a legally compliant website. We believe ERNIE, the browser extension we developed, to be an invaluable tool for policy-makers and regulators to improve detection and visualization of the complex tracking techniques used on these websites.
Metadata
Item Type: | Proceedings Paper |
---|---|
Authors/Creators: |
|
Copyright, Publisher and Additional Information: | © Author | ACM 2021. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in WPES '21: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society, https://doi.org/10.1145/3463676.3485603 . |
Keywords: | tracking; browser extension; GDPR; health data; explicit consent |
Dates: |
|
Institution: | The University of Leeds |
Academic Units: | The University of Leeds > Faculty of Environment (Leeds) > Institute for Transport Studies (Leeds) > ITS: Sustainable Transport Policy (Leeds) |
Depositing User: | Symplectic Publications |
Date Deposited: | 14 Jun 2024 08:53 |
Last Modified: | 14 Jun 2024 08:53 |
Published Version: | https://dl.acm.org/doi/10.1145/3463676.3485603 |
Status: | Published |
Publisher: | ACM |
Identification Number: | 10.1145/3463676.3485603 |
Open Archives Initiative ID (OAI ID): | oai:eprints.whiterose.ac.uk:213512 |