Hacker News new | ask | show | jobs
by davidfischer 856 days ago
Healthcare providers and insurers in the US are bound by HIPAA privacy rules, but data brokers (mentioned in the article) and the ads industry generally are not. For example, if she used an app in the doctor's waiting room that shared/sold location data to a data broker, they can use her location data for retargeting purposes. There have been many cases in the past where advertisers targeted users based on visiting medical or other sensitive locations.

As to how they mailed it to her and got her home address, a data broker who has location data can fairly easily determine a user's home address from that data. Many brokers and networks may also already have an association between a "pseudo-anonymous advertising ID" and real user with name and address. Not saying that location-based retargeting happened this time as the article doesn't give us enough to go off of and other types of retargeting are another possibility.

Overall, I think it's unlikely that the provider or insurer shared her data and other alternatives are more likely.

Disclosure: I work in the ads industry but on contextual targeting only. Some location-based retargeting is terrifying and will probably eventually be criminal. It's a bit of the wild west right now.
5 comments
fnordpiglet 856 days ago
I would assume that a more likely scenario (although yours is also likely!) is someone with cancer will almost certainly search the internet at some point for information about cancer and their treatments. This will immediately be sucked up by the pervasive surveillance economy and used to extract the maximum amount of marginal revenue attainable through any means necessary. You don’t need to know they’re in a doctors waiting room, using the internet for information retrieval will specifically inform everyone interested in paying for it what you are searching for.
link
freedomben 856 days ago
Yes, I agree. It's also quite likely that people who know people with cancer will search about cancer, and sadly some of them will later need to purchase cremation services. This means that statistically it's not a bad idea to target people who have searched for cancer with cremations. This seems like the most likely explanation to me.

(Edit to add a meta note: Apparently this has to be said on Hacker News because people can't distinguish between someone presenting facts and someone making a defense, but I'm not defending the practice. I think it's abhorrent. But if we can't dispassionately analyze reality to try and understand the motivations, then we've really abandoned reason and lost our way).

link
adrr 856 days ago
All the medical information sites(WebMD,Drugs.com) are filled with ad beacons.
link
davidfischer 856 days ago
Ya, other types of retargeting like this are also likely. The jump from visiting a website to an advertiser does physical mailings isn't a big one (political advertising uses this a lot). Long story short, she was probably retargeted based on her actions and probably not based on the insurer or provider doing anything illegal.

Edit: I don't want to sound like I'm blaming the victim here. That's not my intent. I just don't think blaming the insurer or provider is fair either. I dump the blame on the data broker/ad network and to a far lesser extent the advertiser.

link
VyseofArcadia 856 days ago
I wonder would the effect would be of extending HIPAA protections to information that you have inferred. If you have inferred something about a person that is protected by privacy laws, should that inference itself also be protected? How much of a shield should "we're not 100% sure, so it's just a very well-informed guess" be?

I have my own story about advertisers inferring personal. Relationship status isn't protected, but the last time I went through a breakup, I was suddenly inundated with dating site ads. I don't feel like my shopping or web browsing habits changed, but they must have to figure it out.

link
JohnFen 855 days ago
> I wonder would the effect would be of extending HIPAA protections to information that you have inferred.

That would be helpful. Also, HIPAA itself isn't exactly a panacea and is full of loopholes. Having effective medical privacy laws would be even better.

link
davidfischer 855 days ago
I'd just like effective privacy laws in the US generally.
link
UncleEntity 856 days ago
> There have been many cases in the past where advertisers targeted users based on visiting medical or other sensitive locations.

Yep, I used to get ads like that all the time during my cab driving days.

I would often ponder on how they made any inferences out of my location data because I went to so many different places. There were definitely patterns, hauling around the same people once you learn their schedule is a big part of the job, but using it to sell me stuff is worthless.

Now that the youtubes have taken up the adblocker fight I still get all sorts of ads for medical stuff that has no direct relation to me. I do try to keep up on all the complicated "don't track me, you fucking stalkers" clicky buttons they like to add so perhaps I just fall into age group where their ad dollars shine, dunno?

link
HankB99 855 days ago
I remain convinced that something on my phone listens to incidental conversations. Yesterday my wife was asking about the difference between our (past) Plymouth Voyager and the current Chrysler Pacifica. Today I get an ad in my Google (Android) feed for the Pacifica. I haven't looked at mini-vans in decades and neither of us searched for anything related.

We had just visited the Sloan museum in Flint, MI which has an extensive Buick display so an ad for a Buick would not have been unexpected.

Coincidences like this have happened too many times to be coincidental.

link
dangus 855 days ago
I think these conspiracy theories happen because people don’t understand how easy it is to leak data and how easy it is for data collectors to gather metadata and make a conclusion. Metadata is incredibly powerful and a lot of non-data scientists don’t realize the level of sophistication that companies have in their possession.

The classic example is Target predicting your pregnancy based on specific purchase behaviors. All they have to know is a consistent identifier and your purchase history and they can predict whether you’re pregnant. There’s no need to listen in on conversations or obtain other more detailed user data.

Also, a lot of “private” services and apps really don’t promise jack shit in their privacy policy. They are probably all gathering and selling the data nearly in real time. Their privacy policies are often far more broad, vague, and permissive than their PR will tell you.

You’re with your wife, your devices are often on the same networks, so it’s likely that advertisers know you know each other when you browse. Despite what your wife says, you really don’t know if she interacted with a Pacifica ad or piece of sponsored content. Even if she didn’t search for a Pacifica, it doesn’t have to be specifically something related to minivans, because that information that you are potentially more interested in minivans can come from other metadata.

TikTok manages to figure out your perception of a particular video based on how your fingers are moving on the screen, how long you’re spending on a video, what’s happening when you’re lingering or swiping, etc. You never really have to tell TikTok directly what things you like.

The game of 20 questions works from a similar concept. You can start knowing absolutely zero and ask a very small amount of binary questions to find the specific item the person has on their mind, only metadata.

link
jamesdwilson 855 days ago
> Cox Media Group recently gave advertisers an overview of a new technology it calls Active Listening. CMG claimed that its technology can use microphone data from devices like smartphones and tablets, specifically analyzing "pre-purchase conversations." The since-deleted blog post also mentions using AI to determine when the phrases heard from smart devices could be "relevant" to advertisers.

https://www.businessinsider.com/cox-active-listening-claims-...

link
dangus 855 days ago
From the archived page:

> We know what you're thinking. Is this even legal? The short answer is: yes. It is legal for phones and devices to listen to you. When a new app download or update prompts consumers with a multi-page terms of use agreement somewhere in the fine print, Active Listening is often included.

This means you have to give permissions and ignore the orange dot on your screen for this technology to work.

link
jamesdwilson 855 days ago
Don't most people just hit Accept blindly?
link
dangus 855 days ago
Probably, but that’s why new versions of iOS have a recording indicator anytime the microphone or camera is active.

And, you know, at some point consent is consent. It’s a giant dialog box that explains everything. Some people might even want an app that records their activity and gives them compensation for doing so (e.g., Microsoft/Bing Rewards). Who am I to tell that person they don’t want that?

link
HankB99 854 days ago
> You’re with your wife, your devices are often on the same networks,

I'm on Fi, she's on Verizon. But I don't doubt that data miners know we're together due to consistent proximity. Neither she nor I did any Pacifica related searches.

link
m463 855 days ago
Sorry, this is nonsense. The healthcare providers do it directly.

99.9% of people who have a healthcare provider at a minimum use their website - communicate with doctor, prescriptions, etc.

All these websites use adtech stuff, and the apps are even worse.

look, don't take my word for it, just look at kaiser permanente's website:

https://www.kp.org

It references google.com directly.

(also try www.dmv.ca.gov, same thing, same cookies)

link