How my sexual health searches ended up in the hands of big tech companies (abc.net.au)
199 points by humanetech 89 days ago | 90 comments

Last week, I got hit by a car while riding my bicycle. You won't believe in how many colors an upper arm can shine. Anyhow, I took a picture of the arm, shared it to a friend on WhatsApp and promptly got a newsletter from Pinterest promoting tattoo posts. I do not have the Pinterest app on my phone, barely use it otherwise and would never search for tattoos since I'm just not interested.

I've been trying to find out since then where and how Pinterest might have gotten my blue/red/yellow/green arm picture from to analyze it, interpret it and link it to my account. They might be able to search my friend's phone's pictures (in case he's got the app which I'm not sure) and link the picture back to my account. Spooky though.

Samsung phone? I found out that standard Image Gallery contained Foursquare adware in it, just after GDPR kicked in and they popped up a consent dialog.

I haven't used Pinterest in years and may have accidentally clicked on a Pinterest result in Google search results and suddenly started getting all kinds of desktop popup notifications from them and don't know how or why.

This is probably Chrome desktop notifications. The box to enable them on a website looks quite a lot like one of those "do you want cookies?" boxes, so it's easy to click without thinking about it.

They are (to me) one of the most user-hostile features Chrome has added, because it's non-obvious what they are, and how to disable them. You can configure them somewhere in settings (I am on my phone right now).

I have the below address bookmarked - easier than digging through menus!


I had a related thing happen a couple of months ago: I started getting some lower back pain that I thought might be kidney stones based on a couple of Google searches. Went to my doctor, who prescribed a muscle relaxant, which I got at the pharmacy across the street. It went away.

Over the next few weeks I got several robocalls on my cell phone from a pain clinic offering me relief for my "chronic pain", so it was either triggered by my online searches or my doctor's office or pharmacy sold off my private information.

This is just correlation, not causation. The illegal "chronic pain" robo calls are being made to everyone. They have robo dialers enumerating every phone number. Everyone I know has gotten them.

Google is not the one selling your information, one of the websites you clicked probably is. They have pixels on their websites that will then match some fingerprint they generate on your browser with audiences (that contain info such as your email/phone number/etc) that already exist.

If you want to challenge my assertion that Google is not selling your information please point me to where I can buy lists of emails or phone numbers with metadata from google.

That's true, but Google is one of the companies that pushed very hard to make the current situation socially acceptable

and continues to promote and push technology that allows for it to continue as it's in their interest

Google is a bad actor, but yeah, they are not the worst offender yet, but I'm sure that will change in time. Right now they are just the enabler.

> That's true, but Google is one of the companies that pushed very hard to make the current situation socially acceptable

Do you think the current situation would not have happened if Google was not there?

Does anyone know how effective incognito mode is at preventing data and privacy abuses like this? I've been using it more and more, but I imagine there may be some clever ways of tracking even across incognito sessions (or between incognito and regular).

If Google is the issue maybe - but I seriously doubt they are the issue: they sell their ability to target you, and selling your data to third parties would essentially be against their interest. This kind of FUD has been repeated ad nauseam here and everywhere in tech sites (against Facebook too usually), but that's not the way their business model works.

If it's your doctor or your pharmacist, or the shop you bought online (or offline) something once, incognito will not help at all. They have your personal information already, the only thing that can stop them is law. The cause of the robocalls may also have been his medical insurance, if you want to go full paranoia. :)

Note those shops, the sites you created an account on, the companies those shops sold your personal data to, all of them can target you with ads on both Facebook and Google by using your PI (essentially donating your data to Facebook and Google in the process).

When I said triggered by my Google searches, I mean the sites I clicked on were able to correlate to my personal details that got collected somewhere else, not that Google sold my details. The thing that makes me suspect the doctor or pharmacy, though, is that I've done that sort of search in the past, but I didn't start getting the pill mill calls until I got that prescription.

Read the documents doctors have you sign very carefully.

They often include a waiver that allows them to share your PHI with whomever they want.

You're under no obligation to allow them to do so.

Sometimes it's mere proximity. If your family or friends find you have condition X or treatment Y then they may look it up to find more.

If you share the same public IP, as most homes do, then that adds to it.

I started getting invitations to add a Google review to a restaurant I've never been to. But some of my family had.

I can figure out other stuff too - music tastes, social media trends, etc. Just by seeing ads and stories I'm offered on Google News and other places.

There's that famous story about a guy who discovered his daughter pregnant (or feared she was pregnant) a few years back because he started getting ads for baby clothes.

The source of the information could also be a rogue employee at any of those places, especially for something shady, like robocalls.

In most places, it is not difficult for an employee, especially someone like a sysadmin or a DBA, to simply siphon the data into a CSV. Chances are that no one will ever figure it out.

I think that once law enforcement catches up, slow as they always are, they will start creating honeypot identities and then tracing the information leaks to their source. For now, there is little to be afraid of for the leakers.

The FANG company I work for has stringent controls in place as a check against employees attempting to do this. These controls are more comprehensive than those I've seen at other companies.

I'm assuming it's not the doctor or pharmacist, as that would be a severe breach of HIPAA, I believe. But maybe that is happening...

Incognito mode still exposes your IP. My approach is to use a VPN, NoScript to block tracking / ad domains, Disconnect.me to block social domains, uBlock Origin for ads, disable location services, and use incognito mode. Even that's not perfect given browser fingerprinting technology.

You still need self destructing cookies and randomized user agent to cover all bases.

Not effective. Use Tor Browser instead.


I always use Tor Browser + ddg for searching symptoms or embarrassing questions. But I am still worried someone can link those searches by deanonymizing Tor or some security flaw

Your IP makes incognito relatively pointless, and that's before you get into various clever forms of browser fingerprinting. If you want privacy you need to use Tor. Incognito should be treated as a convenient way to run without cookies / to log out of sites temporarily. It's also nice for sites such as YouTube as they'll pretend to not know who you are so you can get recommendations related to what you're currently watching instead of just constantly recommending everything you've recently (or not so recently...) watched instead.

> Does anyone know how effective incognito mode is at preventing data and privacy abuses like this?

Incognito mode really doesn't do much. It only prevents storing browsing data locally on your computer. Your ISP, your search engine and the websites you visit can store your info on their servers.

> but I imagine there may be some clever ways of tracking even across incognito sessions (or between incognito and regular).

Browser fingerprints, IP address, etc. are used to track you. Your ISP doesn't even need to be clever since you are dependent on them for your internet connection. There are ways to "hide" yourself from websites, search engines, etc. but it's nearly impossible to completely "hide" from your ISP.

If your ISP is using permacookies then that would explain it.

Do they often give up information on people like this? I always thought they made all their money by hoarding info then being the middleman. It just seems like a departure from their general business plan.

I’ve had similar recently. Only it’s been an extended period of time (months) since I last searched for what started coming up. Led me to believe something was sold to someone recently.

Can you check with your doctor and pharmacy as to the possible distribution of your data? If they both deny sharing your data and you fully believe them, the mystery is closer to being solved.

> Indeed, large sections of the site's privacy policy were updated overnight.

So basically you get caught, so you change the rules. Companies shouldn't be able to violate their own privacy policy, or say they can change it at any time without any warning, especially retroactively - which usually these things are covered in the privacy policy. What use is that?! Why bother having a policy at all?

> Why bother having a policy at all?

Because it's legally required.

One of my "wake up" moments was when I searched for the phone number of a local physical therapy office on Google. Within the day, I started getting Youtube video recommendations for massage techniques to relieve shoulder pain.

Google and all of its employees who make products like this are on the absolute wrong side of history. Society will only take so much before breaking; they need to figure out their business model, and fast.

This seems like a fairly easy thing to test rigorously (in a statistically significant way). Just create a fake account and do a search and see what the effect is on other places on the web. Are there services that do this automatically, so we don't have to rely on anecdotal "I searched for X here and now I see recommendations for that on Y, and I think it was because of X, but maybe it's just coincidence"? A site that rigorously confirms secret data links between e.g. Google search or Gmail plain text and other places (e.g. YouTube or even Amazon recommendations). If it doesn't exist, it seems like a cool thing to create, as a sort of service to the world.

It'd probably reveal a lot of hidden data links that aren't obvious (or which companies promise don't exist).

That could turn into an arms race of the target companies trying to detect when it's a fake account versus a real one, and the analysis service trying to make the accounts seem more real. Of course, if it became public that the target companies were trying to dodge the analysis, that could be damaging to them. Then again, automated accounts would likely be against the TOS.

The analysis service could work by watching the traffic of real people who download a browser extension, but then privacy from _them_ becomes an issue.

Perhaps some kind of distributed data-collection system could be created, where an extension will analyze your own traffic, strip out as much personally identifiable information (PII) as possible / as you'd like, and then submit that to a central repository for aggregation or further collective analysis.

An arms race like that would be a help for privacy, there is no way of filtering out enough bots without a relatively high false positive rate.

But "filtering out" would just need to be reducing ad targeting, not suspending the accounts, so some level of false positives might be fine if you can get a low enough false negative rate. The goal of the companies in this hypothetical is to limit systematic statistical detection of ad targeting, not to suspend automated accounts. If a small enough percentage of human users' ads are less/not targeted, no big deal.

> Google and all of its employees who make products like this are on the absolute wrong side of history.

A few things:

1. It takes a fairly high throne to look down on people for their employer's issues.

2. You assume a great deal about what people are willing to put up with for free services.

I think you're probably going to be wrong. Most people will whore themselves out for convenience because they don't care if they get targeted ads in order to get those free services.

WRT point 1 - Wait what? You can work for not-not-evil employers now and all the ethical blame is on the CEO?

> Corporation: an ingenious device for obtaining profit without individual responsibility - Bierce

Bad or good companies are subjective. My family > your ideals. Sorry man, I'm not going to take a pay cut because of your list of companies that are subjectively bad.

I’m struggling to read your comment as anything but a direct and unapologetic “Fuck you I got mine”.

Are my rights as beneath your family as my ideals? And how does the fact that you’re not self employed absolve you of this, exactly?

You don't have "the right" to no targeted advertising. You have every right to do whatever you legally can to prevent it from happening. Your rights aren't being violated. If I'm knowingly participating in a violation of your rights, I'm culpable. If I participate, knowingly or otherwise, in something that bothers you, you are exactly right: fuck you, I got mine. I'm not subject to other people's belief systems.

>I’m not subject to other people’s belief systems

You live in a society. Your actions have consequences, and if you can ignore that to get your fat paycheck then I can certainly judge the shit out of you, without a very high chair.

The fact that you claim rational discourse has ended when people invoke the lessons of Nuremberg - “because Godwin’s law” - is a stain on, and reflection of your own character.

Godwin compares people to Nazis sometimes himself you know, when there’s a call for it. When this many people are calling you on it, maybe you should be listening a little better..

> You live in a society. Your actions have consequences, and if you can ignore that to get your fat paycheck then I can certainly judge the shit out of you, without a very high chair.

My actions don't involve the harm of others, outside of their fragile egos and obsession with what they think should be their rights. I couldn't possibly care less about your judgement.

> The fact that you claim rational discourse has ended when people invoke the lessons of Nuremberg - “because Godwin’s law” - is a stain on, and reflection of your own character.

The fact that you think an argument about a subject with a variety of opinions deserves comparison to one of the most horrible events in human history is a reflection on your character.

> Godwin compares people to Nazis sometimes himself you know, when there’s a call for it. When this many people are calling you on it, maybe you should be listening a little better..

It's valid when their behavior is something akin to Nazism. Not very many people are calling me on it... on the contrary, my post is getting upvoted. Because the reality of the situation is, targeted advertising is a topic that needs discussion but it has no place in a comparison with the death of millions of people because of their heritage/religion.

It's pathetic hyperbole people use when they can't win an argument on its merits.

Unfortunately, you are very very wrong, and World War 2 is a great example why:

Some countries had census data containing the religion of every family. People proudly declared themselves Jewish. When the Nazis invaded the countries, they grabbed the available data and instantly knew who to send to the camps. One reason why so many Jews died was the speed with which the situation evolved. Sometimes there were 2 weeks between 'nothing to worry' and the deportation.

The same principle holds for every big list of intrusive data. Yes, you are grabbing all the data you can only to target ads. Today. But that same data in other hands can block people's access to loans, deny them healthcare or make them look like terrorists.

The US democracy is eroding, fast. It is not that far-fetched to see the data ending up with the government: 1) How much data has ended up in a FOIA request? You don't know, as you don't see them. 2) Snowden proved that Google already leaked data to the government without even realizing it. 3) An executive order from the US president will give him any access to the data.

And that's just the US government. Businesses sell data to each other whenever they want. Today Google seems not to do it, but one CxO change or bad financial quarter can change a lot here, fast.

Basically, Google is playing with fire, in a political situation equivalent to a big gas leak. Be very careful.

I hate to Godwin this thread, but wasn't half the issue people claimed to have with ex-Nazis that they never stood up and stopped following orders?

Obviously Googlers are not Nazis. I guess the subjective part ends up being where you draw the line.

You aren't the first to do so. That line is an easy one to draw, and the moment you have to bring up Nazis your argument doesn't hold water. There's a huge swath of subjectivity between targeted advertising and murdering hundreds of millions of people.

> and the moment you have to bring up Nazis your argument doesn't hold water

Not really.

You are thoroughly misusing Godwin's law, and Godwin himself stated that he never intended people like yourself to stifle conversation on a subject by chanting his name.

Godwin stated that references and comparisons to Hitler or the Nazis are perfectly reasonable in a conversation, as long as the person shows sufficient understanding of history, which the posters you are arguing with seem to have.

I view it as something governments will eventually step in to fix. It's very convenient to dump toxic waste into rivers. If it weren't for regulation companies would probably still do this. That doesn't make it ok, and it doesn't mean that behaviors like that will always be allowed.

You clearly didn’t read the article. It’s the government website that sent those searches to two advertising and data collecting systems.

Familiar with the “banality of evil”? Give it a good thought before you give employees a free pass for the behavior of their employers.


Yes, because targeted advertising is just like playing along with killing hundreds of millions of people. It's almost like a grey area exists here.

More like there is a wide spectrum of severity. There is no equivalence being inferred here.

The strongest lesson life has taught me:

Never underestimate the power of convenience.

I don't necessarily disagree with you.

However, you are stating that ads for massage techniques could "break society."

That just doesn't add up to me.

What is not being stated here? How does this connect? (These are not rhetorical questions!)

When I say "society could break" I mean that there is a general acceptance, or stability, in society whereby we accept that these practices are alright. And that stability will break.

Google, and companies like them, are built on practices which only exist because their users don't fully comprehend the depth of discovery, correlation, and export Google is making on their data. Maybe deeper, users don't fully realize the value of their data.

If you build a business on the ignorance of your customers, you will fail. Period. Society always gets smarter. Google has so much amazing technology and legitimate value (G-Suite, Cloud, etc) to fall back on that they'll be alright, but companies like Facebook don't have that same level of breadth.

I suppose one relatively easy scenario for me to imagine would be these massive databases of information on billions of individuals being either hacked, leaked, or taken by groups with ideologies which could use such data to discriminate or worse.

A slower moving but potentially more insidious effect on society might be the slow cracking down of any semblance of privacy and the use of all this data to discriminate whether intentional or not.

And indeed there have already been studies showing that a lot of these AI programs trained over large data sets are discriminating against minorities and the poor. I doubt it's intentionally built into the system but it appears to be a side effect of some systems.

I searched for a car model and my bank called me an hour later to talk about car loans!

That was my wake up moment.

Honestly, that just seems like a coincidence. Do you have thoughts on how that information got transferred?

I was logged into search under my gmail address. The bank has that same address on file. They’re probably buying a data feed from the search company.

If not, maybe one of the pages I landed on was able to see my info and has a marketing deal with the bank.

Further proof, as if any was needed, why other countries require something like the GDPR, backed up by significant penalties, and well-resourced enforcement.

It won't happen in Australia though, as we are governed by fools who barely understand technology, and if they need to, rely on the representations of business to make any decisions.

From the perspective of a casual, non-European observer, the only effect of the GDPR that I've witnessed is the explosion of websites being extremely aggressive about forcing me to consent to their tracking cookies.

Where is the real benefit to Europeans' privacy?

GDPR is just the newest privacy law, a lot of EU countries had privacy laws before GDPR. So it isn't that radical, but the fines are bigger.

We've already seen quicker reporting of breaches. Web trackers are down [0]. Telemetry without an off-switch has been ruled in violation (Microsoft Office [1]). In smaller cases, apps that don't secure passwords properly have been fined [4]. I'm sorry for linking to el Reg so much, but there just aren't that many English language news outlets covering these things.

As for "forcing me to consent", it violates the GDPR (e.g. [2], ICO "consent cannot be freely given and is invalid"). This is largely websites trying to see how far they can push it, because the data protection agencies aren't handing out fines straight away. This is actually very frustrating in obvious cases.

If you'd like to help getting rid of them, but aren't a European or can't be bothered reporting them to the relevant data protection agency, Max Schrems has founded https://noyb.eu/. Privacy International has also done some work in this area [3], but Schrems seems to be focussed on the "smaller" violations such as popups, and has a great track record.

[0] https://www.theregister.co.uk/2018/10/12/gdpr_helps_google/

[1] https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/

[2] https://www.theregister.co.uk/2018/11/19/ico_washington_post...

[3] https://privacyinternational.org/topics/general-data-protect...

[4] https://www.theregister.co.uk/2018/11/23/knuddels_fined_for_...

Do you think that at least being aware how your data is abused is not a good thing?

I'd bet if you surveyed Europeans they wouldn't be more aware of how data is being used pre vs. post GDPR.

When I watch my non-technical friends use websites, they dismiss the prompts without reading or understanding them.

> When I watch my non-technical friends use websites, they dismiss the prompts without reading or understanding them.

That's a problem in general in IT. The nice solution would be websites respecting DNT option in browsers and every browser asking if they want to be tracked on the web or not. Or well, we could just purge 3rd party cookies from existence for starters.

Unrealistic. Economics drive the internet and ignoring DNT / having 3rd party cookies is vital to monetization.

I disagree. Economics may drive everything, but there's more to life than money, and it shouldn't stop us from creating laws that protect citizens and increase public good.

Before we created the relevant laws, economics also drove companies to hire children, dump trash into rivers, ignore safety, etc. It wouldn't be too much of a stretch to say tracking cookies and advertising malware are the pollution of the internet.

Even as a tech person, I'm skeptical ad-based services are a net win for consumers. It wouldn't be the end of the world, IMO, if tracking cookies and shady marketing practices were illegal and companies had to use traditional sales tactics online.

I've used it tens of times to remove my contact info from various websites and now I get 0 unsolicited unwanted calls on my phone.

Which websites have you requested deletion from?

Various Czech websites that do name squatting. (They create a web page with your name so that people searching for you get to their website loaded with ads). Some Czech and EU-based websites collecting information on "entrepreneurs" like infobel.com.

Every single one responded positively, or at least semi-positively. It's good to remember that there's a requirement to accept GDPR requests delivered in any form. So for example infobel had a non-working contact form, and no e-mail contact on the website. So I just sent an e-mail to info@infobel.com and they had to respond, even if it looks like from their website you have to use the website contact/removal request form. The same goes for Facebook messages, or Twitter DMs if the company has these communication channels.

The real benefit is that we'll use the web less because it's such a pain in the ass now.

Are you potentially confusing GDPR with the EU cookie law?

No, GDPR created a new storm of more fine-grained requests for permissions to store information -- on top of the old cookie-law related cookie popups.

No, these notices explicitly mention the GDPR.

Websites were already extremely aggressive about forcing you to consent before GDPR (and they still are); the difference is that some of what they are doing is a little bit more visible now.

Benefit for me is: knowledge is power. When I know a website is intent on ravaging me, I can just keep moving.

Has GDPR meaningfully changed enforcement of rights? I’m familiar with the law itself and the details of it. (IAAL who practices in this area.) I’ve seen these regulatory pushes toward consumer-oriented privacy in the past, and they seem to serve the consulting industry above all. The consequences of breaking the rules are laughably impotent so far, despite more or less well-meaning words passed as binding legislation. Even the reputational damage of having your company featured in headlines about data leaks has fizzled. People don’t even seem to punish the offenders by shifting their spending habits. Am I wrong?

> People don’t even seem to punish the offenders by shifting their spending habits

Well, if that was viable, we probably wouldn't have needed such high fines in the GDPR. Two scenarios:

A) It's hard to move away because of dominance, e.g. Google. You either have to buy an offensively expensive iPhone, or root an Android phone. Even then living without the Play store is hard. Moving e.g. email providers takes years nowadays regardless of the provider. Google Search and Maps can be replaced in theory, but it's quite a chore - Google didn't get big on bad products.

B) What spending? How do you stop spending on something you aren't paying for with money? Yes, ad and tracking blockers, but for Joe Bloggs that isn't obvious. And consumers weren't paying Equifax directly, otherwise they probably would have been bankrupted.

> Has GDPR meaningfully changed enforcement of rights?

We don't know yet. (I'm assuming this isn't a rhetorical question.)

On the one hand, the fines now have business impact. For example, before the GDPR, the UK's ICO could only hand out a laughable max fine of £500,000. On the other hand, ICO has been toothless, only handing out the max fine once. ICO was severely underfunded, so this is almost by design.

Germany is pretty privacy conscious, but unfortunately data protection is also handled on a state level. So there are 16 data protection agencies and one federal one (Datenschutzaufsichtsbehörden, the federal one being the BfDI). From experience, that kind of bureaucracy doesn't help with speed.

While this isn't enforcement, it has had some meaningful effect. Having worked for a big multinational, there was a lot of money and hours spent on GDPR compliance. This reduces e.g. data retention, which could help limit damage in future. Before that, data retention was basically endless.

We've seen some minor cases, but being a lawyer, I'm sure you know we're at least a few years off the really big cases, especially if the European data protection authorities need to work together.

I appreciate the points you raise, and basically agree that the jury is still out on my question. I honestly don’t understand why there wouldn’t be enforcement actions on day one this past spring. We all had plenty of time to prepare.

As for the compliance effort: it’s mostly security theater in the enterprise, and benefits consultants and lawyers mainly. I take your point about retention, though.

We’ll see if any of it really makes any difference. I’m pretty jaded after doing this since the late 90’s.

It’s almost like the reason iPhones are so expensive is that Apple makes money from selling hardware rather than ads...

> we are governed by fools who barely understand technology

This is an argument heard all around the world with regards to similar issues. I wonder to what extent it actually applies, and it is not your latter statement - that lobbying and commercial interests are at play - that is prevailing (so they are 'willing fools').

Hard to know, of course, but I'd say these lawmakers need not have to know the intricacies of the technology themselves, but can rely on accurate reports detailing their implications in layman's terms. They can have expert advisory groups do the hard work for them.

Providing knowledgeable, disinterested advice to politicians is what the civil service is supposed to do. In Westminster style democracies, anyway.

"Any sufficiently advanced incompetence is indistinguishable from malice".

I caught some brief clip on the news last night about Canada looking at introducing something similar to the GDPR. Can’t find any details in a quick search though.

I use DuckDuckGo, XMPP, ownCloud, Firefox with a bunch of privacy enhancing extensions... My main phone is Maemo based, and I keep one with LineageOS and microG (so no Google Play Services) around as well. I access Facebook and Twitter only via webapps, with isolated wrappers like FaceSlim on mobile. Not only do I feel somewhat safer about my data - battery usage, speed and user experience are so much better! Win-win :D

Did you read the article? Author says he searched using DuckDuckGo.

What this article tries to tell is that using DuckDuckGo is just one small piece of a bigger puzzle, not that DuckDuckGo tracks you.

If you block 3rd party cookies, can the (exact) scenario described in the article still happen?

Pretty sure yes; after Safari started blocking third party cookies by default a few years ago, Google, Facebook, and Microsoft have all started supporting the option to use first party cookies to get around this. As I understand it, they deploy code that stores tracking information on-site using first party cookies, then access that data directly.




Someone please correct me if my understanding of this is incorrect, I've been out of the ad world for a while (thankfully!)
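
An added illustration, not part of the thread and not any vendor's code: a small audit that takes a page's first-party cookies plus a captured list of outbound request URLs and flags third-party requests that carry a first-party identifier or the search term, which is the pattern the comment above describes. All hostnames, cookie names and values are constructed, and `siteOf` is a simplification that assumes two-label sites.

```javascript
// Audit outbound requests for first-party data leaving the site in URLs.
// Everything below (hosts, cookie names, values) is constructed sample data.

// Simplified "site" key: last two hostname labels. Assumption: adequate for the
// sample hosts; production code should consult the Public Suffix List.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Parse a Cookie request header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Page URLs are often nested inside a parameter and encoded more than once,
// so decode until the value stops changing (bounded, and tolerant of bad input).
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Returns one finding per (request parameter, matched secret).
function findLeaks(pageUrl, cookieHeader, requestUrls, sensitiveTerms = []) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const cookies = parseCookieHeader(cookieHeader);
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; }   // skip unparsable entries
    if (siteOf(url.hostname) === pageSite) continue;   // first-party request
    for (const [param, rawValue] of url.searchParams) {
      const value = fullyDecode(rawValue);
      for (const [name, cookieValue] of cookies) {
        // Short values ("dark", "1") match by accident; only long ones identify.
        if (cookieValue.length >= 8 && value.includes(cookieValue)) {
          findings.push({ host: url.hostname, param, kind: 'cookie', match: name });
        }
      }
      for (const term of sensitiveTerms) {
        if (value.toLowerCase().includes(term.toLowerCase())) {
          findings.push({ host: url.hostname, param, kind: 'term', match: term });
        }
      }
    }
  }
  return findings;
}

// Constructed capture: a search page, its cookies, and four outbound requests.
const SAMPLE_PAGE = 'https://health.example/search?q=back%20pain';
const SAMPLE_COOKIES = '_fpid=a1b2c3d4e5f6a7b8; theme=dark';
const SAMPLE_REQUESTS = [
  'https://cdn.health.example/app.js?v=3',
  'https://pixel.adnetwork.example/collect?uid=a1b2c3d4e5f6a7b8&ev=pageview',
  'https://stats.analytics.example/r?dl=https%3A%2F%2Fhealth.example%2Fsearch%3Fq%3Dback%2520pain',
  'https://fonts.static.example/css?family=Inter',
];

const SAMPLE_FINDINGS = findLeaks(SAMPLE_PAGE, SAMPLE_COOKIES, SAMPLE_REQUESTS, ['back pain']);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.host}: parameter "${f.param}" carries ${f.kind} "${f.match}"`);
}
```

Blocking third-party cookies changes nothing in this capture, because the identifier and the search term travel in the request URL rather than in a cookie sent to the third party.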

This is terrifying, thx for the answer

Yes. There are many ways to identify a person beyond cookies.

Also, 90% of sites these days try to access canvas, and don't break if disallowed - which probably means they try to fingerprint; this fingerprint is a '0-party' cookie, in that it correlates but isn't even stored on your machine.

Firefox has a setting to stop that in about:config, if you are interested.
