In response to a toot from Privacy International on Mastodon I thought it would be a good idea to review the sites I looked at in “Who Tracks Me part 1” and see if any improvement had been made.
In 2018, I wrote the original Who Tracks Me piece as part of The Privacy Shop (a failed attempt to create a more space that was more understandable to the every day person where they could source privacy enhancing software and services). The results of my research were astounding and shocking….if only to me.
|Mental Health Foundation of New Zealand||19|
|Inland Revenue Department||14|
|Work and Income New Zealand||2|
|Womans Refuge New Zealand||23|
|New Zealand Labour Party||14|
In my opinion none of these organisations should have had any trackers attached to them. Some of them serve the most vulnerable people in New Zealand and yet they were allowing this information to be gathered about the people using their services. This could have had serious repercussions for some people.
Thankfully, over the past two years there appears to have been some improvement (It is possible that this may also be partially due to the first measurements being taken with Lightbeam, a Firefox extension that is now unavailable). Now, using the EFF’s Privacy Badger extension the results are,
|Mental Health Foundation of New Zealand||7|
|Inland Revenue Department||1|
|Work and Income New Zealand||1|
|Woman’s Refuge New Zealand||1|
|New Zealand Labour Party (For a look at political party tracking in 2020, go here.)||4|
Is that really good enough? Those attached links are,
So, in the case of the Mental Health Foundation what exactly does that turn into?
Example: You are interested in mental health advice offered by the Mental Health Foundation of New Zealand and have clicked on their website. You are logged into several devices (your desktop, smartphone, and tablet) using the same login. Oracle partners have indicated that you are likely the same user across those same devices. Oracles partners are able to send metal health advertising offers to you (via de-identified cookie ID) to these different devices.Example example
Well, that is going to be great. I might now have mental health advertising being sent to me across all my devices. There is even a list of conditions on the site that I might be associated with and then targeted for.
- ADHD in adults
- ADHD in children
- Alzheimer’s disease
- Anorexia nervosa
- Asperger syndrome
- Attention deficit hyperactivity disorder
- Autism spectrum disorders
- Autistic disorder
- Bipolar affective disorder
- Body dysmorphia
- Body dysmorphic disorder
- Borderline personality disorder
- Bulimia nervosa
- Deliberate self-injury
- Depression – Youth
- Depressive disorder with seasonal pattern
- Dissociative identity disorder (DID)
- Eating disorders
- Gender dysphoria
- Gender identity disorder
- Generalised anxiety disorder
- Grief and loss
- Manic depression
- Multiple personality disorder (MPD)
- Narcissistic personality disorder
- Non-suicidal self injury (NSSI)
- Obsessive compulsive disorder
- Panic disorder
- Personality disorders – general
- Post-traumatic stress disorder
- Postnatal depression
- Postnatal psychosis
- Postpartum psychosis
- Schizoaffective disorder
- Seasonal affective disorder
- Suicidal ideation
- Suicide prevention resources
- Suicide: after a suicide attempt
- Suicide: coping with suicidal thoughts
- Suicide: supporting someone online
- Suicide: worried about someone?
- Tourette syndrome
I am sure most people can see why a they would not want to be associated with these conditions whether or not they have them and why they would not want to be advertised to across their devices on the basis that Oracle thinks they might have one.This is not only because of the stigma around mental health, but also because of the business decisions that can be made on the basis of the information. Could an insurance company buy this information in a claim in order to make the case that there was a breach of contract? Could Linkedin buy it to better match people with jobs? We just don’t know and once this information, that we didn’t know we were providing nor consented to provide, is in the wild it may affect our life or the lives of those around us in a myriad of unseen ways that can none the less have concrete outcomes. Additionally, the provision of that information appears to have been in breach of the Mental Health Foundations contract with Oracle which doesn’t give me a huge amount of faith that they are truly invested in privacy.
While it’s clear that there has been some improvement in the data collection activities of all of the websites I looked at in 2018, even having one company that then sells or data-shares onto other parties isn’t good enough. In the case of visiting the Mental Health Foundation of New Zealand, they have apparently just shared my information and given permission for me to be tracked across multiple devices without asking for my permission or seeking my consent at any time. Apparently they are doing this to hundreds of caregivers, family, friends and to the vulnerable people themselves.
Is that really what they mean by their motto, “Getting through together”?