MONEY privacy

Your Embarrassing Online Searches About Health Problems Aren’t Private

A new study found that 91% of health-related web pages reveal potentially sensitive information to third parties like data brokers and online advertisers.

Hypochondriacs beware: That Google search for “STD symptoms” could go into your digital dossier.

A new study has found that health-related web pages often leak information about you and the information you access to third parties, raising concerns about online privacy.

To conduct the study, University of Pennsylvania PhD student Timothy Libert analyzed the top 50 search results for 1,986 common diseases, some 80,000 web pages. He found that on 91% of the pages, third parties like social networks, advertisers, and data brokers could access information about who was viewing the page, like the user’s IP address. On 70% of the pages, those third parties could see information about specific “conditions, treatments and diseases” viewed.

Altogether, 78% of the health-related web pages sent information about you to Google, 31% sent information to Facebook, and 5% sent information to Experian, a credit bureau and data broker.

What’s the big deal? Libert has two major concerns about these practices. The first is that the third parties could match you with your medical search results, a problem he calls “personal identification.” This isn’t a totally imaginary scenario—data brokers routinely collect information about you from your online activity, shopping habits, and public records, then turn around and sell that information to advertisers. That already includes sensitive medical information: One data broker was caught hawking lists of “rape sufferers,” “domestic abuse victims” and “HIV/AIDS patients.”

Second, advertisers could discriminate against you based on your medical searches, regardless of whether your search results are ever connected to you personally. That’s called “blind discrimination.” In other words, advertisers could serve you certain ads and offer you certain promotions based on the websites you read. Again, this practice can be innocuous, but it can also have a dark side. “It’s like any other form of discrimination,” Libert says. “If you’re going to extend a favorable offer to somebody, your best client probably isn’t somebody with terminal cancer.”

The tech-savvy might think their searches are private because they delete cookies or use a private browser, like Google Chrome’s “incognito mode.” Sorry, but no.

That’s because of the way websites work. Libert explains that a web page is like a recipe. The code says, “display an image from this file” or “play this video from YouTube.” To pull in content from another website’s server—like a video from YouTube—your browser makes a “request” to that third-party server, and reveals information about you in the process. For example, the third party can see the name of the webpage you’re visiting, which may sound harmless, but can reveal a lot. You might not, for example, want advertisers and data brokers to know that you recently read “www.cdc.gov/hiv”.

“Even if you’re using incognito mode or something, the HTTP requests, at the very basic level, are still being made,” Libert says.

And you usually don’t even know it’s happening. While you can see evidence of some third-party requests, like YouTube videos and Facebook “like” buttons, Libert says most requests are bits of code invisible to the non-programmer’s eye.
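To make the mechanism concrete, here is an added example (not part of the article or of Libert's study) that lists the third-party hosts a page contacts and the `Referer` value each one receives under two browser referrer policies. The page URL, markup and host names are constructed, and the first-party check is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a health page that embeds first- and third-party resources.
PAGE_URL = "https://www.health-site.example/conditions/hiv-testing"
PAGE_HTML = """
<html><head>
  <link rel="canonical" href="https://www.health-site.example/conditions/hiv-testing">
  <script src="https://cdn.health-site.example/app.js"></script>
  <script src="https://analytics.example.net/t.js"></script>
</head><body>
  <img src="//pixel.adbroker.example.org/1x1.gif" width="1" height="1">
  <img src="http://ads.example.org/banner.png">
  <iframe src="https://video.example.com/embed/abc"></iframe>
</body></html>
"""
POLICIES = ("no-referrer", "no-referrer-when-downgrade",
            "strict-origin-when-cross-origin")

class ResourceCollector(HTMLParser):
    """Collects URLs the browser fetches automatically while rendering."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe"):
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")  # rel=canonical and similar are not fetched
        else:
            url = None
        if url:
            self.urls.append(urljoin(self.page_url, url))

def site_of(host):
    # Simplification: last two labels. Real tools use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def referer_sent(page_url, target_url, policy):
    """Referer header value the browser attaches under a referrer policy."""
    if policy not in POLICIES:
        raise ValueError(f"unsupported policy: {policy}")
    page, target = urlsplit(page_url), urlsplit(target_url)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer" or downgrade:
        return None
    full_url = page_url.split("#")[0]  # fragments are never sent
    if policy == "no-referrer-when-downgrade":  # long-time browser default
        return full_url
    # strict-origin-when-cross-origin, the current browser default
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    return full_url if same_origin else f"{page.scheme}://{page.netloc}/"

def third_party_leaks(page_url, html, policy):
    """Map each third-party host to the Referer it receives (None = no header).

    Even with no Referer, the host still sees the visitor's IP address.
    """
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = site_of(urlsplit(page_url).hostname)
    leaks = {}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and site_of(host) != first_party:
            leaks[host] = referer_sent(page_url, url, policy)
    return leaks

if __name__ == "__main__":
    for policy in POLICIES[1:]:
        print(policy)
        for host, referer in third_party_leaks(PAGE_URL, PAGE_HTML, policy).items():
            print(f"  {host:30} Referer: {referer}")
```

Under the older default policy the full page address, condition name included, goes to every third party reached over HTTPS; under the newer default only the site's origin does.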

Legally, this is all aboveboard. The HIPAA law protecting medical privacy only applies to medical services like insurance claims, not other businesses.

So while Libert wants lawmakers to beef up online privacy protections, he says in the meantime, your best bet is to install a browser extension like Ghostery or Adblock Plus.

“They don’t catch everything, but they catch a lot,” Libert says.

TIME privacy

Revenge Porn Mastermind Pleads Guilty to Hacking and ID Theft

The "Most Hated Man on the Internet" ran a huge website featuring nude photos of ex-lovers

The founder and operator of a notorious revenge porn site has pleaded guilty to charges including unauthorized access to a computer and identity theft.

Hunter Moore, 28, has been called “the most hated man on the Internet” for his role in the website IsAnybodyUp.com, which posted nude and sexually explicit photos of people without their permission. The site brought in a purported $10,000 in ad revenue per month, Ars Technica reports.

Many of the photos came from spurned ex-lovers who submitted nude images of their former partners. An ex’s full name, profession, social media profile and city of residence were posted, ensuring the pictures would appear on Google and allowing family members and co-workers to access lewd pictures. Moore also pleaded guilty to paying for stolen nude photos from victims.

Each of the three charges against Moore carries a maximum penalty of two to five years in jail. Moore will likely be sentenced within the next several months.

TIME privacy

Lenovo Under Fire for Potentially Exposing Users to Hackers

The computer manufacturer's laptops were being sold with invasive adware

Computer manufacturer Lenovo is getting flak for selling laptops with marketing software that experts say opens up a door for hackers.

The software, called Superfish, analyzes users’ Internet habits and displays third-party ads based on that activity, The Next Web reports.

Troublingly, Superfish also impersonates certificates for encrypted websites in order to monitor users’ behavior even on protected sites. That can open a door for hackers targeting sensitive information like passwords or banking details, because users’ data isn’t being protected as well as it ought to be.

In a statement Thursday, Lenovo said it stopped preloading the software in January, and won’t preload it in the future. Lenovo also defended itself from criticism over installing Superfish in the first place, arguing the software doesn’t pose a security risk despite what several experts have said.

“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Lenovo said. “But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software.”

TIME privacy

How AT&T Wants You to Pay For Your Privacy

ISP can track your web history and searches

The privilege of not having your every click tracked, saved and regurgitated in the form of targeted ads will only cost you $29 per month on AT&T’s super-fast Internet service.

The company, which just announced it’s bringing its 1-gigabit-per-second service to Kansas City, touts a price tag of $70 per month for the high-speed connection meant to compete with services like Google Fiber. But that’s actually a “premier” offering that allows AT&T to track a user’s search terms and browsing history to serve targeted ads. The standard high-speed service without the tracking costs $99.

AT&T defended the pricing model to The Wall Street Journal by arguing that the ad targeting helps AT&T make more money, which in turn lets customers who participate earn a discount. The model is somewhat similar to the discounted Kindles Amazon sells that show advertising. Companies with free, ad-based services, like Facebook, don’t allow users to fully opt out of being tracked while on their sites.

However, the fact that AT&T is an Internet provider means it could gather a more comprehensive picture of your Web browsing activities than companies with a less intrusive presence. That’s lucrative for advertisers and for ISPs, but not so great for privacy-minded end users.

TIME privacy

The 7 Weirdest Things People Left in Uber Cars

A "lost and found" list was found on a public site

Uber mistakenly posted an internal “lost and found” list to a public website, Motherboard discovered, offering a glimpse at more than 150 items Los Angeles-area riders have left behind.

According to screenshots posted by Motherboard, the list groups items under common categories such as wallets, suitcases, keys and phones. Then there are the “others,” ranked here in ascending order of weirdness:

1. A Patti Smith record

2. Selfie Stick

3. Medical marijuana ID

4. Knife

5. Santa hat

6. $500 cash

7. Crisco oil and ice breakers mint

The lost and found list also included some riders’ contact details. An Uber spokesperson has since apologized for the privacy lapse and vowed to investigate the leak so that it doesn’t happen again. People carrying oddball items into Uber cars, take note.

Read more at Motherboard.

MONEY identity theft

Millions of People’s Data Stolen in Health Insurance Hack

Anthem, the second-largest health insurer in the U.S., says hackers obtained names, Social Security numbers, dates of birth, and more.

TIME privacy

You Asked: What Are Verizon and AT&T’s ‘Supercookies?’

Some cellphone owners are discovering this tracking technology is no treat

Food doesn’t have laws — like physics or math — but if it did, “everyone loves cookies” would surely be an indisputable truth. In fact, it’s along that line of thought that “Internet cookies” got their name, because they are all about sharing information — and cookies were made for sharing.

For example, imagine that a website asked your web browser if it would like a cookie. “I would love a cookie!” it would likely respond, because that’s pretty much what you say whenever someone offers you a tasty treat. On a diet? Just hit the gym — it’s only a cookie, and you can burn it off whenever you want.

But now imagine another website saying, “Have a cookie.” These cookies are not optional, and even worse, you’re not able to throw them out, ever. That, essentially, is a “supercookie,” a web-tracking technology that privacy advocates want eliminated from the Internet.

Overall, cookies are intended to enhance and personalize your Internet experience, and sites from Amazon to Yahoo use them to tailor the web to your liking. “Traditionally when you’re using cookies on the web, it’s primarily for maintaining some site information,” says Satnam Narang, senior security response manager at Symantec. For instance, cookies can save your username on a website so you don’t have to type it in every time you go to log in. Advertisers also use cookies to take note of what products you search for, so they can serve relevant ads to you as you traverse the web. But you can also erase cookies through your browser settings, or turn them off so that they don’t get saved to begin with. Your web browser’s “private mode” is another great way to get around them, because cookies are not saved when this feature is enabled.

Supercookies, however, operate in a completely different way than standard web cookies. Instead of being a small file that gets saved by the web browser, a supercookie is a string of code injected into the data you’re downloading. Called a “unique identifier header,” this code cannot be deleted or wiped clean, because it is not a file.

“There’s no way for you to wipe that cookie away,” says Narang, “because it’s injected into your network traffic.”

Everyday web users wouldn’t know the difference between a cookie and a supercookie until they tried (and failed) to delete their browser-based cookies — and that is what has privacy advocates so alarmed. “Even if you wipe a cookie away, the fact that your ID header (or supercookie) still exists, they’re able to correlate those two separate instances of traffic,” says Narang. “They’ve already profiled not only the cookie, but that unique identifier header.”

Even if you’re browsing in private mode, websites can still monitor the websites you visited using supercookies. “The whole purpose of using private mode is because you want to just browse the website and not have anything saved,” says Narang. “You’re saying, ‘I don’t want you to save any information about me,’ and (with supercookies) that is not being respected.”
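The behaviour described above, as an added example that is not part of the article: a carrier adds an identifier header to requests in transit, and a site that keys visitors on that header still links visits made after cookies are cleared or in private mode. The header name `X-UIDH` is not given in the article and is assumed here, the requests and token are constructed, and the pass-through of encrypted requests is an assumption of the example.

```python
# Constructed values; the header name is an assumption (the article does not name it).
HEADER = "X-UIDH"
SUBSCRIBER_TOKEN = "constructed-token-7f3a"

def carrier_inject(request, token=SUBSCRIBER_TOKEN):
    """On-path carrier: adds the identifier header to plaintext HTTP requests."""
    if request["scheme"] != "http":
        return request  # assumption: encrypted traffic passes through unmodified
    return {**request, "headers": {**request["headers"], HEADER: token}}

def injected_headers(sent, received):
    """Header names the server saw that the client never sent (case-insensitive)."""
    sent_names = {name.lower() for name in sent["headers"]}
    return {name.lower() for name in received["headers"]} - sent_names

def visitor_key(index, request, use_header):
    """Identity a tracking site assigns to one request."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if use_header and HEADER.lower() in headers:
        return ("header", headers[HEADER.lower()])
    cookie = headers.get("cookie")
    # With no cookie and no header, each request looks like a new visitor.
    return ("cookie", cookie) if cookie else ("anonymous", index)

def distinct_visitors(received, use_header):
    """How many separate people the site believes it has seen."""
    return len({visitor_key(i, r, use_header) for i, r in enumerate(received)})

# What one subscriber's browser sends across four visits (constructed).
SENT = [
    {"scheme": "http", "headers": {"Cookie": "id=A1"}},   # normal visit
    {"scheme": "http", "headers": {"Cookie": "id=B2"}},   # after clearing cookies
    {"scheme": "http", "headers": {}},                    # private mode, no cookie
    {"scheme": "https", "headers": {"Cookie": "id=C3"}},  # encrypted connection
]
# What the website receives after the carrier has handled each request.
RECEIVED = [carrier_inject(request) for request in SENT]

if __name__ == "__main__":
    print("visitors by cookie only:", distinct_visitors(RECEIVED, use_header=False))
    print("visitors by header:     ", distinct_visitors(RECEIVED, use_header=True))
    for sent, received in zip(SENT, RECEIVED):
        print(sent["scheme"], "injected:", sorted(injected_headers(sent, received)))
```

Comparing what the client sent with what an echo endpoint received, as `injected_headers` does, is also how a subscriber can check whether a header is being added on their connection.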

Supercookies were first revealed in 2011, when researchers at Stanford University and the University of California at Berkeley noted that sites like MSN and Hulu were using them. At the time, Congress began looking into the technology. In November 2014, The Washington Post revealed that Verizon and AT&T had been injecting supercookie code into their network traffic. AT&T stopped using the technology shortly thereafter, providing its subscribers with this opt-out link (click on the link with your AT&T smartphone, not your computer’s web browser). But it wasn’t until Monday — and more pressure from lawmakers — that Verizon agreed to let its subscribers opt out of the online tracking. Its opt-out solution should be made available soon.

But keep in mind, however you have used these two mobile networks to access the web, whether it has been on a smartphone, through a tablet, or with a laptop connected to a hotspot, your online activities have been tracked, and will continue to be followed with supercookies until you opt out on each device. Talk about leaving a bad taste in your mouth.

TIME Innovation

Five Best Ideas of the Day: February 4

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

1. ISIS is bringing recruits onto the battlefield faster than we can kill them.

By Tim Mack and Nancy A. Youssef in the Daily Beast

2. If body cameras become standard issue for police officers, how will we protect the privacy of people being recorded?

By Paul Rosenzweig in The Christian Science Monitor

3. A university recognizes a third gender: Neutral.

By Julie Scelfo in the New York Times

4. Can the rest of the nation — and the world — learn from one Indian state’s incredible success reducing poverty and improving quality of life?

By the World Bank

5. Want better schools? Leadership matters. Invest in high-quality professional development for school principals.

By Arianna Prothero in Education Week

TIME privacy

What Uber Still Won’t Say About Your Data

A privacy audit left some questions unanswered

Uber, the massively popular car-hailing company, has acquired a reputation for being overly cavalier about data privacy. Last November, Uber vice president Emil Michael suggested investigating journalists critical of Uber to find dirt in their “personal lives.” A venture capitalist said his private location data was broadcast to a large audience at a Chicago Uber launch party. And a Buzzfeed reporter in November was tracked on her way to an interview with New York’s top Uber executive.

Uber has since refocused its attention on riders’ privacy, rewording its data policy and hiring an outside attorney to conduct an investigation.

“At Uber, protecting the personal information of riders is a core responsibility and company value,” said Uber CEO Travis Kalanick in a Friday statement. “Delivering on that value means that privacy is woven into every facet of our business, from the design of new products to how we interact with riders, drivers and the public at large.”

The results of that audit were released Friday. The investigation, led by Harriet Pearson, a Washington, D.C. attorney at Hogan Lovells with an impressive history of arbitrating privacy and security issues, agreed with Kalanick’s own assessment: Uber has a strong privacy policy. Her six-week investigation at Uber involved reviewing hundreds of documents and interviewing Uber’s leadership. It ultimately resulted in an exculpatory report that Pearson called “comprehensive.”

“In our view, Uber has dedicated significantly more resources to privacy at this point in its age as a company given its sector and size than other companies that we’ve observed,” said Pearson in an interview with TIME. Uber is about six years old and is valued at more than $41 billion.

The saga has raised important questions about how private companies access our personal information, from our credit card data to our precise location. A lot of Uber’s data can be really useful: The company uses it to settle internal disputes, fix bugs or help cities plan traffic patterns, as it has done in Boston, for example.

But in the age of the Snowden National Security Agency revelations, consumers are particularly sensitive about how their personal information is used. Uber has promised to follow the report’s recommendations, such as expanding employee training and making its policies more transparent. But the audit still left some questions unanswered, according to Bruce Schneier, a fellow at Harvard University’s Berkman Center for Internet & Society.

“I saw nothing in their statements” to alleviate privacy concerns, says Schneier of Uber’s report. “Anytime you put this kind of surveillance power in people’s hands, they look up their enemies and friends… If the culture is not, ‘we don’t do this,’ then you do it.”

Here’s what we still want to know more about.

How many employees at Uber can see my personal data?

Uber says access is limited to employees who have a reason to need it, like those investigating fraud, answering user-driver inquiries or conducting trip analyses, said Katherine Tassi, Uber’s managing counsel for privacy, in an interview. But Tassi doesn’t have an exact figure.

“There’s no one particular number of employees that have access to user data,” she said.

How does Uber prevent its employees from looking at my data?

Uber gives employees access to customer data based on their responsibilities, while others are locked out through technical controls. “We noticed those kinds of controls at various levels” at Uber, said Pearson.

The report indicates Uber uses a combination of passwords, informal rules and employee monitoring to restrict access. In any case, according to Pearson, the company has a well-developed system for monitoring who is accessing your data and when.

So has Uber explained its recent privacy missteps?

Not fully. “We’re not going to comment on those specific instances that were in the press, but in general, we’re an organization of human beings and human beings make mistakes,” says Tassi. Pearson says her investigation only examined Uber’s privacy program and its structure, not particular incidents. So we don’t actually know how common it is for Uber employees to tap into your data, despite the company’s policy.

Do Uber employees ever get in trouble for doing fishy things with users’ data?

Uber won’t say. We know that Uber “disciplined” New York executive Josh Mohrer in November for tracking that Buzzfeed reporter’s ride, but we’re not sure how. Other than that, we don’t have any evidence Uber employees committed any other privacy violations.

Are Uber employees taught not to spy on me?

Uber talks informally with its employees about protecting customer data. Employees get “communications” from the senior team on handling riders’ data, Tassi said, and new Uber hires have to accept the company’s data access policy.

But when pressed, Uber didn’t say whether there’s a formal training program for employees, merely saying it was “in early stages of development.” That training “needs further formalization,” said Tassi.

TIME How-To

How to Hide Anything on Your iPhone

You have a right to privacy. Here’s how to protect it.

The eyes may be the window to your soul, but your iPhone is the peephole into your daily life. Who you contact, which apps you use, which selfies you snap — it’s all right there. So if you care about your privacy, it’s worth taking some simple steps to protect it. Here are seven ways to keep digital snoops at bay.

Pair Touch ID With a Complex Password

If you’re already using your fingerprint to unlock your iPhone, you’re on the right track. (If not, tap Settings > Touch ID & Passcode and add it now.) Here’s another trick: add a complex password to enter each time you power up your phone. (Tap Settings > Touch ID & Passcode, disable Simple Passcode and follow prompts.) For a stronger passcode that’s quick to enter, stick to all numbers and aim for up to 12 digits. That won’t stop a dedicated hacker, but it’s tougher for an unwanted onlooker to figure out than a standard 4-digit password.

Nix the Notifications on Your Lock Screen

Hide your notifications by going to Settings > Notifications and toggling off the Show on Lock Screen slider. Alternately, you can also fine tune this setting so that only certain apps can place notifications on your lock screen using the options right below this setting. You can even block notifications from individual message threads: go into the message, tap the word Details on the upper right hand corner of your screen and slide the Do Not Disturb Button to the left. Voila.

Hide Clandestine Contacts

There’s no built-in setting for hiding individual contacts, but there are some smart workarounds. The simplest way is never to save the person’s name so only their number appears in your recent calls list. To hide all your recent and favorite contacts in the App Switcher – which appears atop your screen when you press the home button twice – tap Settings > Mail, Contacts, Calendars > Contacts > Show in App Switcher and toggle off Phone Favorites and Recents.

Deep-Six Secret Texts

This one’s easy – just delete them. Swipe left on the Messages screen to delete entire exchanges at once. If you only want to nix certain parts of a thread, hold your finger on the offending text bubble, tap More when it pops up, select each bubble you want to delete using the check marks at left, then tap the trash icon at the bottom left of your screen.

Zap Photos and Videos

Here’s one case when you’re better off using a third-party app instead of the iPhone’s built-in option. While you can hide any photo from your camera roll by holding your finger on it, then selecting Hide, the Hidden Album is not password-protected. Instead, try a free app like KYMS or Private Photo Vault, which require a password to access. Just remember to permanently delete the originals from the default iPhone photo app afterwards.

Make Apps Disappear

Don’t want anyone who borrows your phone to know you’re on Tinder or have a Private Photo Vault? There are two ways around this. First, you can hide apps inside another folder like your “Extras” by holding down the app icon until it starts shaking, then dragging it into the desired folder. Second, you can hide app icons altogether by dragging them into the dock, then using Spotlight to access it. Get a detailed explanation for how to do both tricks here.

Hide Your Search History in Safari

If you just want to browse privately for a while, open Safari, tap the page icon in the lower right corner, then tap Private. To clear your entire browser history, go back to your phone’s home screen, tap Settings > Safari > Clear History and Website Data. Pro tip: download the DuckDuckGo search engine and use it instead. Unlike Safari, it never stores your search history.
