Facebook’s Preventative Health Tool and your privacy: hopefully a layman’s guide

It’s 2020. Technology is still growing in leaps and bounds. People can’t keep up, including me. Facebook is introducing a preventative health tool. That seems like a useful thing, except:

DO NOT GIVE AWAY YOUR PRIVATE INFORMATION.

You need to know what your private information is. We get training on this in corporate America because losing your customers’ private information also means losing your customers, facing lawsuits, getting fined, possibly losing your job and/or going to prison.

But it’s harder to get the word out to people not in tech. So here goes: the layman’s guide to why you’re not going to tell Facebook whether you got a flu shot this year.

What’s private information?

The tech industry and many of the recent laws passed include any of the following personal data as “personally identifying information”. Some of these are going to be “no shit” but some might surprise you [1]:

Your name

  • Your current full name
  • Your maiden name
  • Your mother’s maiden name, father’s middle name, etc. etc. that two-factor authentication loves to use in security questions
  • Any previous name, deadname, or alias you use

Your personal identification numbers

  • Social Security Number (or identifying number in your country)
  • Passport number
  • Driver’s license number or state-issued ID card (or equivalent in your country)
  • Taxpayer ID (if different from SSN)
  • Patient identification number (on insurance cards, at hospitals, etc.)
  • Bank account numbers or other financial account numbers
  • Credit card numbers

Where you live / How to reach you

  • Personal (home) address
  • Email addresses
  • Telephone numbers

How to identify you / Biometric data

  • Pictures of you, especially your face or personally-identifying characteristics like tattoos
  • Fingerprints
  • Handwriting samples
  • Retina scans
  • Voice signatures
  • Facial geometry

Personally-owned Property information

The complicated stuff

Some information is not-personally-identifying by itself. For example, “born in New York City”. But when it’s combined with other information, it can become personally-identifying. “Born in NYC at Coney Island Hospital on January 1, 2020, White, Parents were uninsured, Presbyterian” [2] probably narrows down to a much smaller number of people.

And if this information is combined with any of the other categories above, well, now you’ve probably got a lock on a specific person.

So here are examples of information that, when combined with other information, makes you identifiable:

  • Date of birth
  • Place of birth
  • Business telephone number
  • Business mailing or email address
  • Race
  • Religion
  • Gender
  • Geographical indicators
  • Employment information
  • Medical information
  • Education information
  • Financial information
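
To make the "combined with other information" point concrete, here is an added example (not part of the original post) that measures how quickly a group shrinks as fields from the list above are combined, and how coarsening one field helps. The records are constructed, and the function names are hypothetical; the smallest group size is what privacy engineers call k-anonymity.

```python
from collections import Counter

# Constructed sample records (not real people). Every field is one of the
# "identifiable when combined" items from the list above.
FIELDS = ("place_of_birth", "date_of_birth", "religion", "gender")
ROWS = [
    ("NYC", "2020-01-01", "Presbyterian", "F"),
    ("NYC", "2020-01-01", "Catholic", "F"),
    ("NYC", "2020-01-01", "Catholic", "M"),
    ("NYC", "2020-01-02", "Presbyterian", "F"),
    ("NYC", "2020-01-02", "Catholic", "M"),
    ("NYC", "2020-01-02", "Catholic", "M"),
    ("Boston", "2020-01-01", "Presbyterian", "F"),
    ("Boston", "2020-01-01", "Presbyterian", "F"),
    ("Boston", "2020-01-02", "Catholic", "M"),
    ("Boston", "2020-01-02", "Catholic", "M"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size; k=1 means at least one person is singled out."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Number of records whose combination of fields is unique in the data."""
    return sum(1 for n in group_sizes(records, fields).values() if n == 1)


def narrowing(records, fields):
    """Add one field at a time and report (fields used, k, singled out)."""
    steps = []
    for i in range(1, len(fields) + 1):
        used = fields[:i]
        steps.append((used, k_anonymity(records, used), singled_out(records, used)))
    return steps


def coarsen_dates(records):
    """Mitigation: keep only the year and month of the date of birth."""
    return [dict(r, date_of_birth=r["date_of_birth"][:7]) for r in records]


if __name__ == "__main__":
    for used, k, unique in narrowing(RECORDS, FIELDS):
        print(f"{len(used)} field(s): k={k}, singled out={unique}")
    k = k_anonymity(coarsen_dates(RECORDS), FIELDS[:3])
    print("three fields after coarsening dates: k =", k)
```

Place of birth alone leaves everyone in a group of at least four; by the third field two people are already unique, and sharing only the birth month instead of the full date puts them back in a group of two.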

But anne, I can’t exist without exposing some of this information

You’re right, you can’t. If you protect your email address so closely that nobody has it, for example, well, you’re not going to get any email, and then what’s the point? It’s almost impossible to ensure that none of your friends or family ever post a photo that includes you on Facebook or Instagram. As for your name, well, you’ve got to be identified by something.

Depending on your goals, maybe you want some of this information to be at least a little public anyway. If you have a public LinkedIn profile because you’re actively looking for a job, you’re exposing a significant amount of your education and work history, in addition to things like your name, and potentially your gender or photo.  That’s good for helping people find you if they want to hire you, and not so good for helping people find you for other reasons like asking you to find them other people to recruit.

Any social media account carries those same risks. Do you lock down to just friends being able to find your accounts, and risk new friends not being able to find you? Or do you make everything public and then risk everything being public? Even if you do lock everything down, companies constantly add, change, and remove features, so what’s locked down today may be public tomorrow. It can be hard to keep up with all of these accounts and all of the privacy settings. [3]

This becomes even harder if you have a job where sharing yourself or your work is part of your job. For example, I’m a UX Designer who is learning to specialize in accessibility design and development. Part of my job description includes publishing, speaking, podcasting, etc. about design and what I’ve learned. Because storytelling makes teaching more effective, I write about the experiences I’ve had working with various disability communities and people with disabilities. It doesn’t take long to dig through my blogs to discover my husband has cystic fibrosis and I have fibromyalgia [4].

On the other hand, corporations are assholes

The best way I can describe every company I’ve ever dealt with is “They’re that busybody you knew in middle school who always found a way to take that super-intimate thing they found out about you and make it public in a way that made them look better.”

You know, that one who used the crush you had to make sure you were as embarrassed as possible by strangers at the dance? Or the one who found out something secret about your family and slipped the information to the class bully? Or the one who thought it’d be “funny” if they pointed out loudly that your fly was down?

Businesses believe that by using evidence-based decision-making they can scale and grow more efficiently. In layman’s English, that means the more data they have about everything, the more efficiently they can use that data to make decisions about what to spend money on, who to hire, who to fire, and what to cut. [5]

They’re in the business of looking better and making more money, and frankly, most of the time they don’t care who they hurt in the process as long as they keep their customers, don’t break the law, and nobody goes to jail. [6]

HR departments already regularly check your social media feeds to check up on you, and they’ve been doing it for years. Back in 2012, D Magazine’s article Why HR Managers Are Reading Your Facebook Page stated that 91% of recruiters screened applicants using social network feeds, and 70% had rejected at least one candidate based on what they found there. I’ve personally witnessed friends or associates whose HR departments reached out to them after they were hired about posts on social media, so don’t think it stops when you get in the door.

In some cases, this is self-defense. They’d like to know if you’re a Nazi bent on white supremacy, especially if they state that diversity is one of their founding principles, and deal with your employment before something hits the 5:00 news hour.

Companies that use third-party vendors to do the search ask for your consent, then let you know if anything adverse came up. Companies that don’t use third-parties may already gain information that they’re not allowed to use for hiring purposes, such as your race, whether you just announced you’re pregnant, being a member of a support group for a disability….

We’d like to think that most companies and people are honest and care about their employees. On the other hand, when your job is to figure out whose jobs are about to be cut in the most appealing way possible, you’re going to find ways to do that which dance all over that grey space. Can you cut expenses by letting go the employees that are drinking too much in their social media, or have a photo with marijuana plants, or are pro-union in their posts…. or who are driving up the cost of healthcare with their hidden disabilities unreported to the company, or are about to have a baby, or etc. etc. etc?

And then there’s the social media companies themselves

If you can’t trust the corporation you work for, which at least has a stake in you doing your job so it can profit, you really can’t trust the corporations that give you services for free. If you aren’t paying for it, you’re the product. (If you are paying for it, and they can extract data from you, you are also the product.)

Facebook is our best-known offender here.

As of 2018, Facebook generated income using the following six methods:

  1. Charging you-the-average-Joe to create an advertisement for something you’re selling
  2. Charging advertisers to place their advertisements on pages based on “targeted advertising” — i.e. targeting Phillies merchandise on the pages of Phillies fans, and not, say, Mets fans.
  3. Charging advertisers to create Facebook Messenger posts and push out ads that way (once again, in a targeted advertising method)
  4. Charging advertisers to create Facebook Live videos and push them out to targeted people
  5. Charging advertisers to run ads on their mobile apps (once again, targeted, but one of their most effective locations)
  6. Data generation — i.e. aggregating information about users and selling it to places like Cambridge Analytica, Chinese companies, Apple, Amazon, Microsoft, Samsung….

In order to gather all that targeted information, Facebook uses the information you’ve already given them, even if you don’t know that you’ve given it to them.

  • According to a 2018 article in Techworld, that phone number you use for two-factor authentication has been used to cross-reference against other information for better ad targeting.
  • They’ve logged SMS texts and phone calls without telling people by scraping it out of your phone’s logs, according to The Guardian.
  • They’ve used the political preferences, pages you’ve liked, etc. to determine what you believe, then either used that information to sell to advertisers or sold that (aggregated) data.
  • They don’t regularly check up on the companies buying their data or services to find out how they’re using the data. According to a New York Times article on the Cambridge Analytica breaches, Cambridge Analytica harvested Facebook profile data from users who took a Qualtrics survey advertised as for academic purposes, and then took the information about all of those users’ friends as well. That was against Facebook’s terms of service, but Facebook didn’t do anything about it.
  • According to that same Techworld article referenced above, Facebook buys information about you from Experian to determine where you shop, what you buy, and whether you own a car.
  • If you visit a company whose website contains the Facebook Pixel application (for their own advertising purposes), Facebook gets that data too.
  • Facebook uses the IP address of the computer or phone you use to hit their site to figure out where you are — and in 2015 they went so far as to use this data to suggest friends to you.
  • If you typed something and didn’t hit send, according to “What should you think about when using Facebook?” that doesn’t mean Facebook didn’t gather the information. They received the individual keystrokes, and stored that post as “self-censored” data. So if you wrote “I HATE MY BOSS” and then edited or deleted it before you hit send, Facebook still knows about it.

Now multiply that by every other company….

We have a lot of good reasons to believe that Facebook doesn’t use the same ethics to model their behavior as most people want them to. Most of us don’t want to have our data sold, our opinions manipulated based on what we already believe, our private information handed over (probably in aggregate) to the highest bidder for the purposes of making them money.

We don’t have a good reason to believe that Facebook is the only, or even the worst, offender. We just don’t have enough headlines about other companies stuffing the information in our face to prove it.

Google used the content of your email to target advertisements for years. Even now they use automated scanning of your messages to suggest entries to your calendar or remind you that you didn’t add that attachment you said you were going to add. Apple does the same thing with Siri and iCal.

Is it helpful? Yes, arguably.

Is it ethical? Well that depends on what else they’re doing with that data — and honestly, we don’t know what else they’re doing with it.

Does that mean we have to shut down all our email? The cat is already out of the bag, Pandora’s box is open, the barn door is ajar and the animals are on a hike four farms over, terrorizing someone else’s ducks.

But we do have to be aware of it.

That brings us to Facebook’s Preventative Health tool

Facebook is rolling out a preventative health tool, which they say will connect people to health resources and checkup recommendations from leading health organizations.

As we remember from the first section of this rant, medical information, especially when linked to a specific person, is Personally Identifiable Information. And even if it weren’t legally PII, emotionally you know there are things about your health like that giant butt zit you had to have lanced or a horrible period or a twisted testicle or skin cancer or a miscarriage, that you just don’t want anyone to have. Not your friends. Not your family. Definitely not Facebook.

Oh, well, no big deal, you might think, because in the US at least, the Health Insurance Portability and Accountability Act (HIPAA) protects my health data.

Facebook’s gathering and use of medical information is not covered by HIPAA. 

Facebook says they won’t have access to test results for things they suggest for you. They say they won’t target ads based on your activity within Preventative Health (but if you “like” a page or write a post outside of that area, all’s fair game). They say they won’t share any health-related information with third parties.

And to be fair, Apple’s Health Record application and API are also not subject to HIPAA regulation — but that’s because none of your health information is stored anywhere except your phone unless you choose to share it with another provider. The Health Records app has to be downloaded separately from the Health app they already have. All of the data is end-to-end encrypted (as long as you’re using 2-factor authentication). And Apple’s pretty blatant about telling you what you’re sharing and getting granular with the data.

But the biggest difference between Apple and Facebook is simply that Apple is transparently communicating what they do and don’t expect and how to keep yourself safe…. while Facebook’s track record of manipulating, secretly gathering, monetizing, misusing, and selling your data to companies that may or may not be even less responsible than Facebook is, is pretty blatantly obvious.

Your personally identifiable information is the product, so don’t share it.

I think that Facebook’s work with multiple medical organizations to help people stay healthy and safe is a good idea.

I also think that Facebook is one of the last companies on earth that should be trusted with it. For that matter, I’m not sure any of them should be.

Here’s the slippery slope scenario:

We already know that companies are checking their prospective employees’ Facebook accounts. According to an article on UPenn Wharton’s site in 2014, lending companies have been doing so outside of the US as well. (This isn’t widespread in the US because legislation barring discrimination and a fear of lawsuits make lenders hesitant, according to the article.)

Imagine if Facebook provided advertisers and other businesses the ability to screen for health criteria when, for example, setting up job ads. [7] Yes, they say they’re not going to do it now, but that’s out of the goodness of their heart, not because they’ll get wiped off the map by the Department of Justice.

Imagine you can’t get a job because you were filtered out of the job postings as one of the people who didn’t get a colonoscopy this year.

Imagine you can’t get health insurance because you showed up on a Cambridge-Analytica-style database of people who have the BRCA gene for breast cancer, where someone cross-referenced information on Facebook about your health with Google searches you’ve been tagged on.

Imagine you can’t adopt a child or qualify for fertility treatments because you have the early stages of a disability like Multiple Sclerosis and an adoption agency / financial lender / insurance company / employer found out.

Imagine trying to prove any of that in a court of law, and what it would cost.

Steps you can take to protect yourself

  • Lock down your privacy on your social media accounts as much as seems feasible to you
  • Trust companies that are covered by HIPAA regulation (like the apps your doctor tells you to install to access their doctor’s offices — Epic, for example, your insurance company’s app or website, etc.) more than companies that are not (Facebook, Google, Twitter… don’t be afraid to ask or search the web for more information!)
  • Think about whether what you’re typing on social media is something you’d yell in a crowded train station to a bunch of strangers. (And while you’re at it, don’t yell that stuff on a phone call in the quiet car of the train either.)
  • Don’t share if you don’t have to.
  • Support journalism organizations like ProPublica, because they do the research that uncovers missteps corporations would like you to not know about
  • Support universal health care, privacy legislation, and regulation in general when talking to your politicians and when voting at the polls, because regulation is literally the difference between privacy and publicly traded knowledge in these areas.

Finally, if you see someone doing something risky or dangerous, ask them about it (nicely) and help them better understand the risks. We’re all in this together.

Footnotes

1 List provided by University of Pittsburgh Information Technology
2 This is a totally made up example.
3 Facebook privacy basics, LinkedIn privacy settings, Instagram privacy settings, How to protect your personal information on Twitter and similar links are a good start. Remember that you a: need to check them regularly and b: need to remember these companies benefit from your lack of privacy, so while they’ll tell you how to secure your account, they’ll often recommend you shouldn’t.
4 It can be a huge challenge to figure out what people are and aren’t comfortable with when you talk about someone else’s disabilities or health or any other personally identifiable information. Be responsible. If you’re writing about someone else, let them read it before you hit publish, and if they ask you to remove something, remove it, no questions asked.
5 I honestly believe that any given person does the best they can in this world to hurt as few people as possible while helping themselves. I also believe that the phrase “what’s best for the business” short-circuits what people would choose if they were making one-on-one decisions with other people, and results in the exact opposite of ethical decision making.
6 Enron, on the other hand, didn’t seem to be too fussy about those last two.
7 Facebook and a number of other companies were sued in 2018 for creating job ads that screen out older prospects. They claim they’re not the ones discriminating — their customers are — but they’re not doing anything to prevent the discrimination, either.