Michelle Ayers is Head of Research Services at Jenkins Law Library , Philadelphia, PA.
We are often told that attorney-client confidentiality is as sacred as the healthcare provider-patient relationship. Yet, as I conduct research on the Web for our library members and the general public, I do not see this principle routinely applied to the privacy concerns of legal researchers. The medical profession has adopted privacy policies for self-policing of medical Web sites. Even with these efforts, medical privacy is not always guaranteed. Legal researchers, too, are not often guaranteed privacy in their searching. As with the medical community, the privacy statements can be vague, confusing or non-existent. This article will review the methods the medical profession has developed for self regulation using privacy policies. I compare these policies to the statements used in some of the major legal Web sites. Finally, I suggest ways to protect your privacy, that of your organization and your clients when conducting sensitive legal research on the Internet.
Data Collection and Privacy on Medical Web Sites
Here at Jenkins Law Library, one criteria we use for testing the quality of medical Web sites is the HON Code ( http://www.hon.con/ ). The HON Code of Conduct was formed in 1995 by the Health on the Net Foundation. Its purpose is to encourage medical Web managers to adopt the HON codes self regulatory and voluntary seal of good conduct based on the following principles: the authority of the information provided, data confidentiality and privacy, proper attribution of sources, transparency of financial sponsorship and the importance of clearly separating advertising from editorial content. (See http://www.hon.ch/HONcode/Conduct.html for a complete list of the eight principles and their definitions.) On a voluntary basis, Web sites post the HON Code of Conduct seal on their home page as a signal that they adhere to the eight principles of the HON Code. Notice that “data confidentiality and privacy” is one of these principles.
Recently, a study was released in February 2000 by the California Healthcare Foundation that compared the sites’ stated privacy policies with the actual privacy afforded users of the site. For the full report see: http://ehealth.chcf.org/priv_pol3/index_show.cfm?doc_id=33. The report was conducted by Janlori Goldman and Zoe Hudson of the Health Privacy Project at Georgetown University and Richard Smith, an Internet security expert. It looks at the privacy policies and practices of twenty one of the most heavily trafficked health sites on the Internet. Many of these sites post the HON Code of Conduct and further elaborate with privacy statements on their Web sites.
The identity of the twenty one Web sites is interesting. They included many of the medical sites that legal professionals may routinely use: Medscape.com, Drkoop.com, Oncolink.com, Webmed.com to name a few. It was surprising to see that the survey also listed several standard search engines and directories among the twenty one “health” sites they monitored. They are Altavista.com, Yahoo.com, Excite.com. The question the survey answers is this: do these sites adhere to their own privacy policies?
Survey Says…
To conduct the investigation, the authors used the twenty one health sites like a typical user and observed how personal data was handled. They then compared these observations to each site’s privacy policy. The findings are quite remarkable. Here are two interesting points:
- Only one Web site, Oncolink.com, makes their privacy statement binding on their business partners. All others either do not make it binding [Altavista.com; CVS.com; Drugstore,com; Exicte.com; Healthcentralcom; Intelihealth.com; Ivillage.com; mayohealth.org; mediconsult.com; mediscape.com; mothernature.com; onhealth.com; Webmed.com; and Yahoo.com] or a notice to the user about the policy was not available [Cansearch.com; Drkoop.com; Hivinsite.ucsf.ude; Mhnet.org; Planetrx.com; Thebody.com]
- While almost all Web sites had a notice to the user about who is collecting the information, what information is collected, when and how it is collected and whether visitors are profiled, few sites gave users access and control over the information collected.
Privacy Statements of Legal Research Web Sites
Privacy statements from legal related Web sites varied in format, depth and content. Generally, all the major sites had some sort of privacy policy with standard language.
I began my survey of the more popular legal Web sites by deciding to ask some basic questions about each site. These questions were the same criteria used in the Report on the Privacy Policies and Practices of Health Web Sites. The following chart shows what I found.
Web Sites Is there a privacy statement? If so, is it displayed on the home page or linked from home page? Is there an TRUSTe endorsement? Is advertising accepted? Are cookies used? Lawguru.com yes yes no yes yes Findlaw.com yes yes no yes yes LLRX.com no n/a n/a yes no Catalaw.com yes, via third party host no yes yes yes ALSO! yes no no no no About.com yes yes yes yes yes Virtualchase.com no n/a n/a n/a n/a ‘Lectric Law Library no n/a n/a n/a n/a Law.com yes yes no yes yes Loislaw.com no n/a no n/a n/a Versuslaw.com yes yes no no yes
Web Sites If a privacy statement exists, does the statement indicate the information collection points? At the collection points, is the data sent to the host site; another party? Is the privacy statement binding on the business partners, banner advertisers, 3rd parties Does the user have the right to view, correct or opt-out f the data collection process? Lawguru.com yes no unclear yes Findlaw.com yes maybe maybe yes LLRX.com n/a n/a na/ n/a Catalaw.com yes yes maybe maybe ALSO! n/a n/a n/a n/a About.com yes yes maybe yes Virtualchase.com n/a n/a n/a n/a ‘Lectric Law Library n/a n/a n/a n/a Law.com yes yes maybe yes Loislaw.com n/a n/a n/a n/a Versuslaw.com n/a n/a n/a n/a
How to Protect Yourself
Granted, this survey was not meant to be a true scientific sampling. The purpose here is to illustrate the variations in privacy statements and to make you aware to check for privacy statements prior to conducting sensitive research over the Internet.
Awareness alone is not all you need to protect you and your clients in the brave new world of Internet research. There are tools to help with the challenge. A cookie manager called Privacy Companion helps your browser know the difference between first-party cookie from, say, the New York Times, to let you into the site, but disallow third-party cookies from ad companies that track your habits while you’re there ( http://www.idcide.com/html/prod/prod.htm ). Complete cloaking tools like Anonymizer and Freedom can cloak the identity of a user in a broader way by hiding everything from your email address to your computer’s IP address (http://www.anonymizer.com/3.0/index.shtml and http://www.zeroknowledge.com/ ).
The question of protecting ones privacy on the Internet is not just a consumer issue. Legal professionals need to gain awareness of this issue and how it effects them as the Internet becomes the tool of choice for conducting research to support our clientele.