By SAM METZ AP/Report for America
CARSON CITY, Nev. (AP) — The Nevada website the public uses to get information on coronavirus vaccines is packed with more ad trackers and third-party cookies than any state vaccination website in the country, allowing companies to track how visitors navigate the internet and collect data on them that can potentially be used or sold by third parties.
Since vaccines became available, health officials have directed people looking for vaccine information — where doses are available and how to schedule appointments, for example — to ImmunizeNevada.org or NVCOVIDFighter.org, which is an address that directs visitors to the same website.
Both state officials and representatives from Immunize Nevada, the nonprofit that runs the website, say the trackers are standard for outreach campaigns and for user experience and to evaluate the effectiveness of advertising efforts.
But digital privacy experts question that explanation. They say the number of trackers on Nevada’s site in comparison to other states is alarming and goes beyond data-gathering applicable to outreach. Potentially, experts say, the information can be packaged by brokers that sell data to customers ranging from insurance companies to political campaigns — something the state and creative agency with which it contracts deny.
“The vast majority of these cookies are generating data that would be completely useless to state officials in optimizing their outreach, while putting a lot of our health data in the hands of advertisers,” said Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project.
An investigation by The Markup published in March found that Nevada’s website took longer to load than any state vaccination website in the U.S. The technology publication launched last year with reporters and editors from ProPublica, the Wall Street Journal and other publications. It found the state’s website used more third-party cookies than the majority of states combined.
Through a tool called “Blacklight,” The Markup found — at that time — the site contained 24 ad trackers and 45 third-party cookies. By comparison, 23 states used no third-party cookies. Texas, New York, Kentucky, West Virginia and New Hampshire’s sites use neither ad trackers nor third-party cookies, The Markup found.
According to both Immunize Nevada and Blacklight, the site had 19 third-party cookies as of Wednesday, including from Facebook, Google, YouTube, and Spectrum. That’s still more than any state in The Markup’s nationwide investigation.
Cookies are scripts placed in a website’s coding that is implanted in browsers to collect information on what people do online. Third-party cookies allow companies other than website operators to track users and frequently are used to sell data to advertisers.
Health officials and Immunize Nevada also work with the creative agency Estipona Group on the website and a complementary outreach campaign called “3 Million Reasons” aimed at swaying vaccine hesitant populations through ads on social media, including through the companies planting the cookies.
Edward Estipona, the firm’s CEO, acknowledged The Markup’s conclusions and said his team conducted a “full site audit” after the investigation to remove “outdated” cookies. Those now in use are “industry standard” in advertising, Estipona said. His team uses cookie data — from Google Analytics, for example — to gauge what groups are seeking out information and then tinker with their outreach accordingly.
“We’re not tracking people. We can only see how someone came to our site, their journey throughout the site, and when they left. We see no personal information about these users. Any website with Google Analytics installed will be able to see this same information about its visitors,” he said. “We feel it’s important to know what information on our site is most helpful. In knowing that, we can make our site easier to navigate and make the most searched information the most prominent.”
At an April press conference at a vaccination clinic, Gov. Steve Sisolak promoted the website as a way to get reliable vaccine information. His spokesperson did not respond to a request for comment on the website’s trackers.
To Matthew McCoy, a University of Pennsylvania medical ethics professor who has studied third-party tracking on COVID-related websites, it’s unlikely that all the cookies on Nevada’s site benefit users, who may not know how information about what sites they visit is collected and packaged.
“Most of them have no conception that when they log on to the page, they’re also giving information about themselves to this whole range of third parties,” he said.
In addition to Google and Facebook, the cookies found on the site are also from data brokerage firms including Neustar and The Trade Desk, The Markup found. Neustar collects data on behalf of defense, telecommunications, marketing firms and the health insurance provider Aetna. The Trade Desk has sold analytics used by political campaigns including U.S. Sen. Elizabeth Warren’s 2020 presidential primary bid.
Estipona said his programmers disputed the planting of cookies by Neustar and The Trade Desk. He and Nevada Department of Health and Human Services spokesperson Shannon Litz said none of the data collected through the trackers was sold for future use. But the $4 million contract between the two parties does not include provisions about data retention or deletion. Neither Estipona nor Litz explained how they knew what happened to the information once in the hands of third parties.
The website offers a live chat feature, YouTube videos in English and Spanish, and a “Social Hub” that displays Immunize Nevada’s Facebook, Twitter and Instagram feeds. The embeds all require third-party cookies that privacy experts say collect data that can be used for tracking regardless of the reason they were planted.
Alan Butler, the executive director of the Electronic Privacy Information Center, said few regulations exist about how third-party cookie data from social media embeds can be used. He said, unless it’s stipulated in a contract, third parties can — and do — use the profiles they create of people based on their internet behavior like all other data.
“I don’t think anything we’ve seen publicly indicates that they do that or that that’s a common or even known contractual arrangement,” Butler said. “Absent some contract, there’s no legal limit once that data is collected on using it like they use all the other data they collect — which is to profile, target and categorize individual users.”
He and Cahn, the executive director of the Surveillance Technology Oversight Project, said The Markup’s analysis of cookies and trackers was credible and used widely available tools. Cahn said the majority of the trackers implanted by the Nevada site wouldn’t be useful for outreach, but could have the opposite effect — fueling vaccine hesitancy.
“One of the big lies that has been perpetrated by vaccine conspiracy theorists throughout the rollout is that there were some sort of tracking chip embedded in the vaccine,” he said. “At a moment when a lot of Americans are hyper-sensitive to any potential tracking, this — I think — is going to undermine public trust we need to build.”
Metz is a corps member for the Associated Press/Report for America Statehouse News Initiative. Report for America is a nonprofit national service program that places journalists in newsrooms to report on undercovered issues.