Schneier on RealAge.com: Factually Incorrect

by on April 28, 2009 · 20 comments

(Update: Bruce Schneier linked to this post (and Adam’s) from his blog post on the topic, and the Wall Street Journal issued a “correction and amplification” at the top of the story on its site.)

I share many of Adam’s concerns with Bruce Schneier’s WSJ piece. But there’s something else wrong with it. He’s got the facts wrong, right in the first paragraph:

Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turned used that information for targeted e-mail marketing campaigns.

RealAge does not sell data to drug companies. RealAge collects health information about users and markets to its users at the request of its “partners.” But, again, it does not disclose health data to those partners, including drug companies.

RealAge.com has a sensible business model: cultivate an audience of users that are interested in health, and make money on the sellers trying to reach them, like drug companies. And y’know what would kill that business model? Giving data about users to the drug companies.

And in terms of privacy, that’s a difference in kind, not degree. The data is held close by RealAge.com. Given that, Schneier’s argument that there is deception deserving government intervention falls apart. RealAge.com says what it does and does what it says.

The line from RealAge’s privacy policy that Bruce quotes is deprived of context by what he doesn’t quote. Here’s what he quotes: “[W]e will share your personal data with third parties to fulfill the services that you have asked us to provide to you.” Scary . . . ish.

The rest of the story is the next line: “These third parties are required not to use your Personal Data other than to provide the services requested by RealAge.”

When I first read the privacy policy a few weeks ago – here’s what I wrote then – I assumed this language allowed them to use an email service provider to store and send emails. I was impressed that they say they specifically require service providers like this not to repurpose the data.

When I checked with the people at RealAge.com today, they confirmed that these lines in their privacy policy are for this kind of third-party service provider, not for drug companies.

So, with the sinister data-sharing-with-drug-companies meme kinda dropped out of the equation, what you have left is the question whether personal information should be used to direct health information toward interested people. Should people get information about remedies they might need from companies interested in selling them?

People are free to doubt drug advertisements because they’re advertisements, but given the prospective health benefits, more information is better than none, and I have a hard time saying health marketing is bad. It’s a lot easier to say it’s bad when you assume incorrectly what happens to personal data in the process.

Previous post:

Next post: