Here is a posting or two from April 2022 when I took a look at Doxy.me privacy policies in force at that time. I am of course not a lawyer and could misunderstand something. Maybe.
This HHS and OCR guidance includes several sorts of 3rd party tracking technologies possibly in use by Doxy.
........................
To be crystal clear -- I am NOT accusing Doxy of breaking HIPAA or other laws, sharing PHI, or sharing video content. I am "accusing" them of doing exactly what they allow themselves to do in their "privacy" policy -- communicate "de-identified and anonymized" data to 3rd parties having little to nothing to do with the operation of the service. The huge problem is that "de-identified and anonymized" data can be easily reattached to client names by any data broker worth their salt with a big enough database.
Picture me having an angry laugh (at Doxy, not you) as I read this "privacy" policy. It's ridiculous.
In summary: They give themselves permission to do quite a lot, and by using their product, you are consenting to it. They say they are "anonymizing" everything -- but what good is that if the data can be used to easily reconstruct client identity? They don't say they are sending along tracking cookie data to 3rd parties, but they give themselves permission to do it.
A few choice pointers:
"This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information—when You use the Doxy.me Service or visit this web site"
Your permission is granted...
............................
"Usage Data is collected automatically... Usage Data may include information such as Your Device’s Internet Protocol address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers, and other diagnostic data. However, this Usage Data is de-identified and anonymized and not linked to a particular data. As such, it is not considered personal information; it is incidental to providing the Service."
Several Internet security sources point out (sorry -- I don't have a reference immediately available) that when data brokers accumulate several data points on you (such as browser type, IP address, "other diagnostic data"), it can act as a unique fingerprint to figure out who you are. Keep in mind that data brokers track across several websites across time. This is exactly the sort of information that cookies are commonly used to store and pass along.
Internet Protocol address -- If a user happens to have a static IP address, this is a unique identifier of the user. If it's not static, it still serves to pinpoint the general geographic area the person is in (unless a VPN is used) and can be combined with other data to identify the person.
Unique device identifiers -- Each device (laptop, smart phone, etc.) has a unique serial code that identifies it. If this information is being passed along to 3rd parties, it's a unique fingerprint of the person.
Let's take an easy fictional example -- let's say a client creates a Google account. In the process of creating the Google account, the client enters their name. Let's say Google also captures their unique device identifier at that time. Now then, if the unique device identifier is passed along to Google whenever that person visits a website (say doxy.me for example), Google knows the name of the person visiting the website because it's already in Google's database.
"de-identified and anonymized" data -- Sure. Internet Protocol address, browser type, browser version, unique device identifiers, and other diagnostic data do not have the client's name attached -- or any other PHI data. But so what -- the data broker already has a database to readily reattach the client's name when/if this information is provided.
.............................
"We may also collect information that Your browser sends whenever You visit this Website"
Well, I don't know -- does this mean they can capture anything else your web browser is sending out at the time you are connected to their website?
.........................
Cookies:
"Any use of Cookies – or of other tracking tools – by Us or by the owners of third-party services used by Us serves the purpose of providing the Service as requested by You."
Hmmm... Slippery. We are requesting/consenting to anything they do as defined earlier in the document.
From: https://doxy.me/en/cookie-policy/
"Please be aware that some Cookies are required to use the Doxy.me Service; some are useful but not mandatory to measure and improve performance; and some are used for advertising or marketing activities that customize information based on your interests."
So -- yes -- they ARE using cookies to advertise and market to our clients.
.............................
They do at least promise not to pass along PHI or name information.
They may or may not be passing along the above information to 3rd parties, but my September 2021 investigation showed that their servers WERE contacting 3rd parties (some known to be data brokers / ad networks). SOMETHING was passed along.
-- Michael
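An added example (not part of the original posting) that puts a number on the fingerprinting argument above: it measures what share of "de-identified" usage rows are unique once the fields named in the quoted policy are combined, and again after coarsening them. The sample rows, field names and the `generalize` mitigation are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample rows: only fields the quoted policy lists, no names or PHI.
USAGE = [
    {"ip": "203.0.113.7",  "browser": "Firefox", "version": "99.0.1",  "device_id": "dev-01"},
    {"ip": "203.0.113.7",  "browser": "Chrome",  "version": "100.0.4", "device_id": "dev-02"},
    {"ip": "203.0.113.88", "browser": "Chrome",  "version": "100.0.4", "device_id": "dev-03"},
    {"ip": "198.51.100.5", "browser": "Chrome",  "version": "100.0.4", "device_id": "dev-04"},
    {"ip": "198.51.100.9", "browser": "Chrome",  "version": "100.0.2", "device_id": "dev-05"},
    {"ip": "198.51.100.9", "browser": "Safari",  "version": "15.4",    "device_id": "dev-06"},
]

def unique_fraction(rows, fields):
    """Share of rows whose combination of `fields` occurs exactly once (k = 1)."""
    keys = [tuple(r[f] for f in fields) for r in rows]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(rows)

def generalize(row):
    """Mitigation sketch (assumed, not Doxy.me's practice): drop the device id,
    keep only the /24 network of the IP and the major browser version."""
    net = ipaddress.ip_network(row["ip"] + "/24", strict=False)
    return {"ip": str(net), "browser": row["browser"],
            "version": row["version"].split(".")[0]}

def report(rows):
    """Unique share as more fields are combined, then after coarsening."""
    steps = [["browser"], ["browser", "version"], ["ip", "browser", "version"]]
    out = {"+".join(f): unique_fraction(rows, f) for f in steps}
    coarse = [generalize(r) for r in rows]
    out["coarsened"] = unique_fraction(coarse, ["ip", "browser", "version"])
    return out

if __name__ == "__main__":
    for label, share in report(USAGE).items():
        print(f"{label:22} {share:.0%} of rows are unique")
```

A row that is unique on these fields can be matched by anyone who holds the same fields next to a name; a per-device identifier makes every row unique by itself. Coarsening lowers the unique share here but does not bring it to zero.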
On 4/13/2022 5:24 PM, NAME REDACTED__ wrote:
Based on Michael's recent post, I contacted the legal office at doxy.me to ask whether doxy.me does the following:
"Doxy.me reports out cross-site tracking cookies to at least 10+ different services including Google, YouTube, Facebook, LinkedIn, and Hotbot."
The legal department directed me to their policies here:
Doxy is technically HIPAA compliant according to them and I can't PROVE otherwise.
In October 2021 -- logging in as a CLIENT -- I traced (via Pihole and the Lightbeam Firefox plug-in) their website having my web browser contact connections to Google (multiple), YouTube (multiple), Facebook, Doubleclick, Hotjar, Mixpanel, and Segment ad networks/trackers/data aggregators. Heavy additional use of outside support tools from Google, Amazon (their web hosting provider), Cloudflare, Cloudfront, and other outside supporting services.
There was just no excuse for that from a company only providing medical telehealth.
Since then Doxy seems to call on fewer outside supporting services, and last I looked (April 2022) they ran their data tracking services through one specific company -- which could then redistribute data to all the above companies. Or not.
The devil here is in what constitutes Protected Health Data (PHI). In 2022 Doxy privacy policies discussed only collecting "anonymized" data and no PHI. Sounds great. However, please see:
This HHS and OCR guidance includes the sorts of 3rd party tracking technologies DOXY is likely referring to in their privacy policies.
Then of course, there is this: Yes, someone really did name their service Doxy ("Doc See Me" according to the company). There are several double meanings here. Doxx or doxxing -- hacker slang for spreading sensitive private information all over the Internet to defame someone. Webster's Dictionary -- Doxy -- a prostitute. https://www.merriam-webster.com/dictionary/doxy
No disrespect intended to sex workers in the use of the possible slur "prostitute" here.
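An added example (not from the original posting) of the kind of Pi-hole trace described above: it tallies the third-party sites one client looked up during a session, from the dnsmasq-format query lines Pi-hole logs. The log lines are constructed, `telehealth.example` stands in for the first-party site, and the `TRACKERS` set is an illustrative assumption, not a complete blocklist.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq format Pi-hole writes; not a real capture.
LOG = """\
Oct 12 10:01:02 dnsmasq[812]: query[A] telehealth.example from 192.168.1.20
Oct 12 10:01:02 dnsmasq[812]: query[A] api.telehealth.example from 192.168.1.20
Oct 12 10:01:03 dnsmasq[812]: query[A] www.google-analytics.com from 192.168.1.20
Oct 12 10:01:03 dnsmasq[812]: forwarded www.google-analytics.com to 9.9.9.9
Oct 12 10:01:03 dnsmasq[812]: query[AAAA] stats.g.doubleclick.net from 192.168.1.20
Oct 12 10:01:04 dnsmasq[812]: query[A] script.hotjar.com from 192.168.1.20
Oct 12 10:01:04 dnsmasq[812]: query[A] api.mixpanel.com from 192.168.1.20
Oct 12 10:01:05 dnsmasq[812]: query[A] cdn.segment.com from 192.168.1.20
Oct 12 10:01:05 dnsmasq[812]: query[A] script.hotjar.com from 192.168.1.20
Oct 12 10:01:09 dnsmasq[812]: query[A] updates.vendor.example from 192.168.1.31
"""

# Illustrative assumption: sites of tracker companies named in the posting.
TRACKERS = {"google-analytics.com", "doubleclick.net", "hotjar.com",
            "mixpanel.com", "segment.com"}

QUERY = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")

def site(host):
    """Naive registrable domain (last two labels). A real audit should use
    the Public Suffix List so that e.g. co.uk names are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def third_parties(log, client, first_party):
    """Count lookups by `client` for sites other than `first_party`."""
    seen = Counter()
    for line in log.splitlines():
        m = QUERY.search(line)
        if m and m["client"] == client and site(m["name"]) != first_party:
            seen[site(m["name"])] += 1
    return seen

def known_trackers(seen, trackers=TRACKERS):
    """Third-party sites from the tally that are on the tracker list."""
    return sorted(s for s in seen if s in trackers)

if __name__ == "__main__":
    tally = third_parties(LOG, "192.168.1.20", "telehealth.example")
    for name, n in tally.most_common():
        print(f"{n:3} {name}{'  <- tracker' if name in TRACKERS else ''}")
```

DNS lookups show that the browser contacted a third party, not what was sent to it, and lookups from other tabs or apps on the same device land in the same log, so the trace is best taken from a clean browser profile with nothing else open.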