In a ground-breaking settlement with the Federal Trade Commission, two online addiction and mental health treatment companies, Monument and Cerebral, admitted to deceptively and widely sharing sensitive personal and health information with third-party advertising platforms including Meta (Facebook) and Google. They aren’t alone.
Our research at the Opioid Policy Institute has found more than a dozen other online addiction treatment companies engaging in similar deceptive behavior that contradicts their claims of private, secure, or confidential services. Perhaps the most shocking aspect of these business practices is the role of federal funding for these services.
The National Institute on Drug Abuse (NIDA) is the premier drug addiction research branch of the National Institutes of Health. For decades, NIDA’s work to reduce opioid overdose deaths has been stymied by long-standing gaps in treatment, with fewer than 25% of people receiving evidence-based medications for opioid addiction. One way NIDA has been working to address addiction treatment gaps is through encouraging grant proposals for digital health.
Digital health approaches to addiction treatment and recovery are thought to increase connections between people seeking treatment or in long-term recovery to prescribers, psychological services, or recovery supports through websites or apps. The goal is to reduce barriers like travel time, difficulty accessing providers, and isolation. But as with all technology, this digital approach comes with readily anticipated, potentially severe, and completely preventable privacy risks.
Among the 23 opioid addiction treatment and recovery companies the Opioid Policy Institute monitors, 22 engaged in activity similar to that found to be illegal in the FTC’s recent cases. Twelve of the 23 received NIDA funding. These companies conspicuously claimed to be “private,” “confidential,” or “HIPAA compliant” while surreptitiously sharing personal and health data with outside firms that can then use this information to target advertising. This means information like drug use history, health insurance, and detailed personal information can be used to determine what ads are served — or not served — to people who browse these services, contributing to silent and illegal discrimination based on their health condition.
Thirteen companies — five of which received NIDA funding — used Facebook Pixel, a tracking tool that reports users’ interactions with a website to Facebook. That means when people interacted with digital health websites that used Facebook Pixel, information including specific interactions like purchases and form responses (things like drug use history and insurance type) was sent to Facebook and used to target ads on Facebook and related properties such as Instagram.
To confirm a connection between visiting digital health websites and Facebook receiving interaction data for advertising purposes, researchers at the Opioid Policy Institute used a validated technique that included visiting all the monitored addiction treatment and recovery websites. Next we visited the off-Facebook activity page for a dummy Facebook profile (Bill Wilson) we set up. The off-Facebook activity page provides people who have a Facebook profile with an interaction summary originating from non-Facebook websites that use Facebook’s business tools like the Facebook Pixel. Any website visit that appeared on the Bill Wilson off-Facebook activity page established that a Facebook Pixel had been installed and was sending website interaction data to Facebook tagged to the specific profile, establishing a clear and illegal link between seeking treatment and ad tracking. This occurs even though Meta prohibits companies that handle sensitive health information from using these ad tools.
Meta is not the only company that fails to address this problem by not enforcing its terms of service. Google also prohibits the use of its tools, like Google Analytics, when a company handles sensitive health information. Yet when notified that the companies our organization monitors are violating their terms of service, neither Google nor Meta took action to prevent their tools being used in this way.
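For an operator who wants to check its own pages for the tools named above, the following is an added example, not part of the original essay and not the Opioid Policy Institute's method. It statically scans a page's HTML for the Facebook Pixel and Google tag loaders and flags pages where they sit alongside intake fields; the field-name hints and both sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts for the two tools the article names.
TRACKER_HOSTS = {"connect.facebook.net": "Facebook Pixel",
                 "www.googletagmanager.com": "Google tag / Analytics",
                 "www.google-analytics.com": "Google tag / Analytics"}
# Inline calls that queue events for those tools.
INLINE_CALLS = {"Facebook Pixel": re.compile(r"\bfbq\s*\("),
                "Google tag / Analytics": re.compile(r"\bgtag\s*\(")}
# Assumption: name hints for the kind of form data the article describes.
SENSITIVE = re.compile(r"drug|opioid|substance|insurance", re.I)

class TrackerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.trackers, self.fields, self.in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
            host = urlparse(a.get("src") or "").netloc.lower()
            if host in TRACKER_HOSTS:
                self.trackers.add(TRACKER_HOSTS[host])
        elif tag in ("input", "select") and SENSITIVE.search(a.get("name") or ""):
            self.fields.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # inline script body
            self.trackers.update(n for n, rx in INLINE_CALLS.items() if rx.search(data))

def audit(html):
    """Return trackers found, sensitive field names, and a combined flag."""
    p = TrackerAudit()
    p.feed(html)
    p.close()
    return {"trackers": sorted(p.trackers), "sensitive_fields": p.fields,
            "flag": bool(p.trackers and p.fields)}

# Constructed sample pages (placeholder IDs), not taken from any real site.
SAMPLE_INTAKE = """<head><script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '0000000000'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script></head>
<form><select name="insurance_type"></select><input name="opioid_use_history"><input name="email"></form>"""
SAMPLE_CLEAN = """<head><script src="/static/app.js"></script></head>
<form><select name="insurance_type"></select></form>"""
```

A static scan only sees tags present in the served HTML; trackers injected at runtime by a tag manager require inspecting the page's network requests in a browser.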
Thirteen of the companies we studied received taxpayer dollars (a total of $16.7 million in funding from the NIH or NIDA) to support their development and commercialization. Of these, 12 engaged in activity similar to that found to be illegal in the FTC’s recent cases against Monument and Cerebral. Effectively, taxpayers have funded the development of privacy-destroying companies that put people who use drugs at significant risk.
How did this happen?
It’s not clear how things got to this point. NIDA knows that privacy is a core part of addiction treatment, harm reduction, recovery, and research. These 23 companies, including those funded by NIDA, also appear to know privacy is important to people seeking addiction support because they frequently mention they offer private, secure, confidential treatment and recovery support on their websites, apps, and advertisements. It’s a standard — and deceptive — part of their sales pitches.
People who use drugs rank privacy as an essential aspect of addiction support because they have historically been marginalized, overpoliced, and exploited. Knowledge about an individual’s drug use — past or present — has led to substantial harm across employment, housing, and other human rights violations. These are not hypothetical harms: people who use drugs face these barriers daily.
Yet no one appears to be protecting the privacy of vulnerable people using these services. It appears that these NIDA-funded digital health companies said they were private, secure, and confidential, and both the funder and people seeking care took their word on it. This is unacceptable.
One could argue that a funder should not have to ensure that the entity it is funding meets federal privacy regulations. It is the responsibility of the funded entity to not deceive users — or the funder — or engage in illegal business practices.
We believe that the primary blame for these wide-ranging privacy issues and deceptive claims lies with the digital health companies. Blame also falls on Meta/Facebook, Google, and other companies that created privacy-violating tools with little oversight of their use when handling sensitive health data. Blame can also be assigned to funders of these services, like Y Combinator, Palantir, Mark Cuban, and NIH/NIDA.
NIDA’s role in funding addiction research is unmatched. One mechanism that it administers is funding through Small Business Innovation Research (SBIR) grants. These grants are designed to facilitate business pitches to the country’s leading addiction research organization. Receiving SBIR funding confers tremendous prestige, and sets up companies for larger outside funding rounds. Future investors see the federal government stamp of approval as an important signal. SBIR funding is also non-dilutive, meaning that the current ownership shares are not further divided and allocated to the funder; therefore, future funding rounds have more shares available to sell for larger sums. To addiction treatment providers, federal funding may also provide these companies credibility in a nascent and turbulent field.
For these reasons, and because taxpayer dollars are being used, NIDA must do more to ensure that funding does not further marginalize people already experiencing significant harm.
There are clear fixes to this disastrous funding approach beyond much-needed FTC actions to clean up the mess.
NIDA must look inward. If it does not have the expertise to evaluate the services it funds, other governmental agencies such as the National Institute of Standards and Technology, the Food and Drug Administration, and the FTC should be included in planning these grants, evaluating the services offered, and creating best practice guidelines. NIDA must require initial and ongoing privacy and security audits, as is done for other federal research grants. NIDA should also restrict how its funding is discussed by the companies in line with other grant funding: the funding must not be portrayed as an endorsement that deceives patients, providers, and other funders. Importantly, NIDA should also take steps to claw back funding that was used to facilitate privacy violations of people seeking addiction treatment.
As shown by the Monument and Cerebral cases, problems with privacy and addiction treatment are not limited to companies receiving grants from the NIH or NIDA. A dozen other non-NIDA-funded companies in our research also violate existing privacy laws. Yet NIH and NIDA have a unique role to play in righting the wrongs of the past and ensuring that future funding does not harm people seeking care. The FTC should not be alone in policing this space. Funders have a responsibility to ensure that taxpayers’ money does not hurt people who desperately need help.
Addiction treatment and recovery support can certainly benefit from digital approaches. But accessing addiction treatment and recovery support cannot come at the expense of individuals’ federally protected privacy rights. NIDA cannot afford to be naïve about these risks. The costs to people using these services are too great.
Jonathan JK Stoltman is director of the Opioid Policy Institute and co-director of Reporting on Addiction, a collaboration of addiction science experts, journalists, and journalism educators focused on improving addiction reporting. Mishka Terplan is medical director and senior research scientist at Friends Research Institute and senior physician research scientist at the Opioid Policy Institute.