Feeds

NHS enables Facebook to track surfers on health info website

Privacy experts say 'ick, germs'

High performance access to file storage

Privacy experts have expressed dismay at a decision by the NHS to allow Facebook and Google to track users on one of its sites.

The NHS has integrated its NHS Choices site into the Facebook Connect platform, so that surfers can express an interest ("like") for pages on the site and share content with their friends and contacts on Facebook. Google is also able to track the behaviour of individuals on the NHS Choices website, online privacy firm Garlik warns.

Garlik is sharply critical of the designers of the site. Mischa Tuffield, a developer at Garlik, criticised the design decisions as either "ill judged or ill informed".

Most of Tuffield's criticism focuses on the tie-up between the health information site and Facebook Connect which "opens the door to third-party tracking", even in cases where a user is not logged into Facebook at the time of visiting the NHS Choices site.

The site also uses analytics services from Google and Webtrends, something Garlik argues should not be trusted to a third-party supplier, as outlined here. However, it reserves the bulk of its criticism for the tie-up with Facebook.

Tuffield writes: "What right has the NHS to share any information about the browsing of NHS Choices with Facebook? The Like button is engineered such that even if it is not clicked, it still passes information about the user to Facebook, even if they are not logged into Facebook at the time of the visit."1

Garlik, which was the first to warn of the issue, was able to establish that tracking took place using internet logging tools. It knows from this exercise that individually identifiable data is exchanged between NHS Choices and Facebook, but not how it is used.

Users can be expected to be viewing content on NHS Choices that most might normally be expected to want to keep private. Garlik offers an example of a young mother looking for information on post-natal depression, but many others can be imagined.

The sharing is mentioned in the NHS website privacy policy, something few average punters would read, and a point that cuts little ice with Garlik or other critics.

Andy Thomas, Garlik’s managing director, said: "The fundamental issue here is that the NHS believes it is acceptable to share information about users' browsing habits with third parties. This appears to have been a conscious decision, and the NHS believes that a statement buried away in a privacy policy makes it OK."

"NHS Choices has either wilfully decided that sharing the pages visited by all Facebook users with Facebook is acceptable, or has implemented the technology without understanding how it works."

The issue has been taken up by Tom Watson MP, who wrote to the Health Secretary on Tuesday to express his concern that the "NHS is allowing Google, Facebook, and others to track your nhs.uk browsing habits, regardless of the fact that people use the page to seek medical advice".

"The NHS Choices website is used by members of the public in order to find out facts about ailments they may be suffering from and these illnesses could cause an individual embarrassment if the information was leaked," he writes.

Watson wants the link between NHS Choices and Facebook Connect to only exist in cases where users opt in to link the services, rather than (as now) by default.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.