Feeds

NHS enables Facebook to track surfers on health info website

Privacy experts say 'ick, germs'

SANS - Survey on application security programs

Privacy experts have expressed dismay at a decision by the NHS to allow Facebook and Google to track users on one of its sites.

The NHS has integrated its NHS Choices site into the Facebook Connect platform, so that surfers can express an interest ("like") for pages on the site and share content with their friends and contacts on Facebook. Google is also able to track the behaviour of individuals on the NHS Choices website, online privacy firm Garlik warns.

Garlik is sharply critical of the designers of the site. Mischa Tuffield, a developer at Garlik, criticised the design decisions as either "ill judged or ill informed".

Most of Tuffield's criticism focuses on the tie-up between the health information site and Facebook Connect which "opens the door to third-party tracking", even in cases where a user is not logged into Facebook at the time of visiting the NHS Choices site.

The site also uses analytics services from Google and Webtrends, something Garlik argues should not be trusted to a third-party supplier, as outlined here. However, it reserves the bulk of its criticism for the tie-up with Facebook.

Tuffield writes: "What right has the NHS to share any information about the browsing of NHS Choices with Facebook? The Like button is engineered such that even if it is not clicked, it still passes information about the user to Facebook, even if they are not logged into Facebook at the time of the visit."1

Garlik, which was the first to warn of the issue, was able to establish that tracking took place using internet logging tools. It knows from this exercise that individually identifiable data is exchanged between NHS Choices and Facebook, but not how it is used.

Users can be expected to be viewing content on NHS Choices that most might normally be expected to want to keep private. Garlik offers an example of a young mother looking for information on post-natal depression, but many others can be imagined.

The sharing is mentioned in the NHS website privacy policy, something few average punters would read, and a point that cuts little ice with Garlik or other critics.

Andy Thomas, Garlik’s managing director, said: "The fundamental issue here is that the NHS believes it is acceptable to share information about users' browsing habits with third parties. This appears to have been a conscious decision, and the NHS believes that a statement buried away in a privacy policy makes it OK."

"NHS Choices has either wilfully decided that sharing the pages visited by all Facebook users with Facebook is acceptable, or has implemented the technology without understanding how it works."

The issue has been taken up by Tom Watson MP, who wrote to the Health Secretary on Tuesday to express his concern that the "NHS is allowing Google, Facebook, and others to track your nhs.uk browsing habits, regardless of the fact that people use the page to seek medical advice".

"The NHS Choices website is used by members of the public in order to find out facts about ailments they may be suffering from and these illnesses could cause an individual embarrassment if the information was leaked," he writes.

Watson wants the link between NHS Choices and Facebook Connect to only exist in cases where users opt in to link the services, rather than (as now) by default.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.