Feeds

NHS enables Facebook to track surfers on health info website

Privacy experts say 'ick, germs'

Beginner's guide to SSL certificates

Privacy experts have expressed dismay at a decision by the NHS to allow Facebook and Google to track users on one of its sites.

The NHS has integrated its NHS Choices site into the Facebook Connect platform, so that surfers can express an interest ("like") for pages on the site and share content with their friends and contacts on Facebook. Google is also able to track the behaviour of individuals on the NHS Choices website, online privacy firm Garlik warns.

Garlik is sharply critical of the designers of the site. Mischa Tuffield, a developer at Garlik, criticised the design decisions as either "ill judged or ill informed".

Most of Tuffield's criticism focuses on the tie-up between the health information site and Facebook Connect which "opens the door to third-party tracking", even in cases where a user is not logged into Facebook at the time of visiting the NHS Choices site.

The site also uses analytics services from Google and Webtrends, something Garlik argues should not be trusted to a third-party supplier, as outlined here. However, it reserves the bulk of its criticism for the tie-up with Facebook.

Tuffield writes: "What right has the NHS to share any information about the browsing of NHS Choices with Facebook? The Like button is engineered such that even if it is not clicked, it still passes information about the user to Facebook, even if they are not logged into Facebook at the time of the visit."1

Garlik, which was the first to warn of the issue, was able to establish that tracking took place using internet logging tools. It knows from this exercise that individually identifiable data is exchanged between NHS Choices and Facebook, but not how it is used.

Users can be expected to be viewing content on NHS Choices that most might normally be expected to want to keep private. Garlik offers an example of a young mother looking for information on post-natal depression, but many others can be imagined.

The sharing is mentioned in the NHS website privacy policy, something few average punters would read, and a point that cuts little ice with Garlik or other critics.

Andy Thomas, Garlik’s managing director, said: "The fundamental issue here is that the NHS believes it is acceptable to share information about users' browsing habits with third parties. This appears to have been a conscious decision, and the NHS believes that a statement buried away in a privacy policy makes it OK."

"NHS Choices has either wilfully decided that sharing the pages visited by all Facebook users with Facebook is acceptable, or has implemented the technology without understanding how it works."

The issue has been taken up by Tom Watson MP, who wrote to the Health Secretary on Tuesday to express his concern that the "NHS is allowing Google, Facebook, and others to track your nhs.uk browsing habits, regardless of the fact that people use the page to seek medical advice".

"The NHS Choices website is used by members of the public in order to find out facts about ailments they may be suffering from and these illnesses could cause an individual embarrassment if the information was leaked," he writes.

Watson wants the link between NHS Choices and Facebook Connect to only exist in cases where users opt in to link the services, rather than (as now) by default.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.