NHS.uk allowing Google, Facebook, and others to track you

The NHS is allowing Google, Facebook, and others to track your http://www.nhs.uk/ browsing habits, regardless of the fact that people use the page to seek medical advice. It was recently pointed out to me that the NHS Choices website’s social features include the Facebook Like button (see e.g. the page on Testicular Cancer). Due to the fact that the standard method of Facebook Like button deployment is intrusive to say the least, I thought I would look into identifying which third party companies have been given permission to track users on NHS Choices, and my results are rather disconcerting.

In short, there are four third-party advertising/tracking companies which are informed every time a user visits one of the “conditions pages” on the NHS Choices website. The four listed below all get to make a call from the user’s browser, which in turn allows them to access their cookies and track the user (explained in a previous blog post of mine, and in Bala’s research). This means that if one has ever logged into a Google account or a Facebook account and then visits one of the pages on the NHS site, the company will then know that their user X was just looking at a page about condition Y on the NHS website.

These are the four third party companies that make requests every time a “conditions page” on http://www.nhs.uk/ is viewed by a user:

jambi:~ mt $ grep "Host" tcpdump.ext.20101121.log | sort -u
Host: l.addthiscdn.com
Host: statse.webtrendslive.com
Host: www.facebook.com
Host: www.google-analytics.com

Two of the four third-party sites (facebook.com and addthiscdn.com) are contacted in order to provide the “social functionality” shown in the following screenshot. This intrusive OPT-OUT method of adding social features to the NHS website is, in my opinion, NOT acceptable. I would only deem this to be acceptable if the NHS has written declarations from the two aforementioned services stating that they WOULDN’T be tracking people’s browsing habits on http://www.nhs.uk/.

And the other two sites contacted (webtrendslive.com and google-analytics.com) seem to be used for analytics purposes. In my view, this task should NOT be outsourced to a third party. If this was a website about pub reviews these third-party services would be acceptable, but due to the nature of the information on the Choices website, I feel the NHS should be hosting their own analytics code. OK, I understand that the NHS needs to gather statistics about their website usage, but their users’ privacy should be of utmost importance, and there exist a large number of open-source analytics packages which the NHS should run themselves.

In order to show that I am not making this up, I have captured all of the HTTP requests made by my browser when loading the HIV and AIDS information page on NHS Choices.

http://www.nhs.uk/conditions/HIV/Pages/Introduction.aspx

The below two files are logs of all HTTP requests made when loading the HIV page:

http://mmt.me.uk/misc/nhscookies/tcpdump.full.20101121.log

And this cut down log file shows all of the third-party HTTP requests made by one’s browser when loading the aforementioned page:

http://mmt.me.uk/misc/nhscookies/tcpdump.ext.20101121.log

The above logs were captured using the following bash command:
tcpdump -A -s 1024 -i en0 dst port 80

An example:

My colleague Steve captured output from the HTTP trace via the NHS website; it can be found at http://pastebin.com/4TfDRRZJ

The browser (Safari) had its history cleared, was logged into Facebook, the Facebook window was closed, and the browser was then sent to the NHS page.

Bits of confidential data have been replaced with XXXs.

GET /plugins/like.php?href=http%3A%2F%2Fwww.nhs.uk%2fConditions%2fHIV%2fPages%2fIntroduction.aspx&layout=button_count&show_faces=true&width=450&action=like&colorscheme=light&height=21 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-gb) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Referer: http://www.nhs.uk/conditions/HIV/Pages/Introduction.aspx
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Cookie: presence=DJ290173073BchADhA_22112.channelH1L60XXXXXXXXXXXXXXXXX4104WMblcMsndPBXXXXXXXXXXXsbPBtA_5b_5dBfAnullBuctMsA0QBblADacP0VXXXXXXXXXXXX0K290173073QQQ; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php%23%2Fhome.php; xs=976XXXXXXXXXXXXXXXXXXX0e11a0e600; sid=2; sct=12XXXXXX70; made_write_conn=12XXXXXX70; lu=ghXXXXXXXXXXXXXXXXXXYgqQ; datr=12XXXXXXXX-XXXXXXXXXXXf24
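
An added example (not part of the original post or its capture files): a Node.js script that goes one step beyond the grep for Host lines above, reading a `tcpdump -A` text dump and reporting, per third-party host, whether the request carried a Cookie and whether the visited page was disclosed in the Referer or in the query string. The sample capture is constructed, modelled on the request shown above, and the function names are illustrative.

```javascript
// Request line as it appears inside tcpdump -A output; the packet bytes that
// precede it on the same line are rendered as dots and stray characters.
const REQUEST_LINE = /(GET|POST|HEAD) (\S+) HTTP\/1\.[01]/;
// Header names start with a letter, which excludes tcpdump timestamp lines.
const HEADER_LINE = /^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$/;

// Constructed sample capture (addresses, cookie values and the analytics
// path are made up; hostnames and the like.php request follow the post).
const SAMPLE_CAPTURE = [
  '21:03:11.100000 IP 192.0.2.10.50001 > 198.51.100.1.80: Flags [P.], length 320',
  'E..t..@.@.....GET /conditions/HIV/Pages/Introduction.aspx HTTP/1.1',
  'Host: www.nhs.uk',
  'Accept-Language: en-gb',
  '',
  '21:03:11.400000 IP 192.0.2.10.50002 > 198.51.100.2.80: Flags [P.], length 700',
  'E..t..@.@.....GET /plugins/like.php?href=http%3A%2F%2Fwww.nhs.uk%2fConditions' +
    '%2fHIV%2fPages%2fIntroduction.aspx&layout=button_count HTTP/1.1',
  'Host: www.facebook.com',
  'Referer: http://www.nhs.uk/conditions/HIV/Pages/Introduction.aspx',
  'Cookie: datr=XXXXXXXX; lu=XXXXXXXX',
  '',
  '21:03:11.600000 IP 192.0.2.10.50003 > 198.51.100.3.80: Flags [P.], length 410',
  'E..t..@.@.....GET /pixel.gif?x=1 HTTP/1.1',
  'Host: www.google-analytics.com',
  'Referer: http://www.nhs.uk/conditions/HIV/Pages/Introduction.aspx',
  '',
].join('\n');

// Split the dump into HTTP requests: request line plus the headers after it.
function parseRequests(captureText) {
  const requests = [];
  let current = null;
  for (const line of captureText.split(/\r?\n/)) {
    const start = line.match(REQUEST_LINE);
    if (start) {
      current = { method: start[1], target: start[2], headers: {} };
      requests.push(current);
      continue;
    }
    if (!current) continue;
    const header = line.match(HEADER_LINE);
    if (header) {
      current.headers[header[1].toLowerCase()] = header[2];
    } else {
      current = null; // blank line or next packet header ends the request
    }
  }
  return requests;
}

// A host is first-party if it is the site domain or one of its subdomains.
function isFirstParty(host, siteDomain) {
  const h = host.toLowerCase().replace(/:\d+$/, '');
  return h === siteDomain || h.endsWith('.' + siteDomain);
}

// True if `text` contains an http(s) URL whose host belongs to siteDomain.
function mentionsSite(text, siteDomain) {
  for (const m of text.matchAll(/https?:\/\/([^\/?#&\s]+)/gi)) {
    if (isFirstParty(m[1], siteDomain)) return true;
  }
  return false;
}

// One report row per third-party host seen in the capture.
function auditThirdParties(captureText, siteDomain) {
  const byHost = new Map();
  for (const req of parseRequests(captureText)) {
    const host = req.headers.host;
    if (!host || isFirstParty(host, siteDomain)) continue;
    const entry = byHost.get(host) || {
      host, requests: 0, sendsCookie: false,
      refererLeaksPage: false, queryLeaksPage: false,
    };
    entry.requests += 1;
    if (req.headers.cookie) entry.sendsCookie = true;
    if (mentionsSite(req.headers.referer || '', siteDomain)) {
      entry.refererLeaksPage = true;
    }
    let decoded = req.target;
    try {
      decoded = decodeURIComponent(req.target);
    } catch (e) {
      // malformed percent-encoding: fall back to the raw target
    }
    if (mentionsSite(decoded, siteDomain)) entry.queryLeaksPage = true;
    byHost.set(host, entry);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

console.log(JSON.stringify(auditThirdParties(SAMPLE_CAPTURE, 'nhs.uk'), null, 2));
```

With `-s 1024`, tcpdump truncates each packet at 1024 bytes, so a header that falls beyond that point (a long Cookie, for instance) will be missing from the dump; and because the filter is `dst port 80`, only unencrypted HTTP requests are seen.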

Possible Data Protection Violation

It was pointed out to me that I was referencing the incorrect ICO filing. The data controller for the NHS Choices website is the Department of Health and not NHS Direct.

Find below, my amended version of this and the following section of this blog post. – Mischa 2010-11-24 11:00:00.

In order to see the NHS’s Data Protection Policy, we had a look at their ICO filing, which led me to the following page:

http://www.ico.gov.uk/ESDWebPages/DoSearch.asp?reg=4693360
http://www.ico.gov.uk/ESDWebPages/DoSearch.asp?reg=4906007

I should start this section by saying that I am not a lawyer. But it seems like sections 6 and 4 purpose 2 are relevant to my question of “how come the NHS website has third-party tracking enabled, especially given that the tracking is provided by for-profit advertising companies?”. Firstly, it should be noted that by contacting Facebook and Google, data is being sent outside of the European Economic Area, which is in violation of their Data Protection commitment of “Transfers: None outside the European Economic Area”.

And as per the ICO filing the potential recipients are: Business associates and other professional advisers, Central Government, Data subjects themselves, Employees and agents of the data controller, Healthcare, social and welfare advisers or practitioners, Local Government, Ombudsmen and regulatory authorities, Other companies in the same group as the data controller, Persons making an enquiry or complaint, Police forces, Relatives, guardians or other persons associated the data subject, Survey and research organisations.

I would like to point out that nowhere in the ICO filing can one see that the NHS will be sharing data with advertising companies.

It should be noted that the ICO filing does not make it explicit that the Department of Health would not:

  • Sell advertising to patients
  • Sell/Provide user data for third party advertising

Next Steps: FOI

I am about to post off a Freedom Of Information request (tomorrow morning), asking the NHS to please supply the minutes of all policy and technical meetings involved in the decision to deploy iframes referencing non-NHS sites and to use third-party analytics software on NHS choices pages.

Next Steps: Official Complaint

Further to the FOI request I am going to submit an official complaint via the official NHS Choices feedback form: http://www.nhs.uk/aboutNHSChoices/Pages/ContactUs.aspx.

I have the latest copies of the FOI Request, the updated FOI Request and the Letter of Complaint up in .pdf format on my website.

Note that:

There is a way to deploy the Facebook Like button which would resemble an OPT-IN based user interaction, instead of the intrusive standard iframe-based approach. This involves the use of an “onClick” function call in JavaScript which would tell Facebook only when explicitly “liked”. Obviously this method of interaction does not display the “social information” such as like counts, and whether or not you would be the first of your friends to “like” a given page. The German social networking site jetzt.de moved from the iframe to the self-hosted version after vigorous backlash from the userbase about being tracked (see for instance http://jetzt.sueddeutsche.de/texte/anzeigen/385237, line 350). This example was given to me by Sören Preibusch from the University of Cambridge.
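
One way to build the opt-in deployment described above, as an added example that is not code from the NHS, Facebook or jetzt.de: the page ships a local placeholder button and creates the Facebook iframe only after the visitor clicks it, so no request reaches facebook.com on page load. The `like-slot` element id and the function names are assumptions; the like.php path and parameters are those in the captured request earlier in this post, and the https scheme is assumed.

```javascript
// Endpoint path as seen in the captured request; scheme is an assumption.
const LIKE_ENDPOINT = 'https://www.facebook.com/plugins/like.php';

// Build the iframe URL with the same parameters the capture shows.
function likeFrameUrl(pageUrl) {
  return LIKE_ENDPOINT +
    '?href=' + encodeURIComponent(pageUrl) +
    '&layout=button_count&show_faces=true&width=450' +
    '&action=like&colorscheme=light&height=21';
}

// Put a locally rendered button into `container`. Nothing is requested from
// facebook.com until the visitor clicks it; the click swaps the button for
// the real Like iframe, which is the point where the third-party request
// (with its cookies and the page URL) is first made.
function installOptInLike(doc, container, pageUrl) {
  const button = doc.createElement('button');
  button.type = 'button';
  button.textContent = 'Enable Facebook Like (this contacts facebook.com)';

  let loaded = false;
  button.addEventListener('click', function () {
    if (loaded) return; // ignore repeated clicks
    loaded = true;
    const frame = doc.createElement('iframe');
    frame.src = likeFrameUrl(pageUrl);
    frame.width = '450';
    frame.height = '21';
    frame.setAttribute('scrolling', 'no');
    frame.setAttribute('frameborder', '0');
    container.replaceChild(frame, button);
  });

  container.appendChild(button);
  return button;
}

// Browser wiring: only runs where a DOM exists. 'like-slot' is a
// hypothetical id for the element that would otherwise hold the iframe.
if (typeof document !== 'undefined') {
  const slot = document.getElementById('like-slot');
  if (slot) installOptInLike(document, slot, window.location.href);
}
```

Until the click, like counts and friends' likes are not shown, which is the trade-off the paragraph above describes.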

And Finally…

I would like to thank Steve Harris and Dan Brickley for helping me decide how to take this forward. And I would like to thank Richard Northover for the link.

Amendment 2010-11-24 16:57 Conflict in terms of NHS privacy policy
It has been pointed out to me that the NHS’s statement that communication with Facebook.com occurs only on pages with the Like button is also not true:

See the following page :

http://www.nhs.uk/livewell/depression/pages/depressionhome.aspx

I see no “Like” button on this page. But according to Firebug, there is still an HTTP request made to facebook.com from my browser.

The following quote from the NHS Choices privacy policy states :

“While we only share your information with the Data Processors, when you visit pages on our site that display a Facebook Like button, Facebook will collect information about your visit. For more information, read the relevant section of the Facebook privacy policy.”

Which is NOT true.

The following screenshot illustrates this. People are free to replicate, all you need is Firefox and the Firebug plugin (both free and open source).

Firebug + Firefox + NHS Website + Facebook.com HTTP request + No Like Button

NHS privacy policy

I thought I would cut and paste the NHS’s privacy policy, in case it changes (dated 2010-11-25 15:58:00 GMT):

“As a government department, we do not share data with other organisations unless the law permits us to do so. We do not sell individual information. We will share it only with our authorised Data Processors, who must act at all times on our instructions as the Data Controller under the Data Protection Act 1998. Before you submit any information, we will notify you as to why we are asking for specific information and it is up to you whether you provide it.

While we only share your information with the Data Processors, when you visit pages on our site that display a Facebook Like button, Facebook will collect information about your visit. For more information, read the relevant section of the Facebook privacy policy.”

Furthermore

It should be noted that it has been pointed out to me that AddThis’ privacy policy reveals they monetise their product through behavioural targeting. Would you be somewhat surprised if you started to receive adverts about your ailments on third-party websites?

54 comments

  1. fred garnett · November 21, 2010

    Great post. I worked on a project for the DfES, called Cybrarian, that produced a prototype Facebook in 2004, which was rejected by the UK govt. One key feature of our interface was that the user controlled the privacy settings. Designed with DP & other UK requirements in mind. How you can run a public ‘utility’ (Zuckerberg) where a corporation controls user settings beats me. Still £500m (?) to get them into East London, but could build a user-centred system for, say £10m. We set up a group called lastfridaymob, then the Learner-Generated Contexts group to discuss issues relating to social media and society, picked up the blog mentioned.

    • Mischa · November 21, 2010

      Thanks for the comment Fred, I will have a look into your Learner-Generated Content group shortly.

      Cheers,

      Mischa

  2. Toby Inkster · November 21, 2010

    Actually, it ought to be possible to display “like counts” while still protecting visitors’ privacy. All that needs to be done is for the NHS to load the facebook stuff from their own HTTP servers which would act as a proxy, not forwarding on any personally identifiable information.

  3. Harry Wood · November 21, 2010

    I’d suggest just complaining initially. Save the FOI request approach for later, if you get no satisfactory response. Good things can come from a simple complaint.

    It’s clear what’s happened here. They’ve set out an objective to get lots of traffic to these pages of the site, and the web developer team have identified social media gubbins as a way of achieving this. That is pretty normal web development practice these days after all. And they just haven’t thought about these negative aspects of 3rd party tracking. So a truthful response to your FOI request would not be very interesting. “We don’t have minutes of such meetings”. What you’ll probably get though, is a refusal on some other grounds, to avoid admitting that they didn’t discuss it.

    If they’d spent much time thinking about it, they might’ve noticed that a thumbs up “like” icon on the “Testicular Cancer” page is rather nonsensical, not to mention tasteless, anyway!

  4. Mischa · November 21, 2010

    Hi Harry,

    Thanks for your comment, I may end up following your suggestion and only sending the letter of complaint to begin with. I also agree that it is probably just the web dev team trying to push traffic to the NHS site. I feel that we need some serious education into the trade-offs that exist when adding off the shelf social features.

    Regards,

    Mischa

  5. Mischa · November 21, 2010

    Toby (tobyink on freenode) informed me today that it would be possible to add the social count based information from Facebook without leaking any information. This could be achieved by proxying requests through the NHS website. E.g. client requests the image http://www.nhs.uk/Conditions/Cancer-of-the-testicle/Pages/Introduction.aspx?proxy=likecount which in turn requests the count from Facebook, hence avoiding any leak of information.

    Thanks for the comment Toby.

  6. Mischa · November 21, 2010

    I have submitted my letter of complaint on 2010-11-22T10:55:00Z. I will report back with the NHS’s response.

    Mischa

  7. StewartM · November 21, 2010

    Hi Mischa

    I’m hoping to write an article highlighting your NHS research for PC Pro. Be great to have a chat. If you can drop me an email let’s discuss. Thanks in advance.

  8. Chris · November 21, 2010

    My web-development company has a few NHS clients, so this is really important advice, thanks. Keep going with the complaint, but as always, a lot has already been done by writing such an informative blog post for people like me to read and understand!

    So you haven’t mentioned it specifically, but is this also happening via Google Analytics tracking code? ie. I log into Gmail, then visit NHS Choices webpage about breast cancer, and then google ‘knows’ that I (Chris) have breast cancer? Are they then going to show me advertisements for breast cancer pills next time I browse the web?

    Shouldn’t the first step for any NHS webmaster using GA be (1) go to your google analytics account, (2) click on ‘Edit Account Settings’, (3) click on ‘Do Not Share My Google Analytics Data’ ?

  9. Dave · November 21, 2010

    Are we assuming that facebook and google will use the information they gather maliciously?

    If so, shouldn’t we also be concerned about the datacentres where NHS services are hosted? If google and facebook aren’t to be trusted with our information, then nor are any of the employees at the datacentre. It would be trivial to sniff traffic and find out who a visitor is, even where they live!

  10. Chris · November 21, 2010

    @Dave – it’s easy to imagine or be scared of a criminal or malicious use of the data, but more direct concerns for me (a web developer) are:

    (1) Suddenly facebook ‘knows’ that I’ve been visiting pages about cancer, and starts to use that information to show cancer adverts for commercial gain. Facebook is a business, and everyone can opt-out (ie. don’t sign up), but it’s not a great leap to imagine how my tax funded NHS starts providing commercially valuable data to a private company that could, potentially, capitalise on my physical or emotional trauma.

    (2) Lots of websites have privacy policies that expressly state “we don’t share your data” etc. etc., and there are legal obligations as pointed out that could result in fines, court trials, etc. etc. I don’t want my customers going to jail over some complicated backdoor data leakage like this.

  11. Mischa · November 21, 2010

    Hi Chris,

    I have no proof that it is happening via Google Analytics, I have never used it, but thanks for the pointer regarding GA configuration.

    Dave,

    I am not assuming that anyone is doing anything maliciously, for if I was there would be a number of other places which information could be leaked – as mentioned in your comment. I would like to know why the information is being sent to Facebook in the first place. In an ideal world, users should be free to browse the NHS choices website without their information being sent across to “for-profit” advertising companies.

    Thanks for the comments guys!

    Mischa

  12. Tom Watson MP · November 21, 2010

    Hi Mischa,

    I’ve written to Andrew Lansley. Thanks for pointing this out. The letter was hastily written so apologies if I haven’t properly reflected your excellent digital sleuthing in the content.

    http://www.tom-watson.co.uk/2010/11/nhs-site-allowed-to-spy-on-your-visiting-habits/

    Thanks once again.

    • Mischa · November 21, 2010

      That is awesome, thanks for chasing this for me Tom.

  13. Brian Clifton · November 21, 2010

    You make very valid points Mischa and I wanted to thank you for raising the awareness of this.

    In terms of Google Analytics (GA), I wanted to point out a few facts:

    1. GA does not track any personal identifiable information.
    To answer Chris’s comment directly – if you log into Gmail, then visit NHS Choices webpage about breast cancer, and then google ‘knows’ that I (Chris) have breast cancer?

    No, that is not the case and you can verify this by examining the headers sent to Google (for example using the Firefox plugin Firebug).

    In fact, as far as web tracking goes, Google is probably the least invasive because all visitor information reported is not only anonymous but is also in “aggregate” i.e. it is not at the individual level. A number of competitors flag this as a limitation, but in fact it is a deliberate decision by Google not to track individuals with GA.

    As a sideline, if as an individual you wish to opt out of being tracked by GA you can install the official opt-out plugin from Google – http://tools.google.com/dlpage/gaoptout

    2. Safe Harbour
    I too am no data protection lawyer, however your point about data being sent outside of the European Economic Area is covered by Safe Harbour agreements – http://www.export.gov/safeharbor/

    Best regards, Brian Clifton
    Former Head of Web Analytics, Google EMEA
    Author, Advanced Web Metrics with Google Analytics

    • Mischa · November 21, 2010

      Hi Brian,

      Thanks for your post, and thank you for clarifying the position with regards to Google Analytics (GA). Firstly, I should stress that I don’t really know much about GA, I have never used it myself, I have only ever used open-sourced analytics software, which I have hosted myself.

      I am happy to hear that GA focuses on aggregate information, and yes Firebug is your friend, I did notice that GA doesn’t send cookies back and forth when I accessed the NHS choices website. I thought this could have been because I used Ad-blocker, but you have clarified the position wrt to GA, and for this I am thankful.

      With regards to the Safe Harbour, I should stress that I too am not a lawyer, but I feel that sending information outside goes against the NHS’s ICO filing, which I link to in my blog post.

      Thanks for your post, and all the best.

  14. Anon · November 21, 2010

    Your FOI request is incorrectly addressed.
    NHS Direct is unrelated to NHS Choices.

    • Mischa · November 21, 2010

      Hi Anon,

      Thanks for this link, I will revisit the ico website, will search for the filing for NHS choices.

      Mischa

      • Mischa · November 21, 2010

        It has been pointed out to me that I had incorrectly pointed to the ICO filing for “NHS Direct” where NHS Choices’s data controller is the Department of Health. I apologise for this, as per the NHS Choice’s privacy policy:

        “The Department of Health is the Data Controller for this website under the Data Protection Act 1998.”

        The Department of Health’s ICO filing which I quote here states In Purpose 2: Advertising, Marketing & Public Relations:

        “Transfers: None outside the European Economic Area”

        I will make annotated changes to the blog post accordingly.

        • Mischa · November 21, 2010

          I have made annotated changes to the blog post, pointing to the correct ICO filing.

          Thanks Anon!

  15. Sophy Silver, Facebook · November 21, 2010

    Medical privacy is a crucial issue for most of us and following Mischa’s post we’re keen to allay any fears people might have around Facebook’s use of data associated with the Like button, which the NHS Choices website chose to adopt.

    It appears that Mischa is concerned with what Facebook could potentially do with the data it uses to make this experience work. Facebook does not share your data with third parties. It is against Facebook’s terms to use this data for any purpose other than to create a more personalised experience on the web. In the same way that the NHS would not share your data, Facebook would not either.

    The Like button allows people to share information that is important to them with their friends. On the NHS website people are opting to raise awareness around illnesses that affect all of us and the Facebook like button is a great way to help people spread the NHS’s education messages about early detection and prevention of such illnesses.

    Wherever anybody goes on the web your IP address is being registered and nearly every site you visit has content embedded in it that is served from elsewhere. This could be an ad delivered by an adnetwork, a photo or video delivered by a content hosting service, or maps served by a mapping provider. To do this, all of these sites register your IP address or use cookies. If a site is using a Facebook plugin such as the Like button, and you are logged-in to Facebook when you visit that site, you will see the total number of ‘Likes’ and whether any of your friends have also liked the same page, giving you a personalised experience. You can only ever see the information relevant to you and information that others have chosen to make public. The fact that you had visited the page wouldn’t be displayed to anyone on the web page unless you have actively clicked on the Like button, not just if you visited the site. If you never want to see this functionality on other websites then you can easily turn off Facebook Platform in your privacy settings.

    Sophy Silver, Facebook Press Office

    • Mischa · November 21, 2010

      Dear Sophy,

      Firstly, thanks for your response, I am happy to hear that Facebook think that medical privacy is a crucial issue for most of us.

      When you say that Facebook does not share my data, in the same way that the NHS doesn’t, with third-parties, I am sure this is the case and trust Facebook does not. I have no doubt that Facebook does not share their users’ personal data. This blog post was intended as a question to the NHS, for I still wonder why Facebook should be getting all of this tracking data, given the intrusive method of user tracking. As a user of the NHS, and as someone who understands web technology I understand the implication of the iframe injected implementation of the Like button. I also trust that Facebook doesn’t trade with third-parties, but I also understand that Facebook makes money by selling targeted advertising to be shown to its users, which is totally fine. I have not seen that many studies, but my bet is that users don’t generally log out of websites, don’t read privacy policies, and regardless of the fact that I feel that the NHS Choices privacy policy doesn’t talk about logging out, and also falsely stated that Facebook tracking only occurs on pages which have the Like button, which I have addressed at the end of the blog post above – I don’t see this decision to be one which favours the end-user. On the topic of privacy policies, Joseph Bonneau and Sören Preibusch from the University of Cambridge have done some great work in this space.

      I also appreciate that only friends of mine in Facebook would know that I have visited a site if I actively click on a Like button, my point was that Facebook will know that about the user.

      Finally, regarding my statement regarding how Facebook could track users when they are logged out. After having a look at the facebook cookies sent across HTTP when both logged in and logged out, I noticed that there was some sort of unique identifier, which I am led to believe is a browser/os footprint of some sort. Browser footprints, IP address, and the fact that a given browser X at IP address Z was userid Y in the past, I would imagine that it is technically possible to guess, with quite a high probability, which userid the given logged out user is. On this topic, the EFF have done some excellent work on the uniqueness of browser footprints, which is worth a mention.

      Once again, I am not having a dig at Facebook as I understand that you are in the business of collecting personal information about your users so that you can give them a more personalised web experience, what I am not clear about is why my NHS browsing habits should be utilised by Facebook, allowing Facebook to improve their ability to provide their service.

      Regards,

      Mischa

  16. js · November 21, 2010

    Mischa

    Thanks for your interesting post but I think you should take care not to cause others to conflate the tracking of web pages about health subjects with an individual’s personal health information. Also government sites should not be seen as a class apart.

    The NHS site you mention does not hold personal health records for anyone, let alone allow them to be tracked by others. It has general health information pages on everything from backpain to HIV just like millions of other websites round the world. One would not worry about a Facebook Like button on an AOL page on HIV, so why worry about a similar page on the NHS site. The information passed on simply indicates that the user may have an interest in that subject. Nothing more.

    I think this is important for two reasons: first, people’s knowledge of health is v poor in many communities around the globe and many millions of lives could be improved, indeed saved, if only that knowledge was better distributed. Social networking sites have a major role to play in this and it is important not to scare people off using them.

    Second, it is not helpful to consider government sites as a class apart. Indeed much of the reason governments around the globe have been so slow in disseminating vital information for citizens via digital means is because they have become unnecessarily paranoiac about security. This in turn undermines government services and efficiency. In the end that undermines democracy.

    In the real world, the major risks to people’s personal privacy still revolve round physical things like paperwork, phones and credit cards which can easily be targeted and lifted. The NHS, for example, still sends test results in the post rather than via encrypted and password protected email systems such as gmail. The latter is clearly much more secure but governments do not use them because of worries about digital security. I’m not saying such worries are unimportant but they need to be put in perspective. For example, how many instances are there of letters being “lost” in the post, compared to say Facebook hacks of named users browsing data? And which is likely to do more damage in privacy terms?

    • Mischa · November 21, 2010

      Hi JS,

      Thanks for your comments, I will try to address your points below.

      Firstly, I would like to state that I have never tried to conflate the concept of tracking users on web pages about health conditions with that of tracking of peoples’ personal health records. And I have never brought up anything to do with “Facebook hacks of named users browsing data” in any of my communications on this topic.

      With regards to your view of not treating government websites as a class apart, sadly I do not share your convictions here. I will explain why, there are certain things about government which I would not expect from a commercial entity. For example, take the recent data.gov.uk initiative where public data is being released so people can scrutinise data that influences policies made by the government. From my point of view, this is both very exciting, and is something which I would not expect a commercial entity to do. In the same way, I feel that our public run health services should be set out to serve and protect the peoples of the United Kingdom. I would much prefer a health service which would acknowledge that sometimes health issues can be embarrassing and that users of their services should have their anonymity preserved where possible, and would have to opt-in to have their data sent to a commercial third-party, intentions of the third-party aside. I have never implied that there would be any Facebook related data breaches or that facebook may be selling this data on to third parties, I just questioned why the NHS decided to allow for this invasive method of social networking to be forced onto users of the NHS website. Expecting users to read privacy policies to know that their data could be shared with Facebook to get social features, and to have the a priori knowledge that one has to make sure they log out of Facebook before turning up at the conditions pages on NHS Choices to stop that data being sent to facebook.com, is something I felt I should bring up.

      Your comment about democracy, once again, sorry I don’t follow it. I don’t feel oppressed in any way living in the UK, and I value my ability to voice my concerns regarding the deployment of technologies on national services such as the NHS Choices website.

      I have no educated views regarding the physical risks to personal privacy, and I am not aware of any statistics regarding the amount of post reported lost/stolen; but I am guessing that it probably happens a lot. I bet you could find that information if needed. With regards to reports describing the amount of personal information accidentally disclosed/stolen in the public domain, I can link to some work we have in this space: “extent to which the UK public is at risk of unintentionally exposing personal information online” and Garlik’s UK Alert Map October 2010. But once again, I don’t think the point addressed in this last paragraph has anything to do with the contents of this blog post.

      Cheers JS,

      Mischa

  17. Mischa · November 21, 2010

    I have added a further point to the end of my blog post. With a screenshot to illustrate :

    “It has been pointed out to me that the NHS’s statement that communication with Facebook.com occurs only on pages with the Like button is also not true:

    See the following page:

    http://www.nhs.uk/livewell/depression/pages/depressionhome.aspx

    I see no “Like” button on this page. But according to Firebug, there is still an HTTP request made to facebook.com from my browser.”

  18. _Zam_ · November 21, 2010

    Hi Mischa,

    thanks for raising this issue and amending the post according to the newly emerged facts.

    GA is usually installed on the website to track visitors’ behaviour within the website with the view of getting some actionable insights and improving users’ website experience.

    However, after reading your post, it sounded like Google Analytics is the tracking evil which has been used for some financial benefit like any other commercial websites like Facebook do.

    Only after reading all the comments I saw Brian’s comment and your acknowledgement of Google’s neutrality approach, but not many would read all these comments and will keep thinking that GA is evil. Also your post has been re-posted, so even less people will see Brian’s reply.

    These posts like yours are great and harmful at the same time.

    • Mischa · November 21, 2010

      Hi Zam,

      I was very careful not to be too damning of GA, and like I said, even though I know what it does, and have seen people fly it before, I was not that damning. I am not passing judgment or saying that people who are tracking for advertising revenue are evil, I am well aware it happens a lot, and it is one of the reasons why we have so many great services on the web.

      I acknowledged Brian’s comment, as like I said I am not that clued up on GA, and Brian seemed to know what he was talking about.

      I am sad that you find my post harmful, I still believe I have raised an important issue around: the NHS Choices website, and the OPT-OUT nature of the Facebook Like tracking, which is touched upon in some privacy policy. I still wonder how many users read privacy policies, and how many users are aware that not logging out of facebook.com means that facebook.com will know that they are currently on some random page with a Like button, regardless of whether you click the Like button or not.

      I am sorry that you feel that my blog is harmful, I mean I have no grudge against facebook.com, I have a facebook profile, I like what they have done with the open graph protocol, but I don’t think the NHS should be hosting the Like buttons.

      Regards,

      Mischa

  19. js · November 21, 2010

    Hi Mischa

    Thanks for getting back and I accept you are not trying to conflate health records with general health information but I do think you are at risk of causing others to do so.

    For example, you said:

    “I would much prefer a health service which would acknowledge that sometimes health issues can be embarrassing and that users of their services should have their anonymity preserved where possible, and would have to opt-in to have their data sent to a commercial third-party, intentions of the third-party aside.”

    This is polemic and implies the NHS does not acknowledge that health issues can be embarrassing/personal and does not care about anonymity, which is not the case. In fact the opposite is true – so much so that it is preventing it and other arms of government from innovating in the digital space. How many great transactional services have been proposed by Directgov only to be killed off over minor but news-headline friendly worries about digital security? My guess is that it’s quite a few…

    Also, your use of “their data” implies the data you are talking about is somehow highly sensitive and personal and in a different class than other browsing data but this is not the case. It’s simply a string of URLs on general health information pages. And it remains anonymous unless you actively decide to actively log in (ie opt-in) to a Facebook type account. Even then it is protected by a strict privacy policy the individual has signed-up to, not to mention laws.

  20. _Zam_ · November 21, 2010

    Hi Misha,
    Thanks for replying.
    “This means, that if one has ever logged into a Google account, or a Facebook account and then visits one of the pages on the NHS site, the company will then know that their user X was just looking at a page about condition Y on the NHS website.”

    The phrase above made me think the opposite to what you replied.

    If you read the post from Tom Watson here: http://www.tom-watson.co.uk/2010/11/nhs-site-allowed-to-spy-on-your-visiting-habits/

    It says NHS allowed Google and Facebook to spy on your visiting habits which sounds more like the information has been given to a third party.

    When you call NHS you will hear the message that the calls will be recorded which means that the phone company will have access to the records and phone numbers, however no one talks about the privacy at that moment.

    People indeed do not read privacy policies, but it’s their choice not to read it.

    Do you think having the line in the footprint with the directions to opt-out would change the situation, or you would rather not have any tracking on the website at all?

  21. Toby Inkster · November 21, 2010

    Actually, FWIW the Google Analytics case is somewhat less invasive.

    It uses a separate domain name google-analytics.com, which browsers will treat as a separate “Origin” in terms of cookies. This means that your google.com cookies will not be visible to google-analytics.com and vice versa.

    It’s not especially difficult for two origins to figure out cookies that correspond to each other. (e.g. Origin A loads an iframe from origin B and sticks origin A’s cookie data in the iframe document’s query data – after a “?” mark. The origin B iframe then references an image loaded from origin A with similar query string trick. Thus both origins find out the cookies associated with each other.) However, this sort of thing requires at least some effort from the controllers of both sites, and doesn’t happen by default.
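The exchange described in the comment above can be spotted in a browser request log by looking for one host's cookie value turning up in another host's query string. The following is an added example, not part of the original thread; the hosts, cookie names, values and log layout are all constructed, and hosts are compared directly rather than by registrable domain.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed request log: each entry is one request the browser made,
# with the cookies it sent to that host.
LOG = [
    {"url": "https://a.example/page", "cookies": {"aid": "A-7f3c9e21"}},
    # Origin A embeds an iframe from origin B, passing A's cookie in the query.
    {"url": "https://b.example/frame.html?partner_uid=A-7f3c9e21",
     "cookies": {"bid": "B-55d0aa17"}},
    # The iframe from B loads an image from A, passing B's cookie back.
    {"url": "https://a.example/pixel.gif?their_uid=B-55d0aa17",
     "cookies": {"aid": "A-7f3c9e21"}},
    {"url": "https://cdn.example/lib.js?v=3", "cookies": {}},
]


def find_cookie_syncs(log, min_len=8):
    """Return (cookie_owner, receiving_host, parameter) for every request
    whose query string carries a cookie value held by a different host."""
    owner = {}  # cookie value -> first host seen holding it
    for req in log:
        host = urlsplit(req["url"]).hostname
        for value in req["cookies"].values():
            if len(value) >= min_len:  # skip short flags such as "1" or "en"
                owner.setdefault(value, host)

    syncs = []
    for req in log:
        parts = urlsplit(req["url"])
        for key, value in parse_qsl(parts.query):
            src = owner.get(value)
            if src and src != parts.hostname:
                syncs.append((src, parts.hostname, key))
    return syncs


if __name__ == "__main__":
    for src, dst, param in find_cookie_syncs(LOG):
        print(f"{src} cookie value sent to {dst} in parameter {param!r}")
```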

  22. David Gale · November 21, 2010

    A brave move! Welcome to the world of the Great Unwashed – people who have told it like it is, in spite of pressure not to rock the boat with government. You may anticipate hard times ahead as the ranks close against anyone that dares to inform the Emperor of his sartorial gaffe.

    • Mischa · November 21, 2010

      Awesome Stuff Pete,

      Thanks for the link :)

  23. Lynda B · November 21, 2010

    Am just pleased as chuff that I don’t bother with the likes of Facebook – primarily for the reason of privacy. OK, so I guess we can all decide how ‘invasive’ social media is in our lives but for what you do online to be ‘tracked’ just as Phorm tried to smacks of Big Brother. I, for one, do not need a Nanny, digital or otherwise, to censor or observe what I do or do not do. Here’s to the whole tracking system being either scrapped or, at the very least, re-released on the presumption that folks want to opt OUT, and have to checkbox whether to opt IN or not.

  24. Justin · November 21, 2010

    This post is interesting and all, however what deeply concerns me is that your petition is worded in a way that is intentionally misleading.

    What makes matters worse is that this explanation article, although presenting the complete facts, is far too technical for most people to understand – the next result is at best an incredibly irresponsible portrayal of the facts.

    I strongly believe that you should re-word the petition in a way that makes it clear that users’ medical records are not being shared.

    • Mischa · November 21, 2010

      Hi Justin,

      Thanks for posting your view. I don’t think my language is intentionally misleading at all. I do NOT mention anything about “medical records” anywhere, please link me to where I have if you disagree. I am sad that you have misunderstood my blog post and that you are so upset, but I do still feel strongly about this, and do feel that I have done a good job of making my views explicit. Furthermore, what petition?

      Regards,

      Mischa

  25. Mischa · November 21, 2010

    I have just come across an awesome blog post by about ad tracking systems on the web :

    http://blog.ouseful.info/2010/05/17/personal-declarations-on-your-behalf-why-visiting-one-website-might-tell-another-you-were-there/

  26. David Gale · November 21, 2010

    @Justin – There’s little merit in aiming a technical communication at the lowest common denominator. If you don’t have the understanding – move on.

  27. Mischa · November 21, 2010

    David Gale,

    Whoever you are you rule !

  28. Publicity Shy · November 21, 2010

    How much commercial new business will Garlik generate through your clever PR stunt…. I note you are not simply a worthy evangelist but a business that sells products in this market.

    • Mischa · November 21, 2010

      Hi Publicity Shy,

      You are welcome to your opinion, and in the vein of transparency I am accepting all comments to this post which are not spam.

      All I can do in response to your criticism is to state my point of view on this matter. I have been pursuing this work for a while now, of course I have become more interested in this field due to the environment I work in, and the web developer community I am actually actively engaged with and I will state that this is nothing for me to be ashamed of. I am a web technologist and have been an active researcher in this space since 04, I have no experience in PR, and would never consider myself as one which excels in it.

      I wrote this work up on my own blog, and initially posted it stating no affiliation to my current employer. With regards to Garlik selling products “in this market”, we have a product in the market which is in the space of protecting people from accidental/malicious disclosure of personal information, it has nothing to do with the matter at hand. There is no information leakage in the story at hand, my issue is with the NHS’s decision to implement this social feature as reported.

  29. RobD · November 21, 2010

    Hi Mischa,

    I work as Information Governance officer for a commercial third party (CTP) supplier of IT services to NHS organisations.

    Thought I might bring the NHS Connecting for Health Information Governance Toolkit to your attention. https://www.igt.connectingforhealth.nhs.uk

    Here is an example requirement on a CTP “Consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the disclosure of confidential personal information are appropriately respected”

    Consent models are only considered robust with express opt-in.

    Happy to dig around for you. Drop me a mail. BW, Rob

  30. duchurea · November 21, 2010

    “Save the FOI request approach later, if you get no satisfactory response. Good things can come from a simple complaint.”
    You can out more?

  31. Mischa · November 21, 2010

    A former colleague of mine, Christopher Gutteridge, knocked up a page on totl.net highlighting what information can be gathered about a user from a domain which is hosting an iframe on a given web page.

    This highlights how much information both addthis.com and facebook.com get their hands on every time anyone turns up to a page on the NHS Choices website:

    http://data.totl.net/page-about-something-embarrassing.html

  32. Adams · November 21, 2010

    I notice that this interesting exchange is still alive.
    Sophy Silver says ‘Facebook does not share your data with third parties. It is against Facebook’s terms to use this data for any purpose other than to create a more personalised experience on the web. In the same way that the NHS would not share your data, Facebook would not either.’
    As far as I understand this is disingenuous at best.
    It is well known that Facebook do not share any data directly with third parties who purchase their services. What Facebook do is act as gate keepers to the underlying data pool, which they wrap as packages to third parties. The third party does not access the data, they request a package that would make use of certain data.
    The third party cannot use the data directly. But that protects Facebook business interests.
    The pool of data is improved by the sources of data at Facebook’s disposal. Sophy gives no reason to believe that data gathered from the NHS web sites is not also used in this pool. It is anonymised and is not directly available to the third party, any way.
    But this begs the question of whether this data should be made available to Facebook in the first place.
    We must assume that would-be advertisers can be pretty specific in their bundle requests, i.e. for very specific demographics, categories hugely enriched by the ‘free research data’ that Facebook is in receipt of from the NHS.

  33. RobD · November 21, 2010

    The FOI request was responded to on 22 December 2010.

  34. Mischa · November 21, 2010

    Thanks for that RobD. I didn’t think that there would have been any comms between fb and NHS Choices when it was developed. But I don’t agree with their rants about user experience, or how it would require more clicking by the user, but I will respond to them on this soon.

    On a related but humorous note check out this honest privacy policy :

    http://www.itworld.com/print/129778

  35. Pingback: Quora
  36. superkhan333 · November 21, 2010

    A former fellow of mine, Christopher Gutteridge, knocked up a tender on totl.net light what content can be concentrated virtually a individual from a area which is hosting an iframe on a assumption web writer.

    This highlights how much assemblage both addthis.com and facebook.com get their hands on everytime anyone turns up to a author on the NHS Choices website.

    • Mischa · November 21, 2010

      Hi, yes I too know Chris, I did a PhD at the university of southampton. Chris put his example up on totl.net after reading my blog post, highlighting what was going on ;) Cheers!

  37. John Manning · November 21, 2010

    Looks like it has been put to a simple link on the NHS Choices web site now.

    • Mischa · November 21, 2010

      Hi John,

      Indeed they seem to have implemented less intrusive social features on the NHS Choices website, hats off to the team at Choices. Saying that though, there are still a hell of a load of 3rd party cookies dropped in my browser when I access the LiveWell depression page. It should be noted that my browser is configured to send the “Do Not Track” header supported by FF4 and IE9. These can be seen below:

      receive.inplay.tubemogul.com
      _tmid=nsL2IwFXdAnS-KckpqPU; Domain=.tubemogul.com; Expires=Fri, 28-May-2021 08:08:12 GMT; Path=/

      rcv-srv36.inplay.tubemogul.com
      _tmid=blocked; Domain=.tubemogul.com; Expires=Fri, 28-May-2021 08:08:13 GMT; Path=/
      Note that the above subdomain of tubemogul seems to respect my Do Not Track header, but their “receive.inplay.tubemogul.com” subdomain does NOT.

      statse.webtrendslive.com do NOT seem to care about my Do Not Track header either – bad webtrendslive.com
      Response Headers
      Connection close
      Date Tue, 31 May 2011 08:17:57 GMT
      Server Microsoft-IIS/6.0
      X-Powered-By ASP.NET
      Location /dcss9yzisf9xjyg74mgbihg8p_8d2u/dcs.gif?dcsredirect=126&dcstlh=0&dcstlv=0&dcsdat=1306829876670&dcssip=www.nhs.uk&dcsuri=/livewell/depression/pages/depressionhome.aspx&WT.co_f=241b45db4deb44e8fe21300705429388&WT.vtid=241b45db4deb44e8fe21300705429388&WT.vtvs=1306829281392&WT.tz=1&WT.bh=9&WT.ul=en-US&WT.cd=24&WT.sr=1280x800&WT.jo=Yes&WT.ti=Living%20with%20depression%20-%20Live%20Well%20-%20NHS%20Choices&WT.js=Yes&WT.jv=1.8&WT.ct=unknown&WT.bs=1057x632&WT.fv=10.2&WT.slv=Not%20enabled&WT.tv=8.6.2&WT.dl=0&WT.ssl=0&WT.es=www.nhs.uk/livewell/depression/pages/depressionhome.aspx&WT.cg_n=Live%20well&WT.cg_s=Depression&WT.sv=NHC10WEB02PRP&WT.vt_f_tlh=1306829291&RealUrl=/livewell/depression/Pages/Depressionhome.aspx&Server=NHC10WEB02PRP
      Content-Length 0
      Set-Cookie ACOOKIE=C8ctADE4OC4yMjAuNDEuMTEwLTEwNjI2NTY1MTIuMzAxNTQ2MDMAAAAAAAABAAAAGV8AADWk5E01pORNAQAAAIsnAAA1pORNNaTkTQAAAAA-; path=/; expires=Thu, 10-Dec-2015 10:27:34 GMT
      P3P CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
      Request Headers
      Host statse.webtrendslive.com
      User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
      Accept image/png,image/*;q=0.8,*/*;q=0.5
      Accept-Language en-us,en;q=0.5
      Accept-Encoding gzip, deflate
      Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive 115
      DNT 1
      Connection keep-alive
      Pragma no-cache
      Cache-Control no-cache

      Whereas google-analytics.com seems to respect my Do Not Track header by not dropping any cookies, but it does send a lot of information as CGI arguments back to Google’s servers:

      utmac UA-9510975-1
      utmcc __utma=108719325.1143327356.1306829880.1306829880.1306829880.1;+__utmz=108719325.1306829880.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
      utmcs UTF-8
      utmdt Living with depression - Live Well - NHS Choices
      utmfl 10.2 r152
      utmhid 219190485
      utmhn www.nhs.uk
      utmje 1
      utmn 597194919
      utmp /livewell/depression/pages/depressionhome.aspx
      utmr -
      utms 1
      utmsc 24-bit
      utmsr 1280x800
      utmu D~
      utmul en-us
      utmwv 4.9.4

      It should also be noted that the above google-analytics GET request is sent both over SSL and over port 22, I wonder why this should be sent encrypted at all, SSL based connection to google should suffice …
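The two checks made by hand in the comment above (which hosts set an identifying cookie on a request carrying `DNT: 1`, and which query parameters carry the page being read) can be scripted. This is an added example, not part of the original thread: the exchanges are transcribed from the comment with shortened query strings, the ACOOKIE value is a placeholder, and the dict layout, the GA request path and the list of opt-out marker values are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

PAGE_PATH = "/livewell/depression/pages/depressionhome.aspx"
PAGE_TITLE = "Living with depression - Live Well - NHS Choices"
_T = "Living%20with%20depression%20-%20Live%20Well%20-%20NHS%20Choices"

# Transcribed from the comment above (shortened); layout is an assumption.
EXCHANGES = [
    {"host": "receive.inplay.tubemogul.com", "dnt": "1", "url": "/",
     "set_cookie": ["_tmid=nsL2IwFXdAnS-KckpqPU; Domain=.tubemogul.com; Path=/"]},
    {"host": "rcv-srv36.inplay.tubemogul.com", "dnt": "1", "url": "/",
     "set_cookie": ["_tmid=blocked; Domain=.tubemogul.com; Path=/"]},
    {"host": "statse.webtrendslive.com", "dnt": "1",
     "url": "/dcss9yzisf9xjyg74mgbihg8p_8d2u/dcs.gif?dcssip=www.nhs.uk"
            "&dcsuri=" + PAGE_PATH + "&WT.sr=1280x800&WT.ti=" + _T +
            "&WT.es=www.nhs.uk" + PAGE_PATH + "&WT.cg_s=Depression",
     "set_cookie": ["ACOOKIE=PLACEHOLDER-VALUE; path=/"]},
    {"host": "www.google-analytics.com", "dnt": "1",
     "url": "/__utm.gif?utmhn=www.nhs.uk&utmp=" + PAGE_PATH +
            "&utmdt=" + _T + "&utmsr=1280x800",
     "set_cookie": []},
]

# Assumption: cookie values that mark an opt-out rather than identify a user.
OPT_OUT_VALUES = {"blocked", "optout", "opt_out"}


def cookies_despite_dnt(exchanges):
    """(host, cookie name) for each identifying cookie set on a DNT: 1 request."""
    hits = []
    for ex in exchanges:
        if ex["dnt"] != "1":
            continue
        for raw in ex["set_cookie"]:
            name, _, value = raw.split(";", 1)[0].strip().partition("=")
            if value.lower() not in OPT_OUT_VALUES:
                hits.append((ex["host"], name))
    return hits


def page_disclosures(url, page_path=PAGE_PATH, page_title=PAGE_TITLE):
    """Query parameters whose decoded value contains the page path or title."""
    needles = (page_path.lower(), page_title.lower())
    leaked = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if any(n in value.lower() for n in needles):
                leaked[key] = value
    return leaked


if __name__ == "__main__":
    print(cookies_despite_dnt(EXCHANGES))
    for ex in EXCHANGES:
        print(ex["host"], sorted(page_disclosures(ex["url"])))
```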

  38. Pingback: Flicage marketing : Facebook, Twitter, Linkedin, Gouv.fr dans le même sac « Carla Noirci's Log
  39. SEO Services · November 21, 2010

    I’m hearing that the UK government in the shape of Jeremy Hunt are trying to insist Google ignores entire sites accused of copyright infringement. This is bullshit – all the government’s doing is paving the way to demand the closing of any and all sites critical of government. It would be an end to free speech on the Internet.