The NHS is allowing Google, Facebook, and others to track your http://www.nhs.uk/ browsing habits, regardless of the fact that people use the page to seek medical advice. It was recently pointed out to me that the NHS Choices website’s social features include the Facebook Like button (see e.g. the page on Testicular Cancer). Due to the fact that the standard method of Facebook Like button deployment is intrusive to say the least, I thought I would look into identifying which third party companies have been given permission to track users on NHS Choices, and my results are rather disconcerting.
In short, there are four third-party advertising/tracking companies which are informed every time a user visits one of the “conditions pages” on the NHS Choices website. These, listed below, all get to make a call from the user’s browser, in turn allowing the four companies to access their cookies and track the user (explained in a previous blog post of mine, and in Bala’s research). This means that if one has ever logged into a Google account or a Facebook account and then visits one of the pages on the NHS site, the company will then know that their user X was just looking at a page about condition Y on the NHS website.
These are the four third party companies that make requests every time a “conditions page” on http://www.nhs.uk/ is viewed by a user:
jambi:~ mt $ grep "Host" tcpdump.ext.20101121.log | sort -u
Two of the four third-party sites (facebook.com and addthiscdn.com) are contacted in order to provide the “social functionality” shown in the following screenshot. This intrusive OPT-OUT method of adding social features to the NHS website is, in my opinion, NOT acceptable. I would only deem this to be acceptable if the NHS has written declarations from the two aforementioned services stating that they WOULDN’T be tracking people’s browsing habits on http://www.nhs.uk/.
The other two sites contacted (webtrendslive.com and google-analytics.com) seemed to be used for analytics purposes. In my view, this task should NOT be outsourced to a third party. If this was a website about pub reviews these third-party services would be acceptable, but due to the nature of the information on the Choices website, I feel the NHS should be hosting their own analytics code. OK, I understand that the NHS needs to gather statistics about their website usage, but their users’ privacy should be of utmost importance, and there exist many open-source analytics packages which the NHS should run themselves.
In order to show that I am not making this up, I have captured all of the HTTP requests made by my browser when loading the HIV and AIDS information page on NHS Choices.
The below two files are logs of all HTTP requests made when loading the HIV page:
And this cut down log file shows all of the third-party HTTP requests made by one’s browser when loading the aforementioned page:
The above logs were captured using the following bash command:
tcpdump -A -s 1024 -i en0 dst port 80
The browser (Safari) had its history cleared, was logged into Facebook, had the Facebook window closed, and was then sent to the NHS page.
Bits of confidential data replaced with XXXs
GET /plugins/like.php?href=http%3A%2F%2Fwww.nhs.uk%2fConditions%2fHIV%2fPages%2fIntroduction.aspx&layout=button_count&show_faces=true&width=450&action=like&colorscheme=light&height=21 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-gb) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Accept-Encoding: gzip, deflate
Cookie: presence=DJ290173073BchADhA_22112.channelH1L60XXXXXXXXXXXXXXXXX4104WMblcMsndPBXXXXXXXXXXXsbPBtA_5b_5dBfAnullBuctMsA0QBblADacP0VXXXXXXXXXXXX0K290173073QQQ; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php%23%2Fhome.php; xs=976XXXXXXXXXXXXXXXXXXX0e11a0e600; sid=2; sct=12XXXXXX70; made_write_conn=12XXXXXX70; lu=ghXXXXXXXXXXXXXXXXXXYgqQ; datr=12XXXXXXXX-XXXXXXXXXXXf24
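The same audit done programmatically, as an added example that is not part of the original post: it parses `tcpdump -A` text, lists each third-party host contacted, and reports whether a cookie was sent and which NHS page URL the request disclosed (via Referer or a query parameter such as `href`). The sample capture is constructed; the addresses, cookie values, `/pixel.gif` path and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

FIRST_PARTY = "nhs.uk"  # site under audit; every other host counts as third party
REQ_RE = re.compile(r"(?:GET|POST) (\S+) HTTP/1\.[01]")
HDR_RE = re.compile(r"^([A-Za-z][\w-]*): (.*)$", re.M)

# Constructed sample in `tcpdump -A` layout (addresses, cookies, /pixel.gif are made up).
SAMPLE = """\
12:00:01.0 IP 192.0.2.10.50001 > 198.51.100.5.80: Flags [P.], length 200
E..@....GET /Conditions/HIV/Pages/Introduction.aspx HTTP/1.1
Host: www.nhs.uk

12:00:01.2 IP 192.0.2.10.50002 > 198.51.100.9.80: Flags [P.], length 400
E..@....GET /plugins/like.php?href=http%3A%2F%2Fwww.nhs.uk%2fConditions%2fHIV%2fPages%2fIntroduction.aspx&layout=button_count HTTP/1.1
Host: www.facebook.com
Cookie: datr=CONSTRUCTED; lu=CONSTRUCTED

12:00:01.3 IP 192.0.2.10.50003 > 198.51.100.7.80: Flags [P.], length 300
E..@....GET /pixel.gif HTTP/1.1
Host: www.google-analytics.com
Referer: http://www.nhs.uk/Conditions/HIV/Pages/Introduction.aspx
"""

def parse_requests(capture):
    """Yield (path, headers) per HTTP request; headers end at the first blank line."""
    parts = REQ_RE.split(capture)[1:]  # [path1, rest1, path2, rest2, ...]
    for path, rest in zip(parts[::2], parts[1::2]):
        block = re.split(r"\r?\n\r?\n", rest, maxsplit=1)[0]
        yield path, {k.lower(): v.strip() for k, v in HDR_RE.findall(block)}

def on_site(url):
    host = (urlsplit(url).hostname or "").lower()
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)

def third_party_report(capture):
    """Map third-party host -> whether cookies were sent and which site URLs it saw."""
    report = {}
    for path, hdrs in parse_requests(capture):
        host = hdrs.get("host", "").split(":")[0].lower()
        if not host or on_site("http://" + host):
            continue  # first-party request, nothing disclosed to an outsider
        params = parse_qs(urlsplit(path).query).values()
        seen = [hdrs.get("referer", "")] + [v for vs in params for v in vs]
        entry = report.setdefault(host, {"cookie_sent": False, "pages": set()})
        entry["cookie_sent"] = entry["cookie_sent"] or "cookie" in hdrs
        entry["pages"].update(u for u in seen if on_site(u))
    return report
```

A host that shows both `cookie_sent` and a non-empty `pages` set received an identifier together with the page being read, which is the combination the post objects to.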
Possible Data Protection Violation
It was pointed out to me that I was referencing the incorrect ICO filing. The data controller for the NHS Choices website is the Department of Health and not NHS Direct.
Find below, my amended version of this and the following section of this blog post. – Mischa 2010-11-24 11:00:00.
In order to see the NHS’s Data Protection Policy, we had a look at their ICO filing, which led me to the following page:
I should start this section by saying that I am not a lawyer. But it seems like sections 6 and 4 purpose 2 are relevant to my question of “how come the NHS website has third-party tracking enabled, especially given that the tracking is provided by for-profit advertising companies?”. Firstly, it should be noted that by contacting Facebook and Google, data is being sent outside of the European Economic Area, which is in violation of their Data Protection commitment of “Transfers: None outside the European Economic Area”. And as per the ICO filing the potential recipients are: Business associates and other professional advisers, Central Government, Data subjects themselves, Employees and agents of the data controller, Healthcare, social and welfare advisers or practitioners, Local Government, Ombudsmen and regulatory authorities, Other companies in the same group as the data controller, Persons making an enquiry or complaint, Police forces, Relatives, guardians or other persons associated with the data subject, Survey and research organisations.
I would like to point out that nowhere in the ICO filing can one see that the NHS will be sharing data with advertising companies.
It should be noted that the ICO filing does not make it explicit that the Department of Health would not:
- Sell advertising to patients
- Sell/Provide user data for third party advertising
Next Steps: FOI
I am about to post off a Freedom Of Information request (tomorrow morning), asking the NHS to please supply the minutes of all policy and technical meetings involved in the decision to deploy iframes referencing non-NHS sites and to use third-party analytics software on NHS Choices pages.
Next Steps: Official Complaint
Further to the FOI request I am going to submit an official complaint via the official NHS Choices feedback form: http://www.nhs.uk/aboutNHSChoices/Pages/ContactUs.aspx.
It has been pointed out to me that the NHS's statement that communication with Facebook.com occurs only on pages with the Like button is also not true:
See the following page:
I see no “Like” button on this page. But according to Firebug, there is still an HTTP request made to facebook.com from my browser.
Which is NOT true.
The following screenshot illustrates this. People are free to replicate, all you need is Firefox and the Firebug plugin (both free and open source).
“As a government department, we do not share data with other organisations unless the law permits us to do so. We do not sell individual information. We will share it only with our authorised Data Processors, who must act at all times on our instructions as the Data Controller under the Data Protection Act 1998. Before you submit any information, we will notify you as to why we are asking for specific information and it is up to you whether you provide it.