The NHS has been criticised for apparently allowing Google and Facebook to track the behaviour of individuals on its Choices website.
According to Mischa Tuffield, who calls himself a 'semantic web hacker' and takes an interest in personal information and the digital trails people leave on the internet, the NHS is allowing Google, Facebook and other sites to track users' NHS browsing habits, even though people use the site to seek medical advice.
He said: “It was recently pointed out to me that the NHS Choices website's social features include the Facebook Like button. Due to the fact that the standard method of Facebook Like button deployment is intrusive to say the least, I thought I would look into identifying which third party companies have been given permission to track users on NHS Choices, and my results are rather disconcerting.
“In short there are four third-party advertising/tracking companies which are informed every time a user visits one of the 'conditions pages' on the NHS Choices website. These all get to make a call from the user's browser, in turn allowing the four companies to access their cookies, tracking the users. This means that if one has ever logged into a Google account, or a Facebook account and then visits one of the pages on the NHS site, the company will then know that their user X was just looking at a page about condition Y on the NHS website.”
Two of the four third-party sites (Facebook and addthiscdn.com) are contacted in order to provide the 'social functionality'. Tuffield said that this 'intrusive opt-out method of adding social features to the NHS website, in my opinion is not acceptable'. He said that he would only deem this to be acceptable if the NHS had written declarations from the two aforementioned services stating that they would not be tracking people's browsing habits.
The other two sites contacted (webtrendslive.com and google-analytics.com) seemed to be used for analytics purposes. He said that, in his view, this task should not be outsourced to a third party: on a website about pub reviews these third-party services would be acceptable, but given the nature of the information on the Choices website, he felt the NHS should be hosting its own analytics code.
“Okay, I understand that the NHS needs to gather statistics about their website usage, but their users' privacy should be of utmost importance, there do exist a high number of open sourced analytics software which the NHS should run themselves,” he said.
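As an added example (not part of the article or of Tuffield's research), the Python audit below lists the third-party hosts that a page's markup makes the browser contact on load, which is the check a site owner would run before publishing a sensitive page. The sample HTML, the page URL, the `static.nhs.uk` host and the function names are constructed for illustration; only the third-party names come from the article.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute makes the browser send a request on page load.
FETCHING = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class EmbedAudit(HTMLParser):
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url, self.first_party = page_url, first_party.lower()
        self.hosts = defaultdict(list)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url_attr = FETCHING.get(tag)
        if not url_attr or not a.get(url_attr):
            return
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return  # e.g. rel="canonical" is never fetched
        # urljoin resolves relative and protocol-relative (//host/path) URLs.
        host = (urlsplit(urljoin(self.page_url, a[url_attr])).hostname or "").lower()
        fp = self.first_party
        if host and host != fp and not host.endswith("." + fp):
            self.hosts[host].append(tag)

def audit(html, page_url, first_party):
    """Return {third_party_host: [tags that load from it]} for one page."""
    parser = EmbedAudit(page_url, first_party)
    parser.feed(html)
    parser.close()
    return dict(parser.hosts)

# Constructed sample markup; paths and the static.nhs.uk host are made up.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="https://example.org/elsewhere">
<script src="//google-analytics.com/ga.js"></script>
<script src="https://addthiscdn.com/widget.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="https://webtrendslive.com/dcs.gif" width="1" height="1">
<iframe src="https://www.facebook.com/plugins/like.php?href=x"></iframe>
<script src="https://static.nhs.uk/js/app.js"></script>
</body></html>"""
PAGE = "https://www.nhs.uk/conditions/example-condition/"  # constructed URL

if __name__ == "__main__":
    for host, tags in sorted(audit(SAMPLE, PAGE, "nhs.uk").items()):
        print(f"{host}: loaded by <{', '.join(tags)}>")
```

This inspects static markup only, so requests that an embedded script issues after it loads have to be checked separately in the browser's network panel.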
He said his next step would be to post a Freedom of Information request asking the NHS to supply the minutes of all policy and technical meetings involved in the decision to deploy iFrames referencing non-NHS sites and to use third-party analytics software on NHS Choices pages. He also planned to submit an official complaint via the official NHS Choices feedback form. Based on the response, he would decide whether or not to submit a complaint to the Information Commissioner's Office.
Tuffield's employer, Garlik, commented on the independent research. It said: “Without sounding too inflammatory, this episode just shows how the privacy of every one of us is being compromised by the ill-judged or ill-informed actions of those in real positions of trust. In this specific case the individuals who designed and built NHS Choices.”
The research led Tom Watson, MP for West Bromwich East, to write a letter to health secretary Andrew Lansley MP, expressing his concern over the incident. In the letter he said: “The NHS Choices website is used by members of the public in order to find out facts about ailments they may be suffering from and these illnesses could cause an individual embarrassment if the information was leaked.
“We've seen how newspapers like the News of the World have used the digital age to hack into the phones of UK citizens. It would be very embarrassing if people less scrupulous than Sergei and Larry of Google were to know the individual health fears of the nation.
“I understand the demands to offer government service online but this should not be achieved at the price of privacy. I urge you to take steps to ensure that third-party websites should not have access to such information. This could be simply achieved by ensuring all third-party interaction is run on an opt-in system, rather than the current opt-out model.”