Outrage as NHS allows Facebook tracking of website users
By Stewart Mitchell
Posted on 23 Nov 2010 at 14:55
Online identity experts have expressed outrage that an NHS website is allowing Facebook to track users on one of its sites, where information such as which pages they have visited can be harvested by the social network.
Research from online privacy company Garlik discovered that the NHS had integrated the NHS Choices site with the Facebook Connect platform, in order to allow easier sharing and the use of the "Like" button on its pages.
However, that also allows Facebook to track users across the site, where citizens are encouraged to research potentially embarrassing ailments.
The NHS is sharing this information out liberally and the users don’t know it and can’t opt out of sharing even if they did
“What right has the NHS to share any information about the browsing of NHS Choices with Facebook?” asked Mischa Tuffield, the Garlik software developer that made the discovery. “The NHS is sharing this information out liberally and the users don’t know it and can’t opt out of sharing even if they did.”
The researcher also found that the NHS has associations with three other tracking companies – including Google - but could only prove that Facebook was actively receiving user data.
“So a young mother is logged on to Facebook talking to friends and is also looking for some advice about depression on NHS Choices and bingo – although she doesn’t know it – Facebook now knows she has looked at this page,” Tuffield said.
A spokesperson for the Department of Health admitted the relationship with Facebook, and justified it by saying the data exchange was mentioned in its privacy policy.
"The privacy policy, which is on the homepage of site, makes clear that when certain features from partners are used, like Facebook's 'Like' button, information relating to the date and time of your visit and other technical information will be collected by Facebook,” the spokesperson said.
Logging out
Incredibly, the spokesperson put the onus on web users, saying they should log out of social networks before accessing the NHS Choices website.
"People should log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer," the spokesperson said.
However, the NHS's stance cuts little ice with Tuffield, who said the inclusion of details in the privacy policy merely highlighted the fact that management knew of potential problems.
“The sharing is mentioned in the NHS web site privacy policy, which means the NHS made a conscious decision to do this 'sharing' and that is even more astounding,” he said.
To make matters worse, according to Tuffield, the information given out regarding logging off is inaccurate.
Unless a user has cleared cookie information from their browser, Tuffield said, the cookie would still be active and let Facebook track users across pages with its 'Like' button built in.
"If you have ever visited and logged into www.facebook.com from your browser, they will drop a cookie on you," Tuffield said. "Regardless of whether you are logged in or logged out, every page with the iframe based implementation of the 'Like' button will see this cookie."
"This is not common behaviour for your average website, to be frank," Tuffield said. "I think that your average web user has no idea what a cookie is and they can't be expected to delete their cookies before turning up to the NHS website."
We are waiting for Facebook to come back to us on whether NHS Choices users can be traced by the social network even when they are not logged in.
From around the web
What?
Why do the NHS think this is a good idea?
Sharing of personal health information across a social networking site is not something that can be simply covered by inclusion in it's privacy policy.
By greemble on 23 Nov 2010 
What possible benefit did the NHS think adding "Like" buttons would give its users? Seriously - "Dave likes Syphillis"?
By flyingbadger on 23 Nov 2010
really dont get all the fuss with tracking/peoples data!! i couldnt care less what data people hold of me unless its financial!! im all for id cards etc if it means it makes it harder for terroists to operate within our country. The people who are scared are usually those who have sumthing to hide!!
By martinburman on 23 Nov 2010
@martin
Not the old "you've nothing to fear ...." arguement? Just report to the police station 4 times a day and carry this camera to record everything you do and wear this tracking device and our IT never goes wrong well there was that occasion last week where we locked a few people up and....
Might as well give in to the terrorists now. Police state whichever way you look at it.
By JohnHo1 on 23 Nov 2010
@PCPro
Are these "martinburman" people real? Or is PCPro buying them in by the pound to make the Comments feature more enticing? I despair of the readership ... Please God, it's just *another* comments hacker on the loose.
By mikelaye on 23 Nov 2010
lol seriously guys wouldnt comment on here they might capture your ip and track you down :O kill me now its the end of the world!! get the data security police in hahaha!!
By martinburman on 23 Nov 2010
NHS = No Health Secrecy
@martin, you're obviously very young and don't understand that other people are different to you (like they can spell). Just ask your grandmother if she'd like her health secrets on the internet for anyone to see.
The NHS are crazy thinking this sort of info is fit for a social networking site.
By SwissMac on 23 Nov 2010
Do not feed the troll
We've seen enough examples to know a teenager when it appears
By greemble on 23 Nov 2010
Don't hate me
But I kind of agree. I'm a Crohns sufferer and have no issues talking about it on Facebook. All my friend know I have it and I'm a member of support groups on Facebook. If I was on the NHS site (or any other site using Facebook Connect) and ALLOWED it to connect to Facebook then it's my choice. It's not like it's being done on the sly. I've no issue with personal data being online except financial data. Anything online about me is there because I put it there. If it was done behind my back then yes I'd have an issue.
By EddyOS_2K9 on 24 Nov 2010
... but it IS 'on the sly'!
The information IS passed on the sly, that's the point. YOU may not mind YOUR health problems passed to Facebook, but other people probably don't want theirs shared.
"im all for id cards etc if it means it makes it harder for terroists to operate within our country"
It doesn't.
By nelviticus on 24 Nov 2010
Adding my few cents...
Just a few points I wanted to raise here
1. Info passed onto Facebook wont be shared elsewhere, and also will not be shared on facebook publicly unless you directly 'Like' an article. Just to be clear Facebook wont actually track every user visiting the NHS page, they'll only track if you hit 'Like'
As a subpoint I believe the NHS should have used the 'Recommend' button rather than 'Like' but that's a different discussion.
2. The majority of websites you visit have analytics packages and cookies installed so they can track how you visit their sites and will re-target you with ads when you drop out of a purchase. (Including this one)
3. By commenting on these posts you've all signed up to give Dennis Publishing access to your name, email location and mobile number. Which will then be used to send you product messages from advertisers. Ironic, no?
By Gougher on 24 Nov 2010
access to your name, email location and mobile numbe
What name - Greemble?
Access to an e-mail address used solely for PC Pro / Dennis publications?
Umm... Mobile number? No, that I've not given them
By greemble on 24 Nov 2010
@ Greemble
I just had to sign up to comment, and it wouldn't let me proceed with registering until I'd provided all of the below.
Email address
Name (actual name)
Screen name
City where I live
Post code
Mobile number
Therefore, unless they've changed their registering process, in order for you to have a profile as Greemble you will have had to provide all of the above info.
Quite a lot of data i'd say. In fact probably more than most people make public on Facebook
By Gougher on 24 Nov 2010
Totally transparent...
Nothing against EddyOS_2K9... but the fact that someone interested and educated enough in these issues to be on this site commenting on this story could have such a fundamental misunderstanding seems to me a good illustration of how ridiculous it is to suggest that average users would be sufficiently enlightened due to the presence of some small-print in a privacy policy.
Just to clarify in case anyone still missed it; when you view a page that has a 'like' button, that button is a mini facebook page loaded in an iframe. The request being made to facebook to load the page is enough to tell facebook that you have visited the host page. Of course they don't publish that information, but they do receive it.
By ptodd1 on 24 Nov 2010
I think someone needs to more checking, Facebook have confirmed the following:
The Like button is engineered such that even if it is not clicked, it still passes information about the user to Facebook, even if they are not logged into Facebook at the time of the visit.
Also, from Facebook itself:
"When a person is logged into Facebook and visits a partner site that is using a social plugin, Facebook can see technical information such as a person’s User ID, IP address and operating system. Note: we will still receive their IP address, operating system even if the user is logged out; we just won’t know their User ID"
By Ex_Sailor on 24 Nov 2010
Sign up details
Yes, it has changed.
However - none, other than the e-mail for validate your registration, is checked to ensure they are "real". By the way, it doesn't ask the city, only the country.
Of course, unless you live within the UK, you're not going to have a postcode, so that field can be blank, too
The mobile number field is not even compulsory, so can be left blank.
Aside from this, it's not of the same sensitivity as that of the NHS
By greemble on 25 Nov 2010
Somebody in the NHS obviously loves Facebook far too much.
It's banned in my household.
By monsieurtechnica on 27 Nov 2010
advertisement
- Laptop bag reviews: nine tested
- Sony VAIO T Series Ultrabook review: first look
- Revealed: the military standards and robots HP uses to test its laptops
- Windows 8: multi-monitors and double standards?
- Why is TalkTalk's year-old porn filter suddenly big news?
- Why are laptop screens so far behind mobiles?
- HP EliteBook Folio review: first look
- The shoebox-sized all-in-one printer
- Forget the Ultrabook: here comes the HP Sleekbook
- HP Spectre XT review: first look
- Why you have to be left in the dark on OS patches
- Publishing your email address isn't a security disaster
- Why antivirus is fighting a losing battle in your office
- Four year olds used to steal their parents' data
- An acceptable use policy for your kids
- Paying for your crimes with Bitcoin
- Pavement hacking: What it is and how to avoid it
- Google's risky pre-loaded pages
- Mac under attack: how secure is Apple's OS?
- Has your browser been hijacked?
advertisement
