Yesterday, Mischa Tuffield, of Garlik, highlighted an important issue about how the NHS is allowing Google and Facebook amongst others, to track the behaviour of individuals on the NHS Choices website.
The story has quickly spread and was picked up by the MP Tom Watson.
We have also received a number of inquiries from journalists, and so have decided to post the answers to some of the key questions Mischa has been asked. Without sounding too inflammatory this episode just shows how the privacy of everyone of us is being compromised by the ill judged or ill informed actions of those in real positions of trust. In this specific case the individuals who designed and built NHS Choices.
Q: What are your privacy concerns about this third party tracking?
A: What right has the NHS to share any information about the browsing of NHS Choices with Facebook? The Like button is engineered such that even if it is not clicked, it still passes information about the user to Facebook, even if they are not logged into Facebook at the time of the visit. Given the average user spends 55 mins every day logged into Facebook. http://www.digitalbuzzblog.com/facebook-statistics-facts-figures-for-2010/ (as per : http://www.facebook.com/help/?faq=17512) then there is a pretty good chance of that happening. So a young mother is logged on to Facebook talking to friends and is also looking for some advice about depression on NHS Choices and bingo – although she doesn’t know it – Facebook now know she has looked at this page. Facebook says that it does not target ads using this information and they will throw it away after 90 days apart from the stuff they use for statistical analysis.
If I walked into a doctor’s surgery and said … “Oh hi, that guy of about 30 who just came in the door, what advice leaflets did he pick up?” … there is no way on Earth that they would tell me. Online, the NHS are sharing this information out liberally and the users don’t know it and can’t opt out of sharing even if they did.
Q: How did you test the tracking?
A: Regarding the tracking, we can only prove that Facebook is tracking Facebook users on www.nhs.uk. This was checked using a tool called tcpdump, which is used to log internet traffic. The outcome of the captured internet traffic is linked to from the blog post:
Linked to from : http://mmt.me.uk/blog/2010/11/21/nhs-and-tracking/.
A Facebook request is made, whereby the user’s browser ships across a Facebook cookie, which from a technical perspective means that Facebook has just been informed that a given Facebook user, has just visited a given page on www.nhs.uk. It is this interaction, which allows the Like button to state things such as “Be the first of your friends to like this page”.
Furthermore, it should be noted that the test browser was heavily locked up, with a lot of security measures to avoid being tracked by advertising companies, and as a result it probably does not have cookies for the other third-party sites in question. We have no evidence that www.google-analytics.com or statse.webtrendslive.com or addthiscdn.com are doing any tracking.
A: Are these companies tracking individual users, or are they aggregating the data for statistical purposes?
There is only evidence for Facebook’s tracking from out test. We are happy to say that Facebook is tracking, and that this is at a user level. There is no way of knowing what companies do with the data upon collection in terms of aggregation and so on.
Q: Have you contacted the NHS?
A: Yes, they were contacted on 22nd November, we were given a ticket number, stating that someone will get back to us on this as soon as possible. We are waiting to hear back from them.
Q: Have you contacted the ICO?
A: No, not yet, we will wait to hear back from the NHS, before contacting the ICO.