Over Easy: The Latest Website Tracking You? HealthCare.gov
The HealthCare.gov website was created as part of the Affordable Care Act, and provides online access to the government-subsidized private insurance for those who do not have employer-provided health care benefits. It is used by consumers in the 37 states that do not operate their own insurance exchanges.
On Tuesday the Associated Press revealed that the Affordable Care Act’s enrollment website is secretly sending consumers’ personal data to private companies that specialize in advertising and analyzing Internet data, for both performance and marketing purposes. The Electronic Frontier Foundation has been all over the story.
EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.
In some cases the information is also sent embedded in the request string itself, like so:
healthcare.gov/see-plans/85601/results/?county=04019&age=40& smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000& &step=4?
In this example (see bold text) a URL at doubleclick.net is requested by the browser. Appended to the end of this URL is the individual’s age, smoking status, parental status, pregnanacy status, zip code, state and annual income. General information also transmitted can include the individual’s computer IP address, which can be combined with other collected information to identify a person’s name or address. The browser requests this URL after the individual fills out the required information on HealthCare.gov and clicks the button to view their eligible health insurance plans.
Third-party sites embedded on HealthCare.gov can’t actually see someone’s name, date of birth, or Social Security number, but may be able to correlate Internet browsing habits with the fact that the computer accessed HealthCare.gov. Embedded trackers could correlate a HealthCare.gov visit with other visits to sites with information about a specific illness like diabetes or glaucoma. They could identify whether the individual shops online for certain health-related aids, or is seeking information about heart disease or breast cancer, or visits sites that offer information and assistance with financial problems, drug addiction, or quitting smoking.
A table showing which third party domains EFF researchers confirmed were receiving the private health data includes some familiar names: Akamai.net, Doubleclick.net (owned by Google), Google, Twitter, Yahoo, and YouTube.
According to the EFF, in addition to tracking, third-party resources could introduce additional security risks to the HealthCare.gov website itself. The more times data is replicated to different servers, the more opportunities for security breaches. If an attacker compromised only one of the third party resources hiding in HealthCare.gov, they potentially could compromise the accounts of every user of HealthCare.gov. Even if vendors don’t profit from HealthCare.gov data, hackers just might.
The EFF offers a tracking blocker called Privacy Badger, which adds even more functionality than popular blockers like AdBlock Plus or Ghostery. Privacy Badger will block the referrers and the connections to third party sites on HealthCare.gov (and other sites) and protect your personal health information. Both Firefox and Chrome versions are offered, and they’re free. Safari appears to not be supported.
The EFF concludes,
Health information is some of the most sensitive and personal information there is. People’s private medical data should not be available to third party companies without consent from the user. This practice is negligent at best, and potentially devastating for consumers. At a minimum, healthcare.gov should disable third-party trackers for any user that requests an opt out using the DNT header. Arguably, healthcare.gov should meet good privacy standards for all its users. If President Obama is really concerned about cybersecurity, he may want to start in his own backyard, by securing healthcare.gov.
THURSDAY NIGHT UPDATE TO LAST WEEK’S POST
It appears that in response to the ProPublica revelations about zombie cookies, Turn is suspending the practice, at least temporarily.
‘Zombie’ Cookie ID to be suspended pending re-evaluation
Anyone feel like we are playing whack-a-mole?
FRIDAY UPDATE, THANKS TO MARYM IN THE COMMENTS!
White House makes reversal over release of personal data from Healthcare.gov