Does healthcare.gov violate their own privacy policy?

Summary: Developer Ben Simo raises a number of security concerns about healthcare.gov, the Federal health care exchange site. In particular, he describes serious privacy problems in violation of the site's own policy.

Developer Ben Simo is not alone in describing serious security problems in the healthcare.gov web site (a site which nobody is defending at this point). But he has described specifics of privacy problems in clear detail.

Simo shows how healthcare.gov sends personal information to third-party analytics and advertising companies. In the HTTP traffic traces below, he shows his username and password reset code first being sent to "rum-collector.pingdom.net". The domain is owned by Pingdom, an uptime performance monitoring company based in Sweden.

[Image: healthcare.gov.analytics.trace.1]

The second trace section shows the same data being sent to Doubleclick.

This practice is in violation of the site's privacy policy, which says, in part:

HealthCare.gov uses a variety of Web measurement software tools. We use them to collect the information listed in the “Types of information collected” section above. The tools collect information automatically and continuously. No personally identifiable information is collected by these tools.

[Bold in original text on healthcare.gov.]

The FTC has fined Facebook and others for similar practices.
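A site owner can check for this kind of leak by searching captured browser traffic for known sensitive values in any request that goes to a host outside the first-party domain. The following is an added example, not code from Simo or from the site: the capture, the paths, the placeholder username and reset code, and every host name except rum-collector.pingdom.net are constructed, and the capture does not reproduce Simo's trace.

```python
from urllib.parse import urlsplit, unquote_plus

FIRST_PARTY = "healthcare.gov"
# Constructed placeholder values that must never leave the first-party site.
SECRETS = {"username": "jane.doe@example.com", "reset_code": "RC-0000-PLACEHOLDER"}
RESET_URL = ("https://www.healthcare.gov/reset"
             "?user=jane.doe%40example.com&code=RC-0000-PLACEHOLDER")  # constructed path
# Constructed capture (not Simo's trace); only the Pingdom host name comes from the article.
CAPTURE = [
    {"url": RESET_URL, "headers": {}, "body": ""},
    {"url": "https://rum-collector.pingdom.net/beacon?t=120",
     "headers": {"Referer": RESET_URL}, "body": ""},
    {"url": "https://ads.example/track", "headers": {},
     "body": "u=jane.doe%2540example.com"},  # double-encoded
    {"url": "https://healthcare.gov.cdn.example/p.gif?code=RC-0000-PLACEHOLDER",
     "headers": {}, "body": ""},  # look-alike host, still third party
    {"url": "https://stats.example/ping?page=home", "headers": {}, "body": ""},
]


def is_third_party(host, first_party=FIRST_PARTY):
    """True unless host is the first-party domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))


def find_leaks(capture, secrets, first_party=FIRST_PARTY):
    """Return (host, location, label) for each secret seen in a third-party request."""
    leaks = []
    for req in capture:
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        places = {"url": req["url"], "body": req.get("body", "")}
        for name, value in req.get("headers", {}).items():
            places["header:" + name.lower()] = value
        for where, raw in places.items():
            # Match the raw text and its once- and twice-percent-decoded forms.
            once = unquote_plus(raw)
            forms = [raw.lower(), once.lower(), unquote_plus(once).lower()]
            for label, secret in secrets.items():
                if any(secret.lower() in form for form in forms):
                    leaks.append((host, where, label))
    return leaks


if __name__ == "__main__":
    for host, where, label in find_leaks(CAPTURE, SECRETS):
        print(f"LEAK {label} -> {host} ({where})")
```

The same function can be pointed at requests exported from a browser's network panel, as long as each entry is reduced to the `url`, `headers` and `body` keys used here.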

Simo also demonstrates the site returning previously-provided information not needed for the current request. Simo argues that this violates the privacy policy's pledge not to retain information beyond what is necessary for fulfilling a request. I am not so sure of Simo's interpretation here, but at the very least it's another example of sloppy programming with the potential for disclosure of confidential data.

[Image: Obamacare.Marketplace]

On another one of his sites, Simo describes more problems he's found:

  • Cookie handling errors, including generating more cookies than it is capable of accepting.
  • Overly-complex and poorly-written client-side JavaScript. Many others have pointed this out and note that such code guarantees future maintenance difficulties.
  • "The site processed an application I did not submit - and that I explicitly told it to not process."
  • Stack traces returned to the browser that reveal information about the internal system components.
  • Password reset codes returned to the browser.

Topics: Security, Government : US, Health

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
