Does healthcare.gov violate their own privacy policy?

Summary: Developer Ben Simo raises a number of security concerns about healthcare.gov, the Federal health care exchange site. In particular, he describes serious privacy problems in violation of the site's own policy.

Developer Ben Simo is not alone in describing serious security problems in the healthcare.gov web site (a site which nobody is defending at this point). But he has described specifics of privacy problems in clear detail.

Simo shows how healthcare.gov sends personal information to third-party analytics and advertising companies. In the HTTP traffic traces below, he shows his username and password reset code first being sent to "rum-collector.pingdom.net". The domain is owned by Pingdom, an uptime performance monitoring company based in Sweden.

[Image: healthcare.gov analytics trace 1]

The second trace section shows the same data being sent to Doubleclick.

This practice violates the site's privacy policy, which says, in part:

HealthCare.gov uses a variety of Web measurement software tools. We use them to collect the information listed in the “Types of information collected” section above. The tools collect information automatically and continuously. No personally identifiable information is collected by these tools.

[Bold in original text on healthcare.gov.]

The FTC has fined Facebook and others for similar practices.
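The check Simo did by hand on the Pingdom and Doubleclick requests can be automated: take a capture of the browser's requests made with a test account and flag any request to a host outside the site's own domain that carries that account's values, whether in the URL, the body or a header such as Referer. This is an added example, not code from Simo or from the original article; the capture, paths, parameters, account values and the `ad.doubleclick.net` hostname are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_plus

FIRST_PARTY = "healthcare.gov"

# Constructed test-account values and capture; paths and parameters are made up.
SECRETS = {"username": "jdoe@example.test", "reset_code": "RESET-0000-EXAMPLE"}
CAPTURE = [
    {"url": "https://www.healthcare.gov/example-reset", "body": "user=jdoe%40example.test"},
    {"url": "https://rum-collector.pingdom.net/example-beacon?path="
            "%2Fexample-reset%3Fuser%3Djdoe%2540example.test%26code%3DRESET-0000-EXAMPLE",
     "headers": {}, "body": ""},
    {"url": "https://ad.doubleclick.net/example-tag", "body": "",
     "headers": {"Referer": "https://www.healthcare.gov/example-reset"
                            "?user=jdoe%40example.test&code=RESET-0000-EXAMPLE"}},
    {"url": "https://rum-collector.pingdom.net/example-beacon?load_ms=812",
     "headers": {}, "body": ""},
]

def is_third_party(host, first_party=FIRST_PARTY):
    """True unless host is the first-party domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))

def decode_layers(text, depth=3):
    """Yield text, then each successive URL-decoding (beacons often nest encoded URLs)."""
    yield text
    for _ in range(depth):
        decoded = unquote_plus(text)
        if decoded == text:
            return
        text = decoded
        yield text

def find_leaks(capture, secrets):
    """Return (host, location, secret_name) for each secret sent off-site."""
    findings = []
    for req in capture:
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host):
            continue
        parts = {"url": req["url"], "body": req.get("body", "")}
        parts.update({"header:" + k: v for k, v in req.get("headers", {}).items()})
        for where, text in parts.items():
            for name, value in secrets.items():
                if any(value.lower() in t.lower() for t in decode_layers(text)):
                    findings.append((host, where, name))
    return findings

if __name__ == "__main__":
    print(*find_leaks(CAPTURE, SECRETS), sep="\n")
```

Plain substring matching only catches values sent in clear or URL-encoded form; hashed or otherwise transformed identifiers need their own matchers.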

Simo also demonstrates the site returning previously provided information that is not needed for the current request. Simo argues that this violates the privacy policy's pledge not to retain information beyond what is necessary for fulfilling a request. I am not so sure of Simo's interpretation here, but at the very least it's another example of sloppy programming with the potential for disclosure of confidential data.

[Image: Obamacare Marketplace]

On another one of his sites, Simo describes more problems he's found:

  • Cookie handling errors, including generating more cookies than it is capable of accepting.
  • Overly-complex and poorly-written client-side JavaScript. Many others have pointed this out and note that such code guarantees future maintenance difficulties.
  • "The site processed an application I did not submit - and that I explicitly told it to not process."
  • Stack traces returned to the browser that reveal information about the internal system components.
  • Password reset codes returned to the browser.


Talkback

7 comments
  • It figures

    They should have just hired two college kids that could have developed a product ten times better over a 3 day weekend. Probably could have just paid them with a twelve pack of beer and a bag of Doritos.
    Hemo2
    • No they couldn't

      Clearly you don't know much about software development. Frankly, it's amazing that healthcare.gov works as well as it does. Are there major issues? Sure. Could it have been better? Definitely. However, just getting such a complex site up in the time they did is still impressive.
      Twilight23
      • Who Pays?

        When the inevitable breach occurs, who will pay the damages to the user? Ultimately it is the site owner's responsibility to ensure it is secure.
        Linux_Lurker
      • Impressive?

        That would have been if it worked.
        Bill4
      • You might be easily impressed.

        The cost to develop the website is cited to be $300,000,000 at the low end and $600,000,000 at the high end. Whatever the real number is, no one disagrees it is going up at an exponential rate now that it has failed, and heads will roll if it does not get fixed.

        If I might quote Andrew Couts

        "Facebook, which received its first investment in June 2004, operated for a full six years before surpassing the $500 million mark in June 2010. Twitter, created in 2006, managed to get by with only $360.17 million in total funding until a $400 million boost in 2011. Instagram ginned up just $57.5 million in funding before Facebook bought it for (a staggering) $1 billion last year. And LinkedIn and Spotify, meanwhile, have only raised, respectively, $200 million and $288 million."

        So impressed, I am not.
        YaBaby
    • oh, sure.

      since you clearly have great wisdom, why not nominate yourself to replace Sebelius.

      was there anything in the article you understood?
      BitBanger_USA
  • What do you expect?

    Once the head lemming (Obama) set the course, everyone jumped off the cliff after him. Nobody in the government questions a Custer decision; to do so means to seek work elsewhere. So, bogus timelines, CYA and scapegoating are what you get.
    M.M.Grimes