Facebook gets sneak peek at NHS site visits

Summary: The social-networking site can track when a member visits an NHS site for health advice, leading MP Tom Watson to question why the NHS is sending user data to third parties

TOPICS: Security

The NHS has come under fire for passing data on people browsing its website to Facebook and other companies.

The NHS Choices website allows Facebook and Google to track visits without informing the user, MP Tom Watson said in a letter to health minister Andrew Lansley. The tracking first came to light in a blog post by Garlik researcher Mischa Tuffield, who was looking into the Facebook 'Like' button on the health department's site.

The NHS Choices website incorporates Facebook's 'Like' button, in an effort to encourage users to publicise health advice. Screenshot: Tom Espiner

"I write to you to express my concern that the NHS is allowing Google, Facebook and others to track your http://www.nhs.uk/ browsing habits, regardless of the fact that people use the page to seek medical advice," Watson wrote on Tuesday.

Four third-party tracking companies are informed every time a user visits one of the 'conditions' pages on the NHS Choices website, Tuffield said in his blog post on Sunday. The 'conditions' pages give advice on medical conditions, including testicular cancer.

Facebook is informed if a logged-in member goes to the NHS website, while tracking organisations Google Analytics, WebTrends and addthiscdn.com also monitor browser sessions involving the site.

The problem with Facebook arises because the NHS Choices website has social-networking functionality, Tuffield said. The website incorporates Facebook's 'Like' button, in an effort to encourage users to publicise health advice.

Tuffield checked the tracking with a tool called tcpdump, which is used to log internet traffic. Every time a user visits a 'conditions' page, Facebook makes a request to the browser to check for a Facebook cookie. If a cookie is present, the browser tells Facebook that the particular user has visited a given page on www.nhs.uk.

Every time anyone visits a page with a 'Like' button, various information is sent to Facebook, regardless of whether the button is clicked, said Tuffield.
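The kind of check described above can be run by a site owner over a plaintext HTTP capture of a single page view. The following is an added example, not code from the article or from Tuffield's blog post; the hostnames, paths and cookie value are constructed placeholders and the capture is not his data.

```python
from urllib.parse import urlsplit

def _req(*lines):
    """Build one constructed HTTP request as it appears in a plaintext capture."""
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample: the requests a browser sends for one page view.
PAGE = "http://www.nhs.example/conditions/example"
CAPTURE = (
    _req("GET /conditions/example HTTP/1.1", "Host: www.nhs.example")
    + _req("GET /plugins/like HTTP/1.1", "Host: widgets.social.example",
           "Referer: " + PAGE, "Cookie: uid=constructed-12345")
    + _req("GET /collect.gif HTTP/1.1", "Host: stats.analytics.example",
           "Referer: " + PAGE)
    + _req("GET /css/site.css HTTP/1.1", "Host: static.nhs.example",
           "Referer: " + PAGE)
)

def parse_requests(capture):
    """Split a capture of body-less requests into (request_line, headers)."""
    requests = []
    for block in capture.split("\r\n\r\n"):
        lines = [line for line in block.split("\r\n") if line]
        if not lines:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((lines[0], headers))
    return requests

def same_site(host, site):
    """True if host is the site itself or one of its subdomains."""
    host = host.lower().split(":")[0]
    return host == site or host.endswith("." + site)

def third_party_disclosures(capture, first_party):
    """List (host, page path disclosed, cookie sent?) for each request that
    goes to another site while naming a first-party page in its Referer."""
    findings = []
    for _, headers in parse_requests(capture):
        host = headers.get("host", "")
        referer = urlsplit(headers.get("referer", ""))
        if same_site(host, first_party) or not referer.hostname:
            continue
        if same_site(referer.hostname, first_party):
            findings.append((host, referer.path, "cookie" in headers))
    return findings
```

A finding with the cookie flag set is the case the article describes: the third party receives both an identifier it issued and the address of the page being read, without any click on the widget.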

The social-networking company makes requests for user information from browsers visiting the NHS website and gets it without the user's consent, according to Tuffield.

"What right has the NHS to share any information about the browsing of NHS Choices with Facebook?" Tuffield told ZDNet UK. "The Like button is engineered such that even if it is not clicked, it still passes information about the user to Facebook, if they happen to be logged in to Facebook at the time you visit."

In response, the NHS said the onus is on users to monitor their privacy on Facebook.

"When users sign up to Facebook they agree Facebook can gather information on their web use," the NHS said in a statement on Wednesday. "NHS Choices' privacy policy, which is on the homepage of the site, makes this clear. We advise that people log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer."

A Facebook spokeswoman told ZDNet UK that the company can see technical information about a member when the user is logged into Facebook and visits the NHS site. It can see a user ID, which Facebook can link to a member profile, and the IP address and operating system of the machine being used to browse.

If a person is logged into Facebook and 'likes' a page on NHS Choices, the person will be targeted with adverts that are relevant to the page, said the spokeswoman. The information on the medical interests of the member will not be passed to advertisers, she added.

"Facebook does not share your data with third parties," said the company in a statement. "It is against Facebook's terms to use this data for any purpose other than to create a more personalised experience on the web. In the same way that the NHS would not share your data, Facebook would not either."

The social-networking company has come under repeated fire over the past year over its privacy policies, and at the beginning of November, it suspended a group of application developers for passing user IDs to advertising and data firms.

The data collected by Google Analytics is used only for web analytics purposes, according to the NHS. Google confirmed that the information is not used for advertising.

"The data collected by Google Analytics is not used by Google for anything other than reporting site usage back to site owners who use Google Analytics and helping them improve the efficiency and usability of their website," the company said in a statement.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • Disgraceful, absolutely outrageous. This just makes me angry. A further breach of trust and privacy. Who reads, or even understands, the gobbledygook contained in privacy statements. Bear in mind that the majority of users do not really understand the implication of what they are doing on the Internet and, interestingly enough, the young people are not taught about any of this in School, just how to use Microsoft products.

    We have already come through a period of government snooping and micromanagement, now we found out about this. There is nothing more personal and private than one's health issues and I think we should have expected, and have a right, to trust the NHS. Now we find we have to trust Facebook and Google with potentially intimate details.

    Targeted advertising - where's the privacy in that - there's a trail now directly to the individual which we have not knowingly agreed to, and over which we have no control.

    What next?
    The Former Moley
  • It probably isn't the NHS sharing the data, but a company providing the service on behalf of the NHS or Department of Health. One assumes they either have express permission to do this or will soon have slapped wrists if they are doing something wrong. If all it is doing is publicising NHS services, there's nothing really wrong, is there? If, though, you've gone to find your nearest Sexual Health clinic, you really wouldn't want that appearing in your Facebook time-line. Of course, no-one would click "Like" who didn't already know that by doing so you'd get lots of information about it posted on your wall and those of your friends thereafter.
  • @dme. You seem to have missed the point.
    The Former Moley
  • It's funny how Facebook keeps telling us they do not share our information with third parties. Yet, when you think about Facebook being able to gather information about user activities from third party sites - they are actually giving out this information by using what users are going on third party sites to direct advertisements, etc.

  • It's funny, there's this wonderful thing that's been around ever since the web started which means you *opt in* to giving your data when you choose to perform an action (which you have to actually do) - it's called a *link*.

    You can try it here (if you're signed into Twitter): http://twitter.com/?status=hello

    That didn't require anything to be sent to Twitter until you clicked it. You won't know how many of your "friends" have posted it but do you really need to validate what you read by knowing how many others have read it too?

    Far too much goes on in the background when you visit sites - it's almost impossible to know who's getting your data without a fair knowledge of what's going on behind the scenes.
  • It will be disastrous for NHS to share information on Facebook. The "like" button is really dangerous and should be used as little as possible. There are too many privacy concerns on Facebook. It has become too insecure to use now and I am really excited about the upcoming launches of Diaspora and MyCube. Both seem very promising and I hope they can make social networking secure.
  • For those telling us not to be so stupid as to click the 'like' button, I think the original news item suggested that there was no need to click on the 'Like' button to have privacy compromised. Read the news item more carefully.
    The Former Moley
  • Disgraceful misuse of privacy for profit. Thank God they are being found out! Trust Facebook at your peril!!! I am glad I refused to ever use it. They should be closed down. Whatever happened to the Data Protection Act???
  • It is reported elsewhere that the ICO will be investigating. It will be interesting to see the outcome.
    The Former Moley