Facebook gets sneak peek at NHS site visits

The social-networking site can track when a member visits an NHS site for health advice, leading MP Tom Watson to question why the NHS is sending user data to third parties

The NHS has come under fire for passing data on people browsing its website to Facebook and other companies.

The NHS Choices website allows Facebook and Google to track visits without informing the user, MP Tom Watson said in a letter to health minister Andrew Lansley. The tracking first came to light in a blog post by Garlik researcher Mischa Tuffield, who was looking into the Facebook 'Like' button on the health department's site.


The NHS Choices website incorporates Facebook's 'Like' button, in an effort to encourage users to publicise health advice. Screenshot: Tom Espiner

"I write to you to express my concern that the NHS is allowing Google, Facebook and others to track your http://www.nhs.uk/ browsing habits, regardless of the fact that people use the page to seek medical advice," Watson wrote on Tuesday.

Four third-party tracking companies are informed every time a user visits one of the 'conditions' pages on the NHS Choices website, Tuffield said in his blog post on Sunday. The 'conditions' pages give advice on medical conditions, including testicular cancer.

Facebook is informed if a logged-in member goes to the NHS website, while tracking organisations Google Analytics, WebTrends and addthiscdn.com also monitor browser sessions involving the site.

The problem with Facebook arises because the NHS Choices website has social-networking functionality, Tuffield said. The website incorporates Facebook's 'Like' button, in an effort to encourage users to publicise health advice.

Tuffield checked the tracking with a tool called tcpdump, which is used to log internet traffic. Every time a user visits a 'conditions' page, Facebook makes a request to the browser to check for a Facebook cookie. If a cookie is present, the browser tells Facebook that the particular user has visited a given page on www.nhs.uk.

Every time anyone visits a page with a 'Like' button, various information is sent to Facebook, regardless of whether the button is clicked, said Tuffield.

The social-networking company makes requests for user information from browsers visiting the NHS website and gets it without the user's consent, according to Tuffield.
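For a site owner who wants to check their own pages for this behaviour, the following is an added example, not code from Tuffield's blog post or from the NHS. It lists the third-party hosts that a page's markup causes the browser to contact on page view alone; each such request can carry that host's cookies and the address of the page being read. The sample markup, the `example-condition` path and the first-party test (same host or a subdomain of it) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute is fetched automatically on page load (no click needed).
AUTO_LOAD = {"script": "src", "iframe": "src", "img": "src", "embed": "src"}

class _EmbedCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []  # (tag, absolute URL) pairs in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = AUTO_LOAD.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            attr = "href"
        if attr and attrs.get(attr):
            self.urls.append((tag, urljoin(self.page_url, attrs[attr])))

def third_party_embeds(html, page_url):
    """Map each third-party host to the embeds that contact it on page view."""
    first = urlsplit(page_url).hostname.lower()
    # Assumption: strip a leading "www." instead of doing a public-suffix lookup.
    base = first[4:] if first.startswith("www.") else first
    collector = _EmbedCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.urls:
        host = (urlsplit(url).hostname or "").lower()
        if host and host != base and not host.endswith("." + base):
            found.setdefault(host, []).append((tag, url))
    return found

# Constructed sample markup, not a capture of the real NHS Choices page.
SAMPLE_URL = "http://www.nhs.uk/conditions/example-condition/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//www.google-analytics.com/ga.js"></script>
</head><body>
<img src="http://media.nhs.uk/logo.png">
<a href="http://www.facebook.com/nhschoices">Find us on Facebook</a>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.nhs.uk%2Fconditions%2Fexample-condition%2F"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, items in third_party_embeds(SAMPLE_HTML, SAMPLE_URL).items():
        print(host, [tag for tag, _ in items])
```

The plain link to Facebook is not reported because it is only fetched when clicked, whereas the 'Like' iframe is fetched as soon as the page renders.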

"What right has the NHS to share any information about the browsing of NHS Choices with Facebook?" Tuffield told ZDNet UK. "The Like button is engineered such that even if it is not clicked, it still passes information about the user to Facebook, if they happen to be logged in to Facebook at the time you visit."

In response, the NHS said the onus is on users to monitor their privacy on Facebook.

"When users sign up to Facebook they agree Facebook can gather information on their web use," the NHS said in a statement on Wednesday. "NHS Choices' privacy policy, which is on the homepage of the site, makes this clear. We advise that people log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer."

A Facebook spokeswoman told ZDNet UK that the company can see technical information about a member when the user is logged into Facebook and visits the NHS site. It can see a user ID, which Facebook can link to a member profile, and the IP address and operating system of the machine being used to browse.

If a person is logged into Facebook and 'likes' a page on NHS Choices, the person will be targeted with adverts that are relevant to the page, said the spokeswoman. The information on the medical interests of the member will not be passed to advertisers, she added.

"Facebook does not share your data with third parties," said the company in a statement. "It is against Facebook's terms to use this data for any purpose other than to create a more personalised experience on the web. In the same way that the NHS would not share your data, Facebook would not either."

The social-networking company has come under repeated fire over the past year over its privacy policies, and at the beginning of November, it suspended a group of application developers for passing user IDs to advertising and data firms.

The data collected by Google Analytics is used only for web analytics purposes, according to the NHS. Google confirmed that the information is not used for advertising.

"The data collected by Google Analytics is not used by Google for anything other than reporting site usage back to site owners who use Google Analytics and helping them improve the efficiency and usability of their website," the company said in a statement.