Not Cool, Guys (updated x2)

No, I'm not gonna go into a "Dental Gate"-style rant against the HHS Dept. about this. Without knowing more details about the information in question or how it's being used, this may be another "nontroversy". Even so, it strikes me as being a bit of an unforced error on the part of the administration:

The government's health insurance website is quietly sending consumers' personal data to private companies that specialize in advertising and analyzing Internet data for performance and marketing, The Associated Press has learned.

The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms.

...There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.

To be honest, in an age where millions of people seem to think nothing of posting their ultrasound videos on YouTube or discussing their colonoscopy in vivid detail on Twitter, I actually don't think this is gonna cause that much of a fuss. AT&T, Verizon, Apple, Google and Facebook know more intimate details about your life than you do these days. That horse has long since left the barn...which, by the way, is also why I suspect that the whole NSA/wiretapping scandal didn't cause more of a brouhaha than it did.

HOWEVER, that doesn't make it right. Even if the info is being kept depersonalized, the HHS Dept. knows damned well that it only takes perhaps a half-dozen key pieces of data to pull off identity theft or other nefarious acts.

In a recent visit to the site, AP found that certain personal details — including age, income and smoking habits — were being passed along, likely without consumers' knowledge, to advertising and Web analytics sites.

Third-party outfits that track website performance are a standard part of e-commerce. HealthCare.gov's privacy policy says in boldface that "no personally identifiable information is collected" by these Web measurement tools.

Well yeah, there's nothing wrong with the web analytics stuff. Every site worth its salt does that; heck, I have tons of data on every visitor to this site as well. However, there's a big difference between that and sending the info out to advertising firms.

Again, this may be much ado about nothing; unless it develops into a bigger story I'll let it go at that. I just don't see why the administration would open themselves up to another potential PR headache for what seems like a pretty unnecessary reason.

UPDATE: OK, here's the official response from the HHS Dept (emphasis mine):

“Protecting consumers’ privacy is a top priority. There is no evidence that consumer information has been misused by any third party. Unlike many retail sites similar to HealthCare.gov, we do not and will not sell a visitor’s information. We will remain vigilant and will continue to focus on what more we can do to keep consumers’ personal information secure.”

Private sector tools – such as Google Analytics and ChartBeat – play a critical role in the operation of a consumer focused website. Without these tools, HealthCare.gov would be unable to effectively respond to system errors, issues that result in a poor or slow web experience, or provide metrics to the public on site visits and/or mobile usage. In addition, consumers would have to continuously resubmit information throughout the process making signing up for insurance more difficult.

The use of these private sector tools is extremely common.

There is no evidence that any consumer information has been misused by a third-party.

OK, if that's all that this is about--using Google Analytics (which I use myself) and ChartBeat (which I don't use, but is similar), then this really is a bunch of fuss about zilch.

The problem is that the AP story makes it sound like this is more along the lines of reselling personally identifying information (this person living at this address is a smoker, etc.), which is a whole different kettle of fish. If we're just talking about aggregated data, then, in the words of Emily Litella, "never mind..."

UPDATE x2: Hold the phone, here:

EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track.

The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.

In some cases the information is also sent embedded in the request string itself, like so:

https://4037109.fls.doubleclick.net/activityi;src=4037109;type=20142003;cat=201420;ord=7917385912018;~oref=https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000& &step=4?

In the above example, a URL at doubleclick.net is requested by your browser. Appended to the end of this URL is your age, smoking status, pregnancy status, parental status, zip code, state and annual income. This URL is requested by your browser after you fill out the required information on healthcare.gov and click the button to view health insurance plans that you are eligible for.
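A defender's audit of the two channels described above (the referrer header, and the page URL copied into the request string), as an added example that is not part of the original post or the EFF's write-up. The hostnames and captured requests are constructed, and `refererUnderPolicy` is a hypothetical helper that models only a few Referrer-Policy values.

```javascript
// Added example. Hosts and requests are constructed; parameter names mirror the quoted URL.
const SENSITIVE = new Set(["age", "smoker", "pregnant", "parent", "zip", "income"]);

// Names of sensitive query parameters that carry a non-empty value in a URL.
function sensitiveParams(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return []; }
  return [...url.searchParams]
    .filter(([k, v]) => SENSITIVE.has(k.toLowerCase()) && v !== "")
    .map(([k]) => k);
}

// Page URLs copied into the request itself (";~oref=https://..."), encoded or not.
function embeddedUrls(requestUrl) {
  let text = requestUrl;
  try { text = decodeURIComponent(requestUrl); } catch { /* keep raw text */ }
  // slice(1) skips the request's own scheme so only embedded URLs match.
  return [...text.slice(1).matchAll(/https?:\/\/[^;\s]+/g)].map((m) => m[0]);
}

// Referer value a browser sends cross-origin (HTTPS to HTTPS) under a Referrer-Policy.
function refererUnderPolicy(pageUrl, policy) {
  const u = new URL(pageUrl); u.hash = ""; // fragments are never sent
  if (policy === "no-referrer") return null;
  if (policy === "strict-origin-when-cross-origin") return u.origin + "/";
  if (policy === "unsafe-url" || policy === "no-referrer-when-downgrade") return u.href;
  throw new Error("policy not modelled: " + policy);
}

// Sensitive parameters one third-party request exposes, split by channel.
function auditRequest(req, firstPartySite) {
  const host = new URL(req.url).hostname;
  if (host === firstPartySite || host.endsWith("." + firstPartySite)) return null;
  const inHeader = req.referer ? sensitiveParams(req.referer) : [];
  const inUrl = [...new Set([req.url, ...embeddedUrls(req.url)].flatMap(sensitiveParams))];
  if (!inHeader.length && !inUrl.length) return null;
  return { thirdParty: host, referer: inHeader, requestUrl: inUrl };
}

const PAGE = "https://www.insurer.example/see-plans/results/" +
  "?age=40&smoker=1&parent=&pregnant=1&zip=85601&income=35000&step=4";
const CAPTURED = [ // constructed capture: one first-party and two third-party requests
  { url: "https://www.insurer.example/static/app.js", referer: PAGE },
  { url: "https://cdn.metrics.example/beacon.js", referer: PAGE },
  { url: "https://ads.tracker.example/activity;src=1;~oref=" + PAGE,
    referer: refererUnderPolicy(PAGE, "strict-origin-when-cross-origin") },
];
const findings = CAPTURED.map((r) => auditRequest(r, "insurer.example")).filter(Boolean);
console.log(JSON.stringify(findings, null, 2));
```

The third constructed request carries an origin-only referrer and is still flagged, because the tag copied the page URL into its own request string. A stricter Referrer-Policy closes only the header channel; the embedded copy goes away only when the form values stay out of the page URL or the tag is removed.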

Look, I'm a website developer. I'm well aware that this sort of service is widely used by millions of ecommerce sites, and as noted above, hundreds of millions of people voluntarily post the most intimate details of their lives to Facebook every day, and yes, it's being either sold or just given away to any number of 3rd parties you've never heard of.

However, government sites should be held to a higher standard, and while the embedded data above doesn't give an exact name or address, it doesn't take a hell of a lot to put that info together.

I'm not saying that this is a Huge Deal®, but it certainly sounds like it's more than nothing either.

I'll leave it at that for the moment.
