NHS provided advertisers, analytics and social media companies with data about your health concerns

Back in 2010, Tom Watson MP raised a problem in parliament https://www.theregister.co.uk/2010/11/24/nhs_connect_facebook_privacy_fears/

That was not resolved: instead, Facebook, Google, WebTrends and many more got and still get a lot of data about your browsing habits on the NHS services online.

Do not expect it to be anonymised: I found that the data is often identifiable to your email address or online accounts with the companies.

Where they are not, they are often identifiable to a profile about you which is also a breach of your privacy!

FYI: I want this to stop as soon as possible so have added created two petitions that you can sign if you wish.

• https://www.change.org/p/uk-parliament-nhs-should-respect-privacy-online (can be petitioned on an international basis, NHS isn't just a service used by UK citizens and provides space to give details)
• https://petition.parliament.uk/petitions/222766 (awaiting review, not such space to describe)

This is illegal, privacy is a requirement for healthcare and has been long before GDPR, but there are three things to take away:

What they got #

Facebook and others were told for over 7 years about what concerns you had for your health. The details sent to them were often in context of you, like your Facebook user id. The advertising arms of some of the companies uses this data as "audience" data and whether they filtered NHS or not, their motive for asking for it, was to discriminate on whether you were targeted for marketing campaigns: this is one of the primary reasons why healthcare should be private... if they did use the data, then expect to have suffered adverts for funeral directors when you looked for cancer, ecigarettes when you tried to stop smoking, etc, in an advertising context, this nature of data leaking is quite disturbing and would put people at risk of advertising when they are at most risk.

They put at risk more from what they got #

If these companies wished to, then they had access to a treasure trove of information about significant people in the public. From companies executives and celebrities, to whistleblowers and criminals. Had this data leaked (leaks can easily happen https://www.zdnet.com/article/alteryx-s3-leak-leaves-120m-american-households-exposed/) or been hacked then the risk to not just individuals but what they are involved with could have affected reputations, legal cases and allowed for insider trading.

They got access to do a lot more! #

Most of the companies execute JavaScript on the NHS website. This capability allowed them to follow mouse movements, keyboard presses, read content on the pages and even load other pages on the NHS website with access to do any of those too (thanks to iframes in the web sharing a security context if from the same origin). They could also manipulate content, add in username/passwords fields or ask for any data they liked with the appearance that the NHS was asking. This isn't just hypothetical postulation, the security access was compromised when one of the third parties was hacked to use the NHS website (not all of the site used Browsaloud) for cryptomining on people's web browers https://www.tsg.com/blog/security/ico-nhs-among-thousands-websites-hacked-sneaky-crypto-mining-code

Protect yourselves from the NHS #

Look into Tor, Brave Browser, Privacy Badger and similar technologies to stop trackers.

Use one off private browsing mode sessions where possible too.

Look into alternative healthcare sites... seriously, there might be some other public health bodies, especially from other countries, that may protect your privacy better.

Next Steps #

We should take legal action against the NHS. Not because we want to take money out of it, but because they need to stop. The precedent set by allowing the NHS to do this, would be to allow everyone to.

Some background #

I noticed this last year when trying to make sense of how https://joinpouch.com/ (seriously, do not join them, they were a security nightmare when I looked into this), were able to advertise an e-cigarette company on the NHS Stoptober campaign (their extension matched the nhs page against a dictionary they provided the extension to be sent the advert and captured tracking data on your visit).

Whilst investigating I spotted various analytics, tracking and advertising companies loading on the Stoptober page and thought, this can't all be Pouch: they're bad, but not that bad and sure enough, with the extension not installed it turned out the NHS website was a mess of online tracking.

Then started months of emails to and fro between NHS Choices/Digital, NHS England and Public Health England: along with my MP, Matthew Hancock's office, the ICO and a few organisations and journalists I've tried to rally to help.

The position now: #

• NHS England largely agreed, they removed much of the advertisers/social media tracking: I think they can do better
• NHS Digital largely agreed and they removed much advertisers/social media on the NHS Choices pages.
• Public Health England pretty much ignored the complaint and said users have agreed to it.

• Next: Reset Password Links are a Security Failure according to the HTTP RFC
• Previous: Facebook JavaScript SDK is often illegal