NHS link to Facebook raises privacy concerns

A website run by the UK's National Health Service sends information on pages visited back to Facebook

The U.K.'s National Health Service plans to clarify the privacy policy of its Choices health information website, which shares browsing information with Facebook, following complaints from a security expert and a lawmaker, an NHS spokesman said Thursday.

The NHS Choices website incorporates Facebook's "Like" button, which enables users to share information they find useful on their social networking profile. But the NHS has come under fire over whether users are actually aware of how much information the "Like" button transmits to Facebook, considering that Choices deals with health information.

The brouhaha started with a blog post from Mischa Tuffield, a developer at Garlik, a company that specializes in prevention of identity theft. He found that NHS Choices uses four third-party advertising services or trackers on its health information pages.

Two of the trackers, from Google Analytics and webtrendslive.com, appear to be for analytics purposes. Another is addthiscdn.com, a social bookmarking tool, while the fourth is Facebook's "Like" button. If clicked, that button shares the content of the Web page carrying it on the visitor's Facebook profile page.
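A site owner can run the same kind of check on its own pages by listing every outside host that the page markup makes a browser contact on load. The following is an added example, not code from Tuffield's post or from the NHS; the first-party host, the sample markup and the resource paths are constructed for illustration, and the two-label domain comparison is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch a resource without any click.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

def site(host):
    # Assumption for brevity: the last two labels approximate the registrable
    # domain. Real audits should use the Public Suffix List (e.g. for .co.uk).
    return ".".join(host.lower().split(".")[-2:])

class EmbedAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site(urlsplit(page_url).hostname)
        self.third_party = {}  # host -> set of tag names that load from it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" is a reference, not a fetch
        # urljoin resolves relative and protocol-relative ("//host/...") URLs.
        host = urlsplit(urljoin(self.page_url, value)).hostname
        if host and site(host) != self.first_party:
            self.third_party.setdefault(host, set()).add(tag)

def audit(page_url, html):
    """Return {third-party host: {tags}} for resources fetched on page load."""
    auditor = EmbedAuditor(page_url)
    auditor.feed(html)
    return auditor.third_party

# Constructed sample: not the real NHS Choices markup; paths are placeholders.
PAGE_URL = "https://www.health-site.example/conditions/back-pain"
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://other.example/back-pain">
<link rel="stylesheet" href="/static/site.css">
<script src="//www.google-analytics.com/constructed.js"></script>
<script src="https://webtrendslive.com/constructed.js"></script>
<script src="https://addthiscdn.com/constructed.js"></script>
</head><body><img src="https://img.health-site.example/spine.png">
<iframe src="https://www.facebook.com/plugins/like.php?href=constructed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, tags in sorted(audit(PAGE_URL, SAMPLE_HTML).items()):
        print(host, sorted(tags))
```

This only sees static markup; scripts can add further requests at run time, so the result should be compared against the browser's network log for the same page.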

Attention has focused on the presence of Facebook's Like button on the site. If a person is logged into Facebook and visits a Choices web page, information about that visit is transmitted to both Facebook and the NHS. Facebook will see a visitor's Facebook user ID, computer operating system and IP (Internet protocol) address, among other information.

If a visitor clicks the "Like" button, Facebook analyzes the page and focuses on keywords -- such as "back pain" -- to deliver targeted advertisements to the user, although it says the data on the web pages visited is not shared with advertisers.

Even if a visitor to NHS Choices is not logged into Facebook, the social networking site will still receive the person's IP address and operating system version, but not their user ID. Facebook will retain that data for 90 days before deleting it, an industry-accepted time frame, according to a company spokeswoman.

The primary question revolves around whether users are actually aware of what's going on.

NHS Choices explains how the Like button works in its privacy policy, which was last modified in July, around when the Like button was incorporated on its web pages.

"When visiting NHS Choices pages that display a Facebook Like button, information relating to the date and time of your visit, the web page you are on (commonly known as the URL) and other technical information about the IP address, browser and operating system you use will be collected by Facebook," the policy says. "If you are logged into Facebook, your user ID number will also be associated with the information mentioned above. For more information, read the Facebook privacy policy."

Tom Watson, Member of Parliament for West Bromwich East, wrote to the U.K.'s Secretary of State for Health earlier this week to point out that it could be embarrassing if information collected on users was leaked.

"I understand the demands to offer government service online but this should not be achieved at the price of privacy," Watson wrote. "I urge you to take steps to ensure that third-party websites should not have access to such information. This could be simply achieved by ensuring all third party interaction is run on an opt-in system, rather than the current opt-out model."

In response, NHS Choices plans to examine its privacy policy and possibly make changes to make it clearer how visitors are being tracked on a page, a spokesman said.

"Facebook capturing data from sites like NHS Choices is a result of Facebook's own system," the NHS said. "When users sign up to Facebook, they agree Facebook can gather information on their web use."
