sending personal data to Twitter, Yahoo and Google

Privacy advocates warn the data could be misused

Information entered into the US government's health insurance website is being passed to companies such as Twitter, Yahoo and Google, according to a report from the Associated Press.

The data includes zip codes, income levels and information about whether people smoke or are pregnant, which users share on the site to get an estimate of the cost of an insurance plan.

The AP's findings were confirmed by the Electronic Frontier Foundation (EFF), which conducted its own tests on Tuesday, said Cooper Quintin, an EFF staff technologist, in a phone interview.

The EFF found that personal health information was sent to 14 third-party domains whose tracking programs are embedded in the site. The domains include those for social media and web analytics companies.

The health data is transmitted in two ways. All 14 domains receive the health data in a referrer, Quintin said. A referrer is information sent from a Web browser that lets another website know what site a person last visited.

In some other cases, the data is embedded in a request string that is sent to the tracking programs, Quintin said. For instance, Google's DoubleClick advertising service receives the data in that way, according to a blog post he wrote.
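The two channels described above can be checked for in a capture of a page's outgoing requests. The following is an added example, not code from the EFF or the AP; every host name, parameter name and value in it is constructed sample data, and the "last two labels" site comparison is a simplifying assumption.

```javascript
// Audit captured requests for form data reaching third-party hosts,
// either in the Referer header or inside the tracker's own request string.
const SENSITIVE_KEYS = ["zip", "income", "smoker", "pregnant"]; // assumed names

// Simplified same-site test (assumption): compare the last two host labels.
// A production audit should use the Public Suffix List instead.
const site = (hostname) => hostname.split(".").slice(-2).join(".");

// Return the sensitive key=value pairs found in a URL's query string.
function sensitiveParams(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return []; } // not a URL
  const found = [];
  for (const [k, v] of url.searchParams) {
    if (SENSITIVE_KEYS.includes(k.toLowerCase()) && v !== "") found.push(`${k}=${v}`);
  }
  return found;
}

function auditRequests(pageUrl, requests) {
  const firstParty = site(new URL(pageUrl).hostname);
  const leaks = [];
  for (const req of requests) {
    const reqUrl = new URL(req.url);
    if (site(reqUrl.hostname) === firstParty) continue; // first-party request
    const viaReferrer = sensitiveParams(req.headers.referer || "");
    // Sensitive keys sent directly, or a page URL nested in a parameter value
    // (searchParams iteration already percent-decodes each value).
    const viaRequest = sensitiveParams(req.url);
    for (const [, v] of reqUrl.searchParams) viaRequest.push(...sensitiveParams(v));
    if (viaReferrer.length) leaks.push({ host: reqUrl.hostname, channel: "referrer", data: viaReferrer });
    if (viaRequest.length) leaks.push({ host: reqUrl.hostname, channel: "request-string", data: viaRequest });
  }
  return leaks;
}

// Constructed capture: a results page whose URL carries the form answers.
const PAGE = "https://insurance.example/plans/results?zip=12345&income=35000&smoker=1&pregnant=1";
const CAPTURE = [
  { url: "https://insurance.example/assets/app.js", headers: { referer: PAGE } },
  { url: "https://cdn.social-widget.example/button.js", headers: { referer: PAGE } },
  { url: "https://ads.tracker.example/activity?src=123&u=" + encodeURIComponent(PAGE),
    headers: { referer: "https://insurance.example/" } },
  { url: "https://fonts.static.example/font.woff", headers: {} },
];
console.log(auditRequests(PAGE, CAPTURE));
```

A `Referrer-Policy` response header such as `strict-origin-when-cross-origin` or `no-referrer` keeps the query string out of cross-origin referrers. It does nothing for the request-string channel, which only goes away when the embedded tracker stops being sent the data.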

The worry is that those 14 third-party domains could collect the information and use it to identify users across the Internet for purposes such as targeted advertisements.

"This information, I would say, would be gold for any online advertising company," Quintin said.

There is no evidence that the companies that have trackers are misusing the information, however, and it's unclear if the data is being transmitted intentionally or as the result of an oversight by developers.

Quintin said trackers such as Twitter and YouTube may be there for the site's developers, or to make it easier for people to share content about health care on social media sites.

"I'd say most of these are probably on here just to make life easier for the web developers working on this," Quintin said. "But I think there are better ways to do all of these things which would still retain people's privacy."

The site's developers could make their own sharing button that doesn't link directly to Twitter, or run their own analytics software, Quintin said.

Officials with the site could not be immediately reached Tuesday evening.

Follow me on Twitter: @jeremy_kirk
