Outrage as NHS allows Facebook tracking of website users

Research shows NHS Choices passes browser information to Facebook

Stewart Mitchell
23 Nov 2010

Online identity experts have expressed outrage that an NHS website is allowing Facebook to track users on one of its sites, where information such as which pages they have visited can be harvested by the social network.

Research from online privacy company Garlik discovered that the NHS had integrated the NHS Choices site with the Facebook Connect platform, in order to allow easier sharing and the use of the "Like" button on its pages.

However, that also allows Facebook to track users across the site, where citizens are encouraged to research potentially embarrassing ailments.

The NHS is sharing this information out liberally and the users don’t know it and can’t opt out of sharing even if they did

“What right has the NHS to share any information about the browsing of NHS Choices with Facebook?” asked Mischa Tuffield, the Garlik software developer that made the discovery. “The NHS is sharing this information out liberally and the users don’t know it and can’t opt out of sharing even if they did.”

The researcher also found that the NHS has associations with three other tracking companies – including Google - but could only prove that Facebook was actively receiving user data.

“So a young mother is logged on to Facebook talking to friends and is also looking for some advice about depression on NHS Choices and bingo – although she doesn’t know it – Facebook now knows she has looked at this page,” Tuffield said.

A spokesperson for the Department of Health admitted the relationship with Facebook, and justified it by saying the data exchange was mentioned in its privacy policy.

"The privacy policy, which is on the homepage of site, makes clear that when certain features from partners are used, like Facebook's 'Like' button, information relating to the date and time of your visit and other technical information will be collected by Facebook,” the spokesperson said.

Logging out

Incredibly, the spokesperson put the onus on web users, saying they should log out of social networks before accessing the NHS Choices website.

"People should log out of Facebook properly, not just close the window, to ensure no inadvertent data transfer," the spokesperson said.

However, the NHS's stance cuts little ice with Tuffield, who said the inclusion of details in the privacy policy merely highlighted the fact that management knew of potential problems.

“The sharing is mentioned in the NHS web site privacy policy, which means the NHS made a conscious decision to do this 'sharing' and that is even more astounding,” he said.

To make matters worse, according to Tuffield, the information given out regarding logging off is inaccurate.

Unless a user has cleared cookie information from their browser, Tuffield said, the cookie would still be active and let Facebook track users across pages with its 'Like' button built in.

"If you have ever visited and logged into www.facebook.com from your browser, they will drop a cookie on you," Tuffield said. "Regardless of whether you are logged in or logged out, every page with the iframe based implementation of the 'Like' button will see this cookie."

"This is not common behaviour for your average website, to be frank," Tuffield said. "I think that your average web user has no idea what a cookie is and they can't be expected to delete their cookies before turning up to the NHS website."

We are waiting for Facebook to come back to us on whether NHS Choices users can be traced by the social network even when they are not logged in.

Read more about: