The U.K.’s National Health Service plans to make clearer the privacy policy of its Choices health information Web site, which shares browsing information with Facebook, following complaints from a security expert and a lawmaker, an NHS spokesman said Thursday.
The NHS Choices website incorporates Facebook’s “Like” button, which enables users to share information they find useful on their social networking profile. But the NHS has come under fire over whether users are actually aware of how much information the “Like” button transmits to Facebook, considering that Choices deals with health information.
The brouhaha started with a blog post from Mischa Tuffield, a developer at Garlik, a company that specializes in prevention of identity theft. He found that NHS Choices uses four third-party advertising services or trackers on its health information pages.
Two of the trackers, from Google Analytics and webtrendslive.com, appear to be for analytics purposes. Another is addthiscdn.com, a social bookmarking tool, while the fourth is Facebook’s “Like” button. If clicked, that button shares the content of the Web page carrying it on the visitor’s Facebook profile page.
Attention has focused on the presence of Facebook’s Like button on the site. If a person is logged into Facebook and visits a Choices web page, information about that visit is transmitted to both Facebook and the NHS. Facebook will see a visitor’s Facebook user ID, computer operating system and IP (Internet protocol) address, among other information.
If a visitor clicks the “Like” button, Facebook analyzes the page and focuses on keywords — such as “back pain” — to deliver targeted advertisements to the user, although it says the data on the web pages visited is not shared with advertisers.
Even if a visitor to NHS Choices is not logged into Facebook, the social networking site will still receive the person’s IP address and operating system version, but not their user ID. Facebook will retain that data for 90 days before deleting it, an industry-accepted time frame, according to a company spokeswoman.
The primary question revolves around whether users are actually aware of what’s going on.
NHS Choices explains how the Like button works in its privacy policy, which was last modified in July, around when the Like button was incorporated on its web pages.
“When visiting NHS Choices pages that display a Facebook Like button, information relating to the date and time of your visit, the web page you are on (commonly known as the URL) and other technical information about the IP address, browser and operating system you use will be collected by Facebook,” the policy says. “If you are logged into Facebook, your user ID number will also be associated with the information mentioned above. For more information, read the Facebook privacy policy.”
Tom Watson, Member of Parliament for West Bromich East, wrote to the U.K.’s Secretary of State for Health earlier this week to point out that it could be embarrassing if information collected on users was leaked.
“I understand the demands to offer government service online but this should not be achieved at the price of privacy,” Watson wrote. “I urge you to take steps to ensure that third-party websites should not have access to such information. This could be simply achieved by ensuring all third party interaction is run on an opt-in system, rather than the current opt-out model.”
In response, NHS Choices plans to examine its privacy policy and possibly make changes to make it clearer how visitors are being tracked on a page, a spokesman said.
“Facebook capturing data from sites like NHS Choices is a result of Facebook’s own system,” the NHS said. “When users sign up to Facebook, they agree Facebook can gather information on their web use.”