Back in 2010, Tom Watson MP raised a problem in parliament. https://www.theregister.co.uk/2010/11/24/nhs_connect_facebook_privacy_fears/ That was not resolved: instead, Facebook, Google, WebTrends and many more got and still get a lot of data about your browsing habits on the NHS services online. Do not expect it to be anonymised: I found that the data is often identifiable to your email address or online accounts with the companies. Where they are not, they are often identifiable to a profile about you which is also a breach of your privacy! FYI: I want this to stop as soon as possible so have added created two petitions that you can sign if you wish.
- https://www.change.org/p/uk-parliament-nhs-should-respect-privacy-online (can be petitioned on an international basis, NHS isn't just a service used by UK citizens and provides space to give details)
- https://petition.parliament.uk/petitions/222766 (awaiting review, not such space to describe)
What they gotFacebook and others were told for over 7 years about what concerns you had for your health. The details sent to them were often in context of you, like your Facebook user id. The advertising arms of some of the companies uses this data as "audience" data and whether they filtered NHS or not, their motive for asking for it, was to discriminate on whether you were targeted for marketing campaigns: this is one of the primary reasons why healthcare should be private... if they did use the data, then expect to have suffered adverts for funeral directors when you looked for cancer, ecigarettes when you tried to stop smoking, etc, in an advertising context, this nature of data leaking is quite disturbing and would put people at risk of advertising when they are at most risk.
They put at risk more from what they gotIf these companies wished to, then they had access to a treasure trove of information about significant people in the public. From companies executives and celebrities, to whistleblowers and criminals. Had this data leaked (leaks can easily happen https://www.zdnet.com/article/alteryx-s3-leak-leaves-120m-american-households-exposed/) or been hacked then the risk to not just individuals but what they are involved with could have affected reputations, legal cases and allowed for insider trading.
Protect yourselves from the NHSLook into Tor, Brave Browser, Privacy Badger and similar technologies to stop trackers. Use one off private browsing mode sessions where possible too. Look into alternative healthcare sites... seriously, there might be some other public health bodies, especially from other countries, that may protect your privacy better.
Next StepsWe should take legal action against the NHS. Not because we want to take money out of it, but because they need to stop. The precedent set by allowing the NHS to do this, would be to allow everyone to.
Some backgroundI noticed this last year when trying to make sense of how https://joinpouch.com/ (seriously, do not join them, they were a security nightmare when I looked into this), were able to advertise an e-cigarette company on the NHS Stoptober campaign (their extension matched the nhs page against a dictionary they provided the extension to be sent the advert and captured tracking data on your visit). Whilst investigating I spotted various analytics, tracking and advertising companies loading on the Stoptober page and thought, this can't all be Pouch: they're bad, but not that bad and sure enough, with the extension not installed it turned out the NHS website was a mess of online tracking. Then started months of emails to and fro between NHS Choices/Digital, NHS England and Public Health England: along with my MP, Matthew Hancock's office, the ICO and a few organisations and journalists I've tried to rally to help. The position now:
- NHS England largely agreed, they removed much of the advertisers/social media tracking: I think they can do better
- NHS Digital largely agreed and they removed much advertisers/social media on the NHS Choices pages.
- Public Health England pretty much ignored the complaint and said users have agreed to it.