Facebook is able to see a customer’s User ID, IP address and operating system if the customer is logged into Facebook at the time they visit a site that uses certain features of Facebook Social Plug-Ins. Does this sharing pose a serious privacy risk?
“Those who cannot remember the past are condemned to repeat it.” - George Santayana
The world of security research has to be primarily forward-looking. While new twists on old threats are seen all the time, and wheels are constantly reinvented, I seem to spend more time gazing into crystal balls (usually at the request of PR and media people) and extrapolating from recent data than I do looking back at more than twenty years in IT security.
In the past few weeks, though, I’ve found myself looking back to an earlier stage in my career, when my field was medical informatics, though very much with a systems support and security bias. From 2001 to 2006, I was a senior manager in the UK’s National Health Service, where I ran the Threat Assessment Centre and specialized in malware management. A month or two ago I was talking to SC Magazine’s Dan Raywood about that period and, more generally, security and healthcare in the UK, and he subsequently used that conversation as the basis for a lengthy article.
The comments he used for that were mostly based on my experience during that period, of course, since as a researcher in a commercial environment I don’t have access to NHS insider information. But have things changed? Perhaps less than I’d like, and at any rate not particularly for the better.
A few days ago, John Leyden of The Register brought to my attention a story about the NHS Choices Web site. I guess you could describe NHS Choices as a portal: it opens onto a wide range of options that include information on hundreds of medical conditions, various medical services, and much more. It claims to be “the biggest and most visited health information website in Europe, with more than 100m visits in the past 12 months alone.”
The story concerns the association of the NHS Choices web site with Facebook. And if you share my concerns about Facebook’s at best ambivalent attitude to privacy and the care of its customers’ data, you too are shielding your eyes from a big red light. Facebook has its good points, I guess, but its core business is the sharing of its customers’ information: as Mischa Tuffield, a researcher at the online privacy company Garlik, revealed, the site has been integrated with the Facebook Connect platform “in order to allow easier sharing and the use of the ‘Like’ button on its pages.” Knowing my interest in and experience of NHS security, John wanted to know if I had any comments. Indeed I did, but I wanted to expand on those comments.
The NHS is bound (or should be) by a range of legislation governing the use of patient and other sensitive data that’s specific to UK healthcare: we’re not just talking about obviously relevant legislation such as the Data Protection Act. The DPA isn’t so much about the protection of data from outside attack (though that is addressed by the 7th of the eight principles enshrined in the Act): it’s about regulating the processing, storage and sharing of both personal and sensitive data, and it is itself the UK’s implementation of the European Data Protection Directive (95/46/EC), with which all member states of the European Union are expected to comply. While the DPA and such supplementary legislation as the Access to Health Records Act aren’t directly related to the story, the message is clear: sensitive information about medical conditions isn’t for sharing.
So why, I have to wonder, would the NHS expose its customers to the attentions of a company whose sole commodity is its customers and whose core business is the sharing of their data rather than its protection? “Information wants to be free”, we are often told, though misinformation has had the freedom of the Internet since before it was called the Internet. Certainly the “share and share alike” culture of Web 2.0 and the social media has permeated every aspect of online life, and Facebook’s record on data protection is wobblier than most. However, The Register tells us that Facebook claimed in a prepared statement that it doesn’t share the data from social plug-in partner sites such as NHS Choices with third parties.
• Well, I don’t suppose Facebook is selling on the data from social plug-in partner sites to a third party.
• I dare say that it does believe that “the tie-up ... allows users to more easily share information about disease prevention with their contacts on Facebook.” (That might even be true in some instances.)
• Let’s assume that they’re correct in saying that impression logs (which constitute a record of every time the user clicks on a Like button) are deleted within 90 days and are not shared with advertisers, except as aggregated and anonymized data (though that doesn’t, apparently, stop advertisers targeting people who have “liked” a specific article).
• Let’s assume that Facebook only uses this data to “create a more personalised experience on the web”: you may or may not be happy to have your experience personalised, but if you’re a Facebook user, you know what to expect.
• Let’s also assume that Facebook users are aware that pressing the Like button will be flagged on their News Feed and therefore “brought to the attention of their friends.” And let’s also hope they are aware that they are responsible for ensuring that their privacy settings are in accordance with their expectations of privacy.
Facebook has made it plain that this is standard FB practice, and indeed describes it as “industry standard data”. What’s the problem, then? Facebook says that “In the same way that the NHS would not share your data, Facebook would not either.” But the NHS has shared data with a third party – Facebook, which gets to see the customer’s User ID, IP address and operating system if the customer is logged into Facebook at the time they visit those pages. Does that sharing pose a serious privacy risk? Not if we accept all Facebook’s assurances above. In fact, for once my beef isn’t with Facebook, which will in any event only see User IDs if the customer is logged in concurrently.
It’s not going to surprise anyone that Facebook expects the customer to make the decision as to whether to forgo that “personalised experience.” But is it reasonable for the NHS to assume that a Facebook user is making that “informed” decision? It’s probable that someone sensitive about being associated with a topic like genital warts, or with medical services like addiction support, cancer support, sexual assault referral centres, mental health services, or self-harm support, would not click on any Like buttons. But that might depend on their understanding of who would have access to such data on their Facebook pages, and there have been too many occasions where expectations of privacy have been disappointed because users hadn’t checked their privacy settings, or didn’t realize that Facebook had changed their defaults.
Of course there are many occasions where healthcare-related data should be shared with the therapeutic community and other parties with a right to it. The data may be trivial, but why does Facebook have a right to it? The company may not have any interest itself in bingo addiction, but I’m not convinced that it has now learned all the appropriate lessons about inappropriate sharing, or that the NHS would notice if it decided to change the ground rules (again).
Tim Berners-Lee recently published an article in Scientific American called “Long Live the Web: A Call for Continued Open Standards and Neutrality,” in which he argues that “The Web is critical not merely to the digital revolution but to our continued prosperity – and even our liberty. Like democracy itself, it needs defending”. He’s talking about interconnecting “linked” data, and the need to maintain openness rather than maintain borders and establish monopolies. It’s stirring stuff, and he’s not wrong. But he says a lot more about liberty than he does about privacy.
“We should examine legal, cultural and technical options that will preserve privacy without stifling beneficial data-sharing capabilities.”
Well, at least he mentioned it. It’s disconcerting, though, to find the NHS joining the mad rush to share everything with everyone, leaping (on the customers’ behalf) into a relationship with a company whose whole business model is to some extent anti-privacy. There are ways to measure the popularity of individual pages without sharing pre-anonymised data with a third party.
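To make the mechanism concrete, here is an added example (not code from this column, from NHS Choices or from Facebook) showing both halves of the argument: first, why a social plug-in reveals a logged-in visitor to the plug-in host even when nobody presses Like, and how a site can avoid that by rendering an inert placeholder and only loading the third-party embed after the visitor explicitly opts in; second, the first-party alternative for measuring page popularity, which aggregates the site’s own access log into per-page totals and keeps nothing about individual visitors. The host names, the plug-in URL path and the log lines are assumptions constructed for illustration.

```javascript
// Added example, not code from the article or from the NHS or Facebook.
// The leak described in the column happens because the plug-in's iframe or
// script is fetched from the third-party host on every page load, and the
// browser attaches that host's cookies to the request. The placeholder below
// references no third-party resource, so nothing is fetched (and no cookie is
// sent) until the visitor opts in. Host names and the plug-in path are assumed.

const FIRST_PARTY_HOST = "www.nhs.uk";      // assumed first-party host
const PLUGIN_HOST = "www.facebook.com";     // assumed third-party plug-in host

// Minimal HTML attribute escaping so a page URL cannot break out of the markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return every host referenced by a src= or href= attribute that is not the
// first-party host. An empty list means the markup causes no third-party fetch.
function thirdPartyHosts(html, firstParty = FIRST_PARTY_HOST) {
  const re = /(?:src|href)=["']https?:\/\/([^/"'\s]+)/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = m[1].toLowerCase();
    if (host !== firstParty.toLowerCase()) hosts.add(host);
  }
  return [...hosts].sort();
}

// Inert placeholder: a plain button and a one-line explanation, nothing remote.
function renderPlaceholder(pageUrl) {
  return (
    `<div class="share-placeholder" data-page="${escapeAttr(pageUrl)}">` +
    `<button type="button" data-action="activate">Enable Like button</button>` +
    `<p>Activating this loads content from ${PLUGIN_HOST}, which then learns ` +
    `that you viewed this page if you are logged in there.</p>` +
    `</div>`
  );
}

// The real embed, rendered only after consent. The path is illustrative.
function renderPlugin(pageUrl) {
  const src = `https://${PLUGIN_HOST}/plugins/like.php?href=${encodeURIComponent(pageUrl)}`;
  return `<iframe src="${escapeAttr(src)}" width="90" height="20" title="Like button"></iframe>`;
}

// Consent is per page load and defaults to "not given".
class ShareWidget {
  constructor(pageUrl) {
    this.pageUrl = pageUrl;
    this.consented = false;
  }
  render() {
    return this.consented ? renderPlugin(this.pageUrl) : renderPlaceholder(this.pageUrl);
  }
  activate() {            // wired to the placeholder button's click handler
    this.consented = true;
    return this.render();
  }
}

// First-party popularity: count successful page views from the site's own
// access log. Only the request path is kept; client address and user agent
// are read past and discarded, so no per-visitor record leaves the server.
function countViews(logLines) {
  const counts = new Map();
  const re = /"GET (\S+) HTTP\/[\d.]+" (\d{3})/;
  for (const line of logLines) {
    const m = re.exec(line);
    if (!m || m[2] !== "200") continue;
    const path = m[1].split("?")[0];          // drop query strings
    counts.set(path, (counts.get(path) || 0) + 1);
  }
  return counts;
}

// Constructed sample log lines in common log format (not real NHS traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Dec/2010:10:01:02 +0000] "GET /conditions/warts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Dec/2010:10:01:05 +0000] "GET /conditions/warts?tab=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [10/Dec/2010:10:02:00 +0000] "GET /services/mental-health HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [10/Dec/2010:10:02:01 +0000] "GET /missing HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
];

// Usage: before consent no third-party host is referenced; after consent only the plug-in host is.
const widget = new ShareWidget("https://www.nhs.uk/conditions/warts");
console.log("third-party hosts before consent:", thirdPartyHosts(widget.render()));
console.log("third-party hosts after consent: ", thirdPartyHosts(widget.activate()));
console.log("page views:", Object.fromEntries(countViews(SAMPLE_LOG)));
```

The `thirdPartyHosts` check is the kind of test a site could run over its rendered templates to confirm that sensitive pages reference no remote resource until the visitor acts; the view counter shows that the popularity figure the plug-in would have provided can be produced from logs the site already holds, without a third party seeing who read which page.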
Santayana didn’t mean, I’m sure, that change is a Bad Thing. But just accepting change and going with the flow rather than looking for the underlying patterns and learning from them is neither progress nor scientific. The words that actually precede that quote are instructive.
“Progress, far from consisting in change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual.”
When an organization, especially one with the heavy legal and ethical responsibilities that the NHS bears, forgets where it came from in the rush to conform to a prevailing trend for undiscriminating data disclosure driven by very different commercial considerations, something is very wrong.
Disclosure: SecurityWeek does utilize Facebook sharing features