
SoylentNews is people

posted by martyb on Friday January 23 2015, @02:07AM
from the hear's-looking-at-you dept.

Researchers from the EFF (Electronic Frontier Foundation) have independently confirmed that healthcare.gov is sending personal health information to at least 14 third-party domains, even if the user has enabled Do Not Track. The information is sent via the HTTP referrer header (spelled `Referer` on the wire), which contains the URL of the page requesting a third-party resource.

In one example, a URL at doubleclick.net is requested by your browser. Appended to the end of this URL is your age, smoking status, preganacy status, parental status, zip code, state and annual income. This URL is requested by your browser after you fill out the required information on healthcare.gov and click the button to view health insurance plans that you are eligible for.
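
The referrer mechanism described above, as an added example that is not part of the original story or of the EFF's analysis: it computes the `Referer` value a browser would send with a third-party resource request under each Referrer-Policy setting and lists which query parameters ride along. The hostnames, parameter names and values are constructed, and the downgrade check is simplified to https versus non-https.

```javascript
// Added example. All URLs, parameter names and values below are constructed.
const SENSITIVE = ["age", "smoker", "pregnant", "parent", "zip", "state", "income"];

// Referer value for a request from pageUrl to requestUrl under a given
// Referrer-Policy; null means the header is omitted.
function refererFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  const full = page.origin + page.pathname + page.search; // fragment is never sent
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full; // older browser default
    case "strict-origin-when-cross-origin": // current default in major browsers
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Names of sensitive query parameters the third party receives via Referer.
function leakedParams(referer) {
  if (referer === null) return [];
  const query = new URL(referer).searchParams;
  return SENSITIVE.filter((name) => query.has(name));
}

// Constructed results page whose form answers were submitted with GET,
// so they sit in the page URL itself.
const PAGE_URL = "https://insurance.example/plans?age=38&smoker=1&pregnant=0&zip=85601&income=21000";
const TRACKER_URL = "https://ads.example/pixel.gif";

function report() {
  return ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]
    .map((policy) => {
      const referer = refererFor(PAGE_URL, TRACKER_URL, policy);
      return { policy, referer, leaked: leakedParams(referer) };
    });
}

console.log(report());
```

Submitting the form with POST keeps the answers out of the page URL altogether, so nothing sensitive reaches the `Referer` header whatever the policy.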

  • (Score: 0) by Anonymous Coward on Friday January 23 2015, @02:12AM (#137106)

    subject says it.

    • (Score: 3, Insightful) by Adamsjas (4507) on Friday January 23 2015, @02:33AM (#137115)

      Passive income for Google. They own doubleclick.

      Google rushed in to help when healthcare.gov was sobbing on the floor in fetal position, and this is probably their pound of flesh.

      What is mentioned as being sent might be valid search criteria to find plans. But I suspect doubleclick wanted it for advertising on the pages served by those plans, and possibly some other nefarious reasons.

      But with other information Doubleclick can deduce by any number of cookies on your machine, they can pretty much nail it down to which end of the couch you were sitting on when you submitted your healthcare.gov enrollment.

      • (Score: 1, Interesting) by Anonymous Coward on Friday January 23 2015, @12:02PM (#137213)

        They probably can... from not only GPS/Wifi position (and if submitted from a tablet compass orientation), were you connected to the TV or watching it (assuming you tweeted or ran queries related to it)... or used google voice search while watching etc.

    • (Score: 3, Interesting) by ikanreed (3164) on Friday January 23 2015, @03:34PM (#137265)

      Actually, the bigger problem here is that while the government has an exemption for HIPAA rules, doubleclick doesn't. They could be about to face a gigantic lawsuit.

  • (Score: -1, Troll) by Anonymous Coward on Friday January 23 2015, @02:19AM (#137108)

    i like to lean back and forth while standing so my pee pee slaps up against my belly button..

    ...and sometimes it sneaks in.

  • (Score: 1) by cngn (1609) on Friday January 23 2015, @02:31AM (#137113)

    I have always blocked that company, I think from my first days on the internet I had em blocked in my hosts file... now I have most if not all their domains blocked on my router.

    But the slimy bastards I'm sure have other domains and IPs we'll never know about like 2o7.net another bunch of wankers.

    But that doesn't take away from healthcare.gov not knowing better, wtf's up with that, was it by design or accident.

    • (Score: 2) by c0lo (156) on Friday January 23 2015, @02:41AM (#137117)

      But that doesn't take away from healthcare.gov not knowing better, wtf's up with that, was it by design or accident.

      Ah... the pleasure of GET-ing the data to the server instead of POST-ing it.
      Such an easy "mistake" to make, the deniability is fool-proof (fortunately, the fix should also be easy).

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0) by Anonymous Coward on Friday January 23 2015, @02:47AM (#137122)

      Google bought doubleclick like a decade ago.

  • (Score: 3, Interesting) by Runaway1956 (2926) on Friday January 23 2015, @03:30AM (#137130)

    Government and business wanted a law passed, with which government and corporations would not only be permitted, but actually required to share data.

    http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act [wikipedia.org]

  • (Score: 2) by GungnirSniper (1671) on Friday January 23 2015, @03:36AM (#137131)

    It is pregnancy not preganacy.

    • (Score: 2) by aristarchus (2645) on Friday January 23 2015, @07:01AM (#137161)

      It is pregnancy not preganacy.

      I could go for either, so long as they don't know whether my status was smoking or not. That would hurt.

    • (Score: 0) by Anonymous Coward on Friday January 23 2015, @10:39AM (#137200)

      That spelling still doesn't look right, I think the correct spelling is actually "Abdominal Parasitic Infection".

  • (Score: 0) by Anonymous Coward on Friday January 23 2015, @08:08AM (#137172)

    Wow, this level of collusion is amazing! The only conclusion we can draw is actually these 3rd parties aren't: the corporations are the government.

  • (Score: 4, Insightful) by PizzaRollPlinkett (4512) on Friday January 23 2015, @11:55AM (#137210)

    This story has me perplexed, because I can't understand why the government would use an advertising service like doubleclick on one of its web sites. There's just no reason at all. How did this ever get approved? Who approved it? Who signed off on using a scammy, scummy ad service on a government web site like this? The buck has to stop somewhere.

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 2) by Runaway1956 (2926) on Friday January 23 2015, @03:19PM (#137261)

      “Increasing America’s debt weakens us domestically and internationally. Leadership means that ‘the buck stops here.’ Instead, Washington is shifting the burden of bad choices today onto the backs of our children and grandchildren. America has a debt problem and a failure of leadership. Americans deserve better. I therefore intend to oppose the effort to increase America’s debt limit.”

      http://www.washingtonpost.com/blogs/fact-checker/post/annotating-obamas-2006-speech-against-boosting-the-debt-limit/2013/01/14/aa8cf8c4-5e9b-11e2-9940-6fc488f3fecd_blog.html [washingtonpost.com]

    • (Score: 3, Interesting) by pnkwarhall (4558) on Friday January 23 2015, @06:00PM (#137344)

      [W]hy [would] the government use an advertising service like doubleclick on one of its web sites?

      As a supposed "public service", it's arguable what benefits healthcare.org (and whatever federal department runs the service) should be able to get out of visitors signing up for insurance via the site. But to answer your question about why they would use an advertising service, my own experience shows that one use of doubleclick is for re-marketing on Google-owned sites like Youtube. After visiting healthcare.gov a couple of times, I was being served frequent demographically-targeted ads (for a few weeks after) about the importance of purchasing health insurance. And I want to emphasize "targeted" -- using Google's data, I would assume -- the ad was for a college-educated male who skateboards (or at least watches skateboard-related content on Youtube :)

      I think that Soylent-users can come up with plenty of "conspiracy theories" about why the US government would want you to sign up for health insurance via the federal website. But more important is the understanding/realization that there is no separation of "business and state" in the US -- the question about doubleclick usage betrays no understanding of this lack of separation. For instance, HIPAA laws may protect some individuals' privacy, but in the end the process of taking massive sets of personal medical data and private companies using them to market to demographic groups (of these privacy-conscious individuals) **is the whole goal** of that law, from the context of the corps and lobbyists who supported it.

      --
      Lift Yr Skinny Fists Like Antennas to Heaven
    • (Score: 2) by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Friday January 23 2015, @08:49PM (#137411)

      There are many good reasons for government agencies to keep track of those who avail themselves of government services.

      Quite likely some clueless web designer fulfilled a specification checkbox by using a web bug.

      If lots of people use your agency's service, then you have an argument that it should receive continued funding.

      If not, then the patriotic thing would be to request of the President that he ask Congress to cancel your funding.

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 3, Interesting) by MrGuy (1007) on Friday January 23 2015, @04:08PM (#137282)

    HIPAA [wikipedia.org] and friends apply to "business associates" of health care entities that have health care data that can identify an individual, and Doubleclick can hardly claim not to have sufficient information to link any health data they have to an individual.

    That makes Doubleclick subject to massive oversight in their data and disclosure policies, and subject to EXTREMELY significant penalties for disclosing it except in certain very specific cases, even inadvertently. Advertising to you based on your status almost certainly falls under the notion of "disclosing" private medical data. Even if they want to build a database with this data, they can't use it without (in the vast majority of cases) falling afoul of the law. And even a case that's arguable is a massive legal headache.

    I've consulted with several health care companies, and one constant is you NEVER want PHI data living in any system of yours, even transiently or inadvertently. ESPECIALLY if you can potentially tie it back to an individual. The legal headaches are varied and many. IANAL, but I know enough of the law around health data to make very very sure I don't run afoul of it.

    I totally get that having some health data like this is potentially the holy grail to certain advertisers, and certainly large advertising companies aren't particularly invested in the law if there's money to be made. But I personally wouldn't want to mess with health care data law - it's the only real data protection with teeth in the US, and it bites.