NHS should stop sharing data about us

0 have signed. Let’s get to 1,000!


On NHS websites you often get tracked.

Not by a nurse or doctor checking your bed notes, but advertising, analytics and social media companies getting to spy on you.

This is unethical, illegal and those responsible for the NHS website should be facing criminal investigations. Medical professionals, working in the NHS, try to protect our privacy and it's sad the website has given it away.

How is explained below, but fundamentally this petition is about who the NHS shares data with...

Two petitions? The UK parliament petition is pending approval and doesn't have space to convey this message in full, so two is best.

The details for those interested...

I've been complaining privately to the NHS and Public Health England about this since October, but other complaints date back further.

Tom Watson MP raised these concerns in Houses of Parliament in 2010 (https://www.theregister.co.uk/2010/11/24/nhs_connect_facebook_privacy_fears/) this issue is not new and someone needs to answer for why Facebook got 7 years of tracking data and they're likely not the only ones.

Since October, my complaints demonstrated that multiple social media, advertising and analytics companies were getting personally identifiable information (which means they could trace it to online accounts, like Facebook, and/or email addresses) on what NHS website users were looking at on the site and in some cases filling out in forms about their health.

My complaints weren't completely in vain, some of the trackers got removed... quite quickly after I showcased how NHS Choices had given Facebook access to NHS Choices accounts. However, much still remains and Public Health England believes it has consent to include tracking. Read their privacy policy: who are the companies mentioned? AppNexus? RadiumOne? https://www.nhs.uk/oneyou/privacy-policy/

Facebook and others still gets data, like if you're interested in donating blood or organs on https://www.blood.co.uk and https://www.organdonation.nhs.uk/
Does the privacy policy explain this? http://www.nhsbt.nhs.uk/privacy/

It is not just what they are sent...

This is the most worrying concern to start with, but the companies executing scripts in the NHS websites, to do tracking, typically have a lot more access. This was showcased earlier this year by another company executing scripts on the NHS to mine bitcoins when they got hacked ( https://www.theregister.co.uk/2018/02/11/browsealoud_compromised_coinhive/ ). These third party companies can do more than just waste your computer's power, they have the access to act as you and steal your data. It is the digital equivalent of leaving your filing cabinets open and  unattended for Facebook and others to go through; it's not acceptable.

Look for yourself

If you work in IT you know what to do: open developer console, watch network traffic, check cookies (easier in Firefox) and referers.

If you don't try a trusted privacy tool to identify what trackers are turned on. Two not for profit tools:

  • Firefox Lightbeam will tell you who is being contacted.
  • Privacy Badger can spot trackers (beware, it learns what tracks you, so browse around for a bit so it can identify what tracks you before you goto the nhs site).

What should the solution be?
As soon as possible, let's just get them removed. The NHS doesn't need trackers from third party servers for analytics, advertisers or social media on it's own site.

  • Social Media campaigns can remain on Social Media; if you don't use social media then I'm guessing you definitely don't want them getting your data anyway.
  • Audience data can be captured in consensual manners: explicit opt ins, questionnaires/surveys, paid user groups. For the NHS, we can all spare a moment to fill out the odd form when we're comfortable too and know they're the only ones getting the data.
  • NHS doesn't need any third party sites to host analytics to maintain their site technically. Metrics are essentially a table of data, storage is a Time Series Database and Visualisation is a graphing engine on top of a statistics engine. In the tech industry there are multiple solutions that can be used for this like ELK, Grafana/Graphite, InfluxDB, Matomo, ... and they're used on large sites and can be completely self hosted, no one else has access.

Further ahead, I hope criminal investigations do start and a public enquiry looks into why foreign companies, outside of healthcare, with a history of invading privacy, were handed so much data about our browsing habits when seeking medical advice online.

The image on this petition is a snapshot of the nature of data the NHS sent to WebTrends. Included in the data sent is heart condition information captured from a questionnaire, with tracking identifiers. Those identifiers can be often be traced to exactly who you are, as companies like Virgin East Coast, who also use WebTrends leaked email addresses to them with the same tracking ids.

WebTrends is just one company and although it might have gotten more than most, many others got identifiable details of the pages you visited and had access to do what they liked on those pages. Browsing NHS pages for help would indicate an interest in the flu, wanting to quit smoking, worrying about a sexual encounter or that you might have cancer. You might not mind adverts for flu afterwards, but what about smoking products when you want to stop or will writing?

I discovered what the NHS were doing when I was investigating how an advertiser for e-cigarettes was able to get get onto the NHS Stoptober page. It was because of a web extension, not the NHS's site, but it does show that companies do target data they can get on NHS website visitors.

Video: https://www.youtube.com/watch?v=2rFO9lvmFUM
This shows the breadth of tracking loaded on just this page. There are more I've uploaded on Youtube and I have captured further information that demonstrates how Facebook tracking worked and identified people by their social media accounts.


For the tech audience, try to understand this video https://www.youtube.com/watch?v=IhrpWhOnVQE to get an idea of what it means to run third party JavaScript from other companies on your website. Facebook could do whatever they liked on pages they were loaded on.



Today: Mark is counting on you

Mark Richards needs your help with “UK Parliament: NHS should stop sharing data about us”. Join Mark and 524 supporters today.