Data from HSE website users ‘leaked to commercial actors’

Report finds 73 per cent of HSE landing pages contained ‘ad trackers’

The HSE was the worst performing of six national health service websites surveyed by eprivacy firm Cookiebot.

The HSE was the worst performing of six national health service websites surveyed by eprivacy firm Cookiebot.

 

Users of Health Service Executive web pages about sensitive topics such as HIV, crisis pregnancy and cancer mortality are having their data “continuously and invisibly leaked to commercial actors” at a higher rate than similar websites in other European Union countries.

The finding is contained in a study of ‘adtech’ installed on public health service sites, which found that 73 per cent of HSE landing pages contained ‘ad trackers’. Experts said the tracking companies perform similar analysis to controversial British firm Cambridge Analytica.

The HSE was the worst performing of six national health service websites surveyed by eprivacy firm Cookiebot.

Adtech tracks the behaviour of those using websites then compiles it into sophisticated user profiles used for advertising, which in turn are often sold on to third parties. It can monitor which websites users visit, as well as information about what they click on, and other browsing behaviours.

The study identified that the tracking technologies were present in a tool called ShareThis, which featured on all HSE web pages, and is designed to allow users to quickly share the contents of a website on social media.

However, it also acts as a “trojan horse”, releasing trackers from more than 25 companies which gather information on users without their permission. “ShareThis appears to be installed on every single web page of www.HSE.ie. This indicates that a broad spectrum of Irish citizens’ health data is being continuously and invisibly leaked to commercial actors,” according to the study.

Cookie policy

The research found that while the HSE.ie cookie policy, which discloses the terms under which user data is gathered on its site, refers to the ShareThis tool, it makes no reference to the 25 other trackers it loads, which indicates the HSE is not aware of them.

The CookieBot study compiled information on government health service websites that were accessed following searches for health-related terms, such as “I have HIV, now what?” and “I am pregnant, what do I do?”.

The report warned that “behaviour on these sites can be used to infer sensitive facts about [users’] health condition and life situation. This data will be processed and often resold by the ad tech industry.” It found that Google owns several of the most dominant ad-tracking domains found on government and health service landing pages

Sean Blanchfield, an Irish technology entrepreneur who founded and later sold advertising analytics firm PageFair, collaborated with Cookiebot on the report. “I think it’s very serious. It will be alarming to a lot of people in Ireland, ” he said. “The HSE is by quite a distance the worst of all the public health websites [analysed].”

“These companies are in the business of trying to figure out what you’re reading, build a profile of you, attach it to your identity and sell it through partnerships to, typically, marketeers, insurers, credit raters or private detectives.”

Mr Blanchfield said that the use of this sort of information to determine health insurance premiums was more common in the United States than in Europe. He said the companies doing the tracking were similar to Cambridge Analytica, the controversial British firm which was involved in building online campaigns advocating for a leave vote in the 2016 Brexit referendum.

“[They} collect, buy, cross-reference and analyse data about people to either resell or use for personally targeted marketing,” he said. “The only significant difference is the companies in the report don’t specialise in political campaign marketing.”

He urged the HSE to remove the ShareThis tool from its website, and examine the third-party data vendors which are active on its site. However, he warned that much damage had already been done. “It would be maybe impossible to determine what damage has been done to whom. You’re talking about a vast amount of data being sucked up by many companies who have likely been selling the data to other companies”.

Dr Johnny Ryan, chief policy officer with privacy-focused browser Brave, said the research was important in the context of evolving discussions about online privacy. “This is a call to action for governments. These companies must be stopped from inserting themselves between the citizen and the state,” he said.

A HSE spokesman said that it was in the process of redesiging its website and the ShareThis tool is being removed from older versions the HSE website as well. “We take GDPR compliance and our users privacy very seriously and will review this commercial report as part of our continued effort to improve our users’ online experience”.