Who's watching you when you log on to healthcare.gov?
If you're like me and don't give much thought to where your internet surfing takes you, perhaps we should start paying more attention. Fox News is reporting on a little-known aspect of the government-created website for Obamacare, healthcare.gov: dozens of companies are allowed to gather data on your interests and surfing habits in order to form a profile that can be used to target ads specifically tailored to you.
While it's routine for these companies to lurk in the background of big sites, they aren't supposed to be able to access your name, age, or Social Security number. But even without that specific information, the companies can identify you by other means and target ads specifically suited to your interests.
Third-party outfits that track website performance are a standard part of e-commerce. HealthCare.gov's privacy policy says in boldface that "no personally identifiable information is collected" by these web measurement tools.
But in a recent visit to the site, AP found that certain personal details -- including age, income, and whether you smoke -- were being passed along likely without your knowledge to advertising and Web analytics sites.
Google said Monday it doesn't use that kind of data or allow its systems to target ads based on health or medical history information. "When we learn of possible violations of this policy, we investigate and take swift action," the company said in a statement.
Still, the outside connections surprised a tech expert who evaluated HealthCare.gov's performance for AP.
"Anything that is health-related is something very private," said Mehdi Daoudi, CEO of Catchpoint Systems. "Personally, I look at this, and I am on a government website, and I don't know what is going on between the government and Facebook, and Google, and Twitter. Why is that there?"
Created under the president's health care law, HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job.
Tracking consumers' Internet searches is a lucrative business, helping Google, Facebook and others tailor ads to customers' interests. Because your computer and mobile devices can be assigned an individual signature, profiles of Internet users can be pieced together, generating lists that have commercial value.
Third-party sites embedded on HealthCare.gov can't see your name, birth date or Social Security number. But they may be able to correlate the fact that your computer accessed the government website with your other Internet activities.
Have you been researching a chronic illness like coronary artery blockage? Do you shop online for smoking-cessation aids? Are you investigating genetic markers for a certain type of breast cancer? Are you seeking help for financial problems, or for an addiction?
Daoudi's company -- Catchpoint Systems -- came across some 50 third-party connections embedded on HealthCare.gov. They attracted attention because such connections can slow down websites. They work in the background, unseen to most consumers.
The major problem with these third-party sites is that they are a vulnerable portal for hackers to exploit.
"As I look at vendors on a website...they could be another potential point of failure," said corporate cybersecurity consultant Theresa Payton. "Vendor management can often be the weakest link in your privacy and security chain."
A former White House chief information officer under President George W. Bush, she said the large number of outside connections on HealthCare.gov seems like "overkill" and makes it "kind of an outlier" among government websites.
The privacy concerns come against the backdrop of President Barack Obama's new initiative to protect personal data online, a highlight of his State of the Union message scheduled for Tuesday night. The administration is getting the health care website ready for the final enrollment drive of 2015, aiming to have more than 9 million people signed up by Feb. 15 for subsidized private coverage.
Cybersecurity and privacy issues will become more of a problem as hackers successfully evade efforts to combat them and penetrate our personal and commercial networks. We're in an arms race, and we're losing. The hackers are staying one step ahead of our ability to deny them access – a state of affairs that does not bode well for the future. If we can't stop them from accessing our personal information stored on commercial sites, how long will it be before they are capable of taking down the electric grid, or worse?
Congress has got to get off its duff and begin to address this problem before it's too late.