NHS Choices Response To Facebook Security Issue Is Outrageous

Yet another social networking ‘feature’ of Facebook, this time apparently allowing Facebook users to be tracked when visiting sites regardless of whether they clicked “Like”, has hit the headlines because of the privacy violations it raises when users visit the NHS Choices Web site.

According to data security specialist Imperva, although the feature raises concerns about social networking sites’ ability to track their users on third-party sites, what is really outrageous about the saga is the response of NHS mandarins to the problem.

The NHS page includes a script that is hosted on Facebook’s server. When the browser retrieves the script, it sends all the Facebook-related cookies it holds up to Facebook. These are correlated to the Facebook identity of the individual accessing the NHS site.

When this is combined with information from the “Referer” header (which contains information about the actual pages visited), it allows Facebook to track NHS visits of Facebook users even without clicking the ‘Like’ button or being logged in.
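The mechanism described above can be checked on any page. The following is an added example, not code from Imperva or the NHS: it lists each cross-origin script a page loads and what the script's host receives, first with the full-URL Referer the article describes and then under a stricter Referrer-Policy. The function names, domains, cookies and sample page are constructed, and the model treats every cross-origin load as cross-site.

```javascript
// Added illustration; every domain, cookie and page below is constructed.
const SAMPLE_PAGE = 'https://health.example/conditions/example-condition';
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="https://connect.social.example/widgets/like.js"></script>`;
const SAMPLE_JAR = [
  { domain: 'social.example', name: 'uid', sameSite: 'None' },
  { domain: 'social.example', name: 'prefs', sameSite: 'Lax' },
  { domain: 'other.example', name: 'sid', sameSite: 'None' },
];

// Referer header a browser attaches to a cross-origin request under `policy`.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const downgrade = page.protocol === 'https:' && new URL(targetUrl).protocol === 'http:';
  page.hash = ''; page.username = ''; page.password = ''; // never sent in Referer
  switch (policy) {
    case 'unsafe-url': return page.href;
    case 'no-referrer-when-downgrade': return downgrade ? null : page.href;
    case 'origin': case 'origin-when-cross-origin': return page.origin + '/';
    case 'strict-origin': case 'strict-origin-when-cross-origin':
      return downgrade ? null : page.origin + '/';
    case 'no-referrer': case 'same-origin': return null;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Lists each cross-origin <script src> and what its host learns from the fetch.
// The default policy sends the full page URL, the behaviour the article describes.
function auditThirdPartyScripts(pageUrl, html, jar, policy = 'no-referrer-when-downgrade') {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const target = new URL(m[1], page);
    if (target.origin === page.origin) continue; // first-party script, nothing leaves the site
    const cookies = jar
      .filter(c => target.hostname === c.domain || target.hostname.endsWith('.' + c.domain))
      .filter(c => c.sameSite === 'None') // Lax/Strict cookies are withheld on cross-site loads
      .map(c => c.name);
    findings.push({ host: target.hostname, referer: refererFor(pageUrl, target.href, policy), cookies });
  }
  return findings;
}

console.log(auditThirdPartyScripts(SAMPLE_PAGE, SAMPLE_HTML, SAMPLE_JAR));
console.log(auditThirdPartyScripts(SAMPLE_PAGE, SAMPLE_HTML, SAMPLE_JAR, 'strict-origin-when-cross-origin'));
```

The first result pairs the identifying cookie with the exact page visited; the second shows that a stricter policy set by the site operator reduces the Referer to the site's origin.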

But when MP Tom Watson reportedly raised the security issue, back came the outrageous reply that the onus is on users to monitor their privacy on Facebook. Against this backdrop, the NHS’ bald statement that, when users sign up to Facebook, they agree the service can gather information on their Web usage simply does not hold up.

It is outrageous that the NHS has put sole responsibility on the user when it is actually the NHS that is providing the confidential information. Organisations need to take on some responsibility for privacy and security themselves rather than blaming it all on the users.


Amichai Shulman is Co-Founder and CTO of Imperva, where he heads Imperva's internationally recognised research organisation focused on security and compliance. Prior to Imperva, Amichai was founder and CTO of Edvice Security Services, a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Amichai served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.