Scots NHS symptom checker pings Facebook, Google and other ad peddlers NHS Inform, Scotland’s answer to the NHS 111 Online health symptom checker website, is calling user tracking elements from Google and Facebook. The trackers from the two American multinational corporations relate to Google’s Tag Manager product, which interfaces with the Google Doubleclick ad network and Google Analytics, and …
Google Analytics code snippets which can be used to tell the site's managers the number of people coming and going from a particular set of webpages
Gosh, if only it was possible for web servers to keep some sort of record -- a log, if you will -- that could permit site operators to count the mumber of people coming and going from a particular set of webpages. Oh well, a man can dream I suppose.
> The crucial difference between the NHS health symptoms checker website and El Reg is...
When the health website goes "TITSUP" it might actually be a self-examination technique?
[That's a white coat I'll have you know.]
Yeah, but you don't read El Reg to find out about the dangers of Viruses you may have contracted and the spreading of such infections around your population
I don't but my friend has a few questions about an embarrassing medical complaint.
Not only, as other people noted, the content here is much less sensitive. But if there is a complex navigation tree each page can tell something about the answers given by the user. If you add that as usual people navigate on the site while somewhere else they are (or they were) logged in to gmail, facebook or similar the identity can be also verified by correlating the IPs.
Without charge? Didn't know that.
In Spain we get whatever drug is necessary regardless of cost at the standard prescription charge, the NHS limits the cost so won't prescribe many expensive drugs even though they do a better job. At least that is what I am told by a senior nursing sister, I have yet to visit a doctor here, though most of the expats I talk to have good things to say about the system here.
In Wales you can also get a private prescription from an accredited nurse of doctor (after paying them) and pay for the cost of the POM (pharmacy only medicine) at the pharmacy. It is amazing how much some of it costs!
I think it's more astonishing what people outside the UK can purchase direct from a pharmacy without going through a doctor. Some of the stuff would get you in serious trouble if you were caught with it in the UK without it being prescribed.
Of course they outsource the creation of these websites. Do you think even Scots myrmidons have the ability to do it themselves?
The question is: do Google et al pay off the third-party website creators to add all this spycruft? It would explain why it crops up everywhere.
"Not in my experience, no. Usually added by client request (probably because it gives them some pretty visuals to wow their senior management with)."
Back in the day when I built and managed a few website, I just had a script to pull the logs down daily and ran Webalizer on them to produce pretty graphs for those who wanted them.
Is that not the sort of granular information the data fetishists want these days?
Bollocks. If you're logged into Google or Facebook (some people do, I hear...) and browse that website, they've just found out what medical/insurance ads to target you with.
There are two possibilities, either lying or incompetence, which is it this time?
I cannot see the anonymizeIp setting for Google Analytics in the page source. Does anyone know whether it can be turned off without having that? Its a while since I last did it and I cannot remember what the options were.
IN any case they are loading a lot of stuff from other Google sites and a lot of other places so your IP is going to be revealed anyway. We know that FB, for one, tries to track users on other sites
"We identify unique visits, but not individuals"
To do that, they must be recording IP's, which ... didn't someone somewhere recently determine that the IP was personally identifiable information?
https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases
..well, they could do cookies, I suppose.
"PII" is not a defined term under the GDPR. Personal data as defined in the regulation need not be able to identify you on its own, but may do so if accumulated with other information (also not necessarily able to identify you on its own). And none of it need put a name to you to be subject to the requirements of the GDPR. Consequently a web access history tied to a single IP address may be personal data if it's unique (as it probably will be) even if no action is taken to attach a name to the IP address.
Consequently, just for example, facebook widgets on multiple independently hosted web pages might create a browsing profile at facebook that would constitute personal data under the regulation - indeed, depending on the context of the pages viewed, even sensitive personal data requiring data subject consent under Article 9. The nature of the site in question here could quite possibly cause such a profile to fall into this category.
It should be borne in mind by any site owner authorising or allowing allowing such automated tracking that they probably become a joint controller with the tracking organisation, and thereby jointly responsible with that organisation for any breach of the regulation, and it would be no defence to assert ignorance on the basis that web site creation was outsourced.
So if any one of these trackers were to breach your rights under the regulation, the Scottish NHS would be jointly liable, and remember that it's your human rights under the European Convention that are protected, not just your GDPR rights in respect of the data.
They just add the magic word "Scottish" because they can't be seen to be doing the exact same thing as the neighbours, no, no, no...
...a very very similar thing, with a quick lick of tartan paint, perhaps, but not at all the same thing, you understand.
And it keeps a few more civil servants needlessly busy (and paid) while they go through this process, of course.
(In the interests of equality, a similar process has sometimes been known to occur in a southwards direction, when Scotland came up with the idea first.)
I feel a grumpy letter to my MSPs coming on, and I would recommend fellow citizens of Scotland to do likewise.
Thanks for highlighting this: I have noticed so much similar spyware on many health/govt websites, but have never got around to complaining (not least because, before data privacy started to become a big thing over the past couple of years, few politicians would even have understood what quite what the issue was).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
