Scots NHS symptom checker pings Facebook, Google and other ad peddlers
Privacy, what privacy? You can save our lives but you’ll never take our data. Oh, damn, you already have
Exclusive NHS Inform, Scotland’s answer to the NHS 111 Online health symptom checker website, is calling user tracking elements from Google and Facebook.
The trackers from the two American multinational corporations relate to Google’s Tag Manager product, which interfaces with the Google Doubleclick ad network and Google Analytics, and a Facebook user-tracking service, Pixel.
Scots wanting health advice can use the NHS Inform website to answer a series of questions about their illness symptoms before being told what to do. The service is very similar to NHS 111 Online (formerly known as NHS Choices), which does the same thing for the rest of the UK.
On NHS Inform’s “self-help” pages, which are the multiple-question symptom checker, page elements include content from Google Doubleclick, the ad giant’s online self-service ad sales platform, Facebook Pixel, Google Analytics – and a 264 byte GIF from UK ad agency Avid Media, via the agency’s metadsp.co.uk domain.
The NHS Inform page trackers, as gathered from its Self Help Guide: Abdominal Pain page. Click to embiggen
NHS 24, the Scottish version of NHS Digital, told The Register:
All partners that NHS 24 works with are compliant with GDPR regulations around privacy. Google tag manager is used only when working with partner organisations to track effectiveness of health information campaigns which are hosted on our websites and once the campaign is complete the tracking code is removed.
In general, these are not used across the entire site, only at the request of partner organisations to support specific campaign activity. We identify unique visits, but not individuals and do not serve customised adverts to anyone. Our campaigns and those with partners are targeted to the general population of Scotland rather than specific user groups.”
The revelations will cause alarm among those concerned about private corporations gaining access to sensitive health data, especially with the recent announcement that Amazon’s creepy always-on surveillance device Alexa will now be capable of reading out results from NHS 111 Online.
Phil Booth, of campaign group Medconfidential, told The Register: “I think it’s terrible that basically an NHS service is pinging out associated IDs to all these advertisers. What is actually going on here? Certainly with these IDs being pinged around, you’re going to be able to identify an individual and market them based on the pages to which they’re being directed. That’s very bad. Why are they consciously adding code that pings to advertisers? Why was the web development contract not written to deliberately and explicitly exclude any of this advertising?”
NHS 24 said that “all data is anonymised” and cited the Scottish Approach to Service Design in support of its approach. Nonetheless, it remains unclear as to why the NHS Inform site is loading content from adservice.google.com, metadsp.co.uk and Facebook Pixel, particularly as none of the trackers (apart from Google Tag Manager) was present on NHS 111 Online’s site when El Reg visited it and opened up our browser element inspector.
Google Tag Manager is a container for analytics-related content tagging; not necessarily a bad thing. On its own, from the website operator’s perspective, Google Tag Manager can be used to plant Google Analytics code snippets which can be used to tell the site’s managers the number of people coming and going from a particular set of webpages. ®