You may not have applied for universal healthcare under the Affordable Care Act, but more than likely you heard about the online marketplace known as Healthcare.gov and the debacle that surrounded its launch. Multi-hour wait times, the “prison glitch“, and other numerous bugs were everyday occurrences experienced by many while government contractors worked around the clock to fix arguably the government’s most important website ever.
Many of the issues with the site have since been resolved, although the main contractor responsible for the launch of the site, CGI, has since been replaced by Accenture as the lead site operator.
But with the main focus on getting the site to function properly, has privacy taken a back seat?
Privacy
Online privacy is increasingly becoming a concern among Internet users. At InfoTrust, the company behind Tag Inspector, we have Enterprise-sized clients that take privacy very seriously. Enough so that some ban the use of third-party tracking tags and pixels on their sites all together. And others have a list of approved third-party tags but block other non-approved tags. And up until recently, US government websites banned third-party tracking services and apps as well.
That has since changed, when, in 2010, the federal government updated the cookie policy for government properties. The policy was updated to allow third-party apps and tags to be used on government sites to bring their functionality into the 21st century. And this certainly isn’t a bad thing. But, and there’s always a but, there is usually some type of trade-off.
Scanning Healthcare.gov with Tag Inspector
We are always looking for ways to utilize Tag Inspector. Typically, it’s to validate a tag management system or web analytics implementation for clients. But, we also use it to evaluate sites for potential privacy issues. And with the publicity surrounding the Healthcare.gov site, we saw it as the perfect opportunity to see what third-party tracking services the site uses.
Results
We were extremely surprised once we scanned the site and saw the results. Tag Inspector found 30 (yes, 30!) third-party tags present on the site. If this isn’t shocking enough, many of these third-party tags were piggybacking off of other tags and therefore only a tool as powerful as Tag Inspector would be able to see this. These tags would be invisible to other tools like Ghostery.
Here is a visualization of how these tags load on Healthcare.gov:
And here is the full Tag Inspector scan results: https://taginspector.com/scan_results/share/0147e105e04f4b0c903f730065e197f3
There are privacy concerns with third-party tags that piggyback off of other third-party tags. Healthcare.gov might not even know that some of these tags are being loaded on their site. And looking through the screenshot above of the piggybacking tags, a few, like BlueKai, raise some eyebrows because of the nature of the third-party service and the sensitivity of the data Healthcare.gov is collecting.
Healthcare.gov’s Privacy Policy includes a list of the visitor information their “Web measurement software tools” collect:
- Domain from which you access the Internet
- IP address (an IP or internet protocol address is a number that is automatically given to a computer connected to the Web)
- Operating system on your computer and information about the browser you used when visiting the site
- Date and time of your visit
- Pages you visited
- Address of the website that connected you to HealthCare.gov (such as google.com or bing.com)
All of that information is available for free from Google Analytics, which the site uses. So where is the data listed that BlueKai collects?
A quick visit to BlueKai’s website shows this is the information BlueKai may know about you (without you providing it):
What we MAY KNOW about you:
- Age Range
- Gender
- Marital Status
- Military Status
- Language you speak
- Education level
- Occupation
- Age range, gender and approximate number of children in your household
- Health and Wellness information (if you express an interest in yoga, or healthy living)
- Housing information (rent, own, etc.)
- Financial information (if you have a mortgage, pay your bills online, looking for a car loan, etc.)
Source: http://bluekai.com/consumers_privacyguidelines.php
Obviously, you can see there is some disconnect between those two lists. So what does it mean exactly? To be honest, I’m not entirely sure. I don’t know how Healthcare.gov uses third-party tools like BlueKai or if they even know BlueKai is present on their site. And in no way am I pointing a finger at BlueKai as an example. I haven’t had the pleasure of using their tool, but I’m confident their tools are safe and secure.
However, Healthcare.gov needs to be more transparent about the amount of third-party tags on their site and what data those third-party tools in fact collect.
Herein lies the power of Tag Inspector. It can be used by many audiences, for many different purposes. Happy scanning!
Concerned about what third-party tags might be loading on your site or others? Run a free Tag Inspector scan today!
Blog post by Andy Gibson.
