
AIDS.gov Exposed Confidential Medical Requests to Google, Facebook, and Others

The U.S. federal government claims that it is all about patient privacy — rules that are ostensibly codified under the Health Insurance Portability and Accountability Act of 1986 (HIPAA).  But if recent revelations about AIDS.gov are any indication, living up to its lofty claims is pretty low on its priority list.
 
I. Glaring Privacy Violations
 
The latest black mark on the government’s checkered record is AIDS.gov.  Launched in 2006, this website was under the auspices of the U.S. Department of Health and Human Services (HHS).

Quickly achieving a high search index ranking, the government-backed site offered users tools to search for prevention, diagnostic, treatment, and financial aid resources relating to the Human Immunodeficiency Virus (HIV).  The site also promoted itself via a variety of social media and digital advertising campaigns with the ostensible goal of encouraging more widespread testing for the virus.
 
All appeared to be going well.  The site even won the 2008 American Association of Webmasters Gold Award, a peer-reviewed award for excellence in website design and coding.  But things took a questionable turn in 2010 when the site was revamped to feature location-aware services, and location-aware mobile apps were launched.
 
(An interesting side note; according to Alexa.org, it appears the site is more heavily visited by females than males, which may come as a surprise to some.)

According to an investigation by The Washington Post, from 2010 to sometime in 2013, the site recorded users’ location data in unencrypted messages, messages that could easily have been monitored by third parties.  If such lax handling occurred for non-digital medical records it would likely result in serious fines, or even criminal charges.  But in the government’s case, it was conveniently overlooked.
 
The breach was first found by a lawyer — Steve Roosa — who works as a partner at the law firm Holland & Knight.  Mr. Roosa was studying websites’ code to examine whether government healthcare websites were living up to federal healthcare privacy laws.

The location-aware services were added with the launch of mobile apps in 2009. [Image Source: HHS]

Given the stigma surrounding HIV, Mr. Roosa said he initially expected AIDS.gov to be among the most robust government healthcare sites in terms of privacy protections.  But he quickly discovered that was not the case.  In fact, the site was operating entirely without encryption, exposing users’ data in an apparent violation of HIPAA laws.  He states:
  It is somewhat shocking, and more than a little ironic, that HHS has opted not to adhere to its own standards here, when the failure to do so puts sensitive health information at risk.  
To make matters worse, the site wasn’t just exposing searchers’ locations.  It was also allowing third-party scripts and widgets from the likes of Google, Inc. (GOOG), Facebook, Inc. (FB), Twitter, Inc. (TWTR), and Adobe Systems Inc. (ADBE).  
 
II. Exposing Your Personal Healthcare Secrets to Corporate Special Interests?
 
These third parties were allowed to install cookies on visitors’ computers.  A cookie is a small unique identifier that a site’s code can read back to track the user’s visits to its own pages or to affiliate pages.

The site accepted third-party cookies from Google, Facebook, and other partners. [Image Source: Magdex USA]

“If Facebook were inclined to do that [uniquely identify users via watching the unencrypted traffic or via cookies],” Mr. Roosa warned, “they could do that very easily.”
 
Using common de-anonymization techniques, a company like Google or Facebook could have recorded visitors searching for information on HIV infections.  It would not only have had access to their IP and name, via the cookie, but also their location, thanks to the unencrypted request structure of the site itself.  This could have enabled them to target embarrassing advertisements at those looking to discreetly inquire about testing for the disease.
 
And users would likely not realize the danger, as the site proclaimed that it did not use a cookie.  Indeed, the government’s own code for the site was anonymous, albeit unencrypted; it did not use cookies.  But buried deep in the fine print of the site’s terms was the allowance of third-party cookies.  So users were operating under a false sense of security all along.
 
III. Wanton Disregard for Its Own Laws
 
Many are frustrated that the government would allow such a careless apparent violation of its own medical privacy laws.  That frustration doubles when civil liberty advocates consider that the U.S. government spends billions of taxpayer dollars to spy on millions of Americans.  Clearly it is not for want of sophistication when it comes to security.  In that light, the lack of security surrounding AIDS.gov looks less like mere incompetence and more like wanton disrespect for the law, according to digital activists.
 
The director of technology projects for the Electronic Frontier Foundation (EFF), Peter Eckersley, states:
  We should be exasperated at the lack of security competence of so many branches of our government, when clearly that government does employ a lot of people who understand exactly how cyber-security works and how to break it.  
The Washington Post writes that after it began asking questions in 2013, the government revised the site to start using SSL (https) encryption.  Both the website and the AIDS.gov smartphone app were updated to include encryption.

[Image Source: Avii/Dreamstime] 
The site’s director, Miguel Gomez, remarks:
  We started requiring SSL for the [services] Locator because we understood that information should be encrypted to protect privacy.  
The director says the site’s switch to SSL was planned and not a result of the media inquiry.  There is some evidence that it is telling the truth.  Even after the inquiry, a subsite (locator.aids.gov) which linked users to HIV treatment centers continued to transmit users’ zip codes in unencrypted intersite messages, raising the potential that third-party widgets or malicious hackers could snoop on that traffic for profit or for more malicious ends.  That site finally turned on encryption last Tuesday, in what a spokesman said was a planned update.
 
Most banks and online shopping websites have operated encrypted for years.  It’s unclear what excuse the government has for not meeting the industry standard — and arguably its own laws.
 
IV. Criticism for Slow Response, Ongoing Flaws Continues
 
Even search engines have been switching to encrypted traffic, in light of government spying.  Suffice it to say that the HHS’s IT staff is behind the times on this issue.

A spokesperson for Whitman-Walker Health, a Washington, D.C.-based health center specializing in AIDS treatment, issued a criticism of the lax federal handling of patients’ confidential medical details.  Spokesman Shawn Jain states:
  In this day and age, we don’t see any reason for HIV or STI service searches on government websites to be subject to a different privacy standard than searches related to other health conditions, such as searching for mammography or colonoscopy facilities, or information on treatment for cancer or mental health.  
And there are still arguably some issues with the site’s protection of patient privacy, even after the recent SSL rollout, according to Mr. Roosa.  Commenting on the SSL rollout he stated, “I’m tickled. I think it’s great.”
 
But he points out that even though location data is now protected by encryption, snoopers can still see the site the user is sending the message to.  AIDS.gov communicates with the subsite locator.aids.gov and with a sister site maintained by the Centers for Disease Control and Prevention (CDC), hivtest.cdc.gov.  Mr. Roosa suggests that to fully protect users’ privacy, the government should utilize codenamed proxy servers to make it less obvious that the patient is seeking information on AIDS diagnosis or treatment.
 
V. How Secure is AIDS.gov Now?
 
Based on our own inspection of the site, we’d like to put forth a couple more findings.
 
First, while the site does not appear to be using cookies, it is using JavaScript-based tracking to collect the page the user came from.  It does that by running a script (FederatedAnalytics.js) by the U.S. government’s Digital Analytics Program (DAP).  The DAP script does appear to anonymize the user’s IP, as promised, though.
 
AIDS.gov is also running ga.js, a Google Analytics script.  The Google Analytics script appears to respect the https of the locator document (although it may expose the IP still in the case of the bare ‘http’ redirect).  

The government site contains Google Analytics, Add This, and Federated Analytics scripts.  (Federated Analytics is a federal government data mining project.)

Also, to clarify: when visiting the site from a search engine hit, it does not automatically redirect to an https (SSL-encrypted) page.  Rather, it feeds the messages to Google Analytics through https.  But the site itself lacks encryption in many areas.
 
A CloudFlare-hosted script (3698.js) does not appear to have any sort of SSL and redirects traffic to unencrypted Google Searches.  Also, the script related to the “Add This” button (add_this_widget.js) appears to keep the requester’s encryption or lack thereof, so if we read this correctly, that traffic should be unencrypted as well.
 
The button interfaces with email, StumbleUpon, Digg, Delicious, Conde Nast’s Reddit, Twitter, Facebook, and other sites.  Another script (descriptively named “script.js”) appears to be exposing users’ IP in identifiable fashion to Pinterest.  The catch is that the user has to click to share via one of these third parties.

 
Probably the most glaring and needless remaining security flaw is that the search box at the top of the screen appears to direct search queries through an unencrypted Google Search.  This essentially reveals the user (to Google, at least) if they’re browsing from a personal device Google has location/IP information on.

 
Most page scripts do redirect to locator pages with https.  We did find one that didn’t, but the good thing is the page it directs to redirects to SSL locator pages, as far as we could see.
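The kind of inspection described in this section can be done mechanically.  The script below is an added example, not code from the article, HHS, or any of the named vendors: it parses a page’s HTML, resolves every script, iframe, image and form target, and flags loads that go out in plaintext (path and query, such as a zip code, readable on the wire) or to a third-party site (which can set cookies and sees the Referer).  The sample page, its hosts and its file names are constructed for illustration and are not the real site’s markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts and script names are illustrative, not real markup.
SAMPLE_ORIGIN = "https://example-health.gov/locator/"
SAMPLE_HTML = """<html><body>
<form action="http://www.google.com/search" method="get"><input name="q"></form>
<script src="/js/site.js"></script>
<script src="http://cdn.example-cdn.net/widget.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
</body></html>"""

class ResourceCollector(HTMLParser):
    """Collect every URL the browser requests when rendering or submitting the page."""
    TAG_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        wanted = self.TAG_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value))

def site_of(host):
    """Last two labels, so sub-sites of the same .gov domain count as first party."""
    return ".".join((host or "").split(".")[-2:])

def audit(html, page_url):
    """Return (tag, absolute_url, issue) for each load that weakens privacy.
    plaintext:   path and query (e.g. a zip code) are readable on the wire.
    third-party: another site receives the request, its cookies and the Referer.
    Even an https load still exposes the hostname through DNS and TLS SNI."""
    parser = ResourceCollector()
    parser.feed(html)
    own_site = site_of(urlsplit(page_url).hostname)
    findings = []
    for tag, raw in parser.found:
        url = urljoin(page_url, raw)
        parts = urlsplit(url)
        issues = []
        if parts.scheme == "http":
            issues.append("plaintext")
        if site_of(parts.hostname) != own_site:
            issues.append("third-party")
        if issues:
            findings.append((tag, url, "+".join(issues)))
    return findings
```

On the sample, the http search form and the http CDN script are flagged as both plaintext and third-party, while the analytics script and the social iframe are flagged as third-party only; the site’s own relative script is clean.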
