Sends Personal Data to Dozens of Tracking Websites


EFF researchers have independently confirmed that is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.


In some cases the information is also sent embedded in the request string itself, like so:;src=…type=20142003;cat=201420;ord=7917385912018;~oref= &step=4?

In the above example, a URL at is requested by your browser. Appended to the end of this URL is your age, smoking status, pregnancy status, parental status, zip code, state and annual income. This URL is requested by your browser after you fill out the required information on and click the button to view health insurance plans that you are eligible for.
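The two leak paths described above (the full page URL arriving in the Referer header, and the same fields appended to the third-party request) both come down to personal data sitting in a URL's query string. The following is an added Python example, not code from the EFF article: it implements the W3C Referrer Policy rules for deciding what a browser puts in the Referer header and then checks which sensitive fields a given policy exposes to a cross-origin tracker. The hostnames (insurance.example, tracker.example) and the query parameter names are constructed; the article lists the kinds of data leaked but not the exact field names. In 2015 browsers defaulted to no-referrer-when-downgrade, which sends the full URL cross-origin; current browsers default to strict-origin-when-cross-origin, which sends only the origin.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed example: the page a user lands on after submitting the eligibility
# form with a GET request. Parameter names are hypothetical placeholders.
PAGE_URL = ("https://insurance.example/plans?age=40&smoker=1&pregnant=0"
            "&parent=1&zip=12345&state=NY&income=50000#results")

# Constructed cross-origin tracking resource embedded in that page.
TRACKER_URL = "https://tracker.example/pixel.gif?id=abc"

# Query parameters treated as personal data for this check (constructed list).
SENSITIVE_PARAMS = {"age", "smoker", "pregnant", "parent", "zip", "state", "income"}


def _stripped(url):
    """'Strip url for use as a referrer': drop userinfo and the fragment."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def _origin(url):
    """Serialised origin plus '/', the form browsers send for origin-only policies."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, "/", "", ""))


def _same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def _is_downgrade(page_url, request_url):
    """An HTTPS page requesting a plain-HTTP resource."""
    return urlsplit(page_url).scheme == "https" and urlsplit(request_url).scheme == "http"


def referer_header(page_url, request_url, policy):
    """Referer value a browser sends for request_url from page_url, or None
    when no header is sent. Follows the Referrer Policy spec's
    'determine request's referrer' algorithm for each named policy."""
    full = _stripped(page_url)
    origin = _origin(page_url)
    same = _same_origin(page_url, request_url)
    downgrade = _is_downgrade(page_url, request_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":      # legacy browser default
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same else None
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy {policy!r}")


def leaked_fields(referer):
    """Sensitive query parameters present in a Referer value (empty if none)."""
    if referer is None:
        return set()
    return SENSITIVE_PARAMS & set(parse_qs(urlsplit(referer).query))


def leak_report(page_url, request_url):
    """Map each policy to the sorted list of sensitive fields it would expose."""
    policies = ["no-referrer-when-downgrade", "unsafe-url", "origin-when-cross-origin",
                "strict-origin-when-cross-origin", "same-origin", "no-referrer"]
    return {p: sorted(leaked_fields(referer_header(page_url, request_url, p)))
            for p in policies}


if __name__ == "__main__":
    for policy, fields in leak_report(PAGE_URL, TRACKER_URL).items():
        value = referer_header(PAGE_URL, TRACKER_URL, policy)
        print(f"{policy:32} Referer={value!r}\n{'':32} leaks {fields}")
```

Running it shows that the legacy default hands the tracker every field in the query string, while any origin-only policy leaks nothing beyond the site's hostname. A site operator fixes this on the server with a `Referrer-Policy` response header (or a `<meta name="referrer">` tag), and removes the root cause by not putting personal data in URLs at all.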

The following is a table showing which third party domains EFF researchers confirmed were receiving the private health data.

Domain | PII in referrer | PII in request

Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker. Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman's family that she was pregnant before she even told them.


It's especially troubling that the U.S. government is sending personal information to commercial companies on a website that's touted as the place for people to obtain health care coverage. Even more troubling is the potential for companies like Doubleclick, Google, Twitter, Yahoo, and others to associate this data with a person's actual identity. Google, thanks to real name policies, certainly has information uniquely identifying someone using Google services. If a real identity is linked to the information received from it would be a massive violation of privacy for users of the site.

Third-party resources could also introduce additional security risks to the website, with each included third-party resource increasing the attack surface of the site. If an attacker were able to compromise just one of the third party resources included on they could potentially compromise the accounts of every user of The attacker could then sell the Private Health Information or hold it for ransom.


For now, EFF recommends installing software that will block third party tracking, such as EFF's own Privacy Badger. Privacy Badger will block the referrers and the connections to third party sites on and protect your personal health information.

Health information is some of the most sensitive and personal information there is. People's private medical data should not be available to third party companies without consent from the user. This practice is negligent at best, and potentially devastating for consumers. At a minimum, should disable third-party trackers for any user that requests an opt out using the DNT header. Arguably, should meet good privacy standards for all its users.


President Obama will give his State of the Union speech tonight, in which he is expected to address cybersecurity issues. If President Obama is really concerned about cybersecurity, he may want to start in his own backyard, by securing

This post first appeared on Electronic Frontier Foundation and is republished here under a Creative Commons license.




There's a famous saying, "cock-up over conspiracy". Meaning it's more likely that something was just a screw-up than that it was intentional. In this case, I can say that very much applies. The referrer field is sent for various reasons unrelated to personal information (in ad contexts, just to see what client site is requesting the ad, or sometimes to track user movement across these pages). The fact that personal info is getting sent with these the way it is, as a URL query string, makes me think with almost 90% certainty that it wasn't intentional, but rather that when designing the health care website, someone (or multiple people) got lazy and used a GET request rather than a POST request. GET requests are a little bit easier to work with server-side (not much, but a little). In exchange for that ease, though, they put all submitted data directly into the URL. The developers probably didn't even think about how each page's URL is sent off-domain in a referrer field.

So, yeah...not good, but also most likely just a developer's fuck-up.
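The commenter's point that GET form submissions put every field into the URL has a practical consequence for defenders: the site's own access logs record the same data, so they are the quickest place to find forms that need to be converted to POST or covered by a Referrer-Policy. The following is an added Python example, not from the article or the comment, that audits constructed Apache/nginx combined-format log lines for sensitive query parameters in the request target and in the Referer column. The hostnames, addresses and parameter names are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log. Line 1 is a GET form submission,
# line 2 shows the same URL carried onward in a Referer, line 3 is the same
# form submitted with POST (nothing in the URL), line 4 is a harmless search.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2015:14:02:11 -0500] "GET /plans?age=40&smoker=1&pregnant=0&zip=12345&state=NY&income=50000 HTTP/1.1" 200 5120 "https://insurance.example/form" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2015:14:02:12 -0500] "GET /static/app.js HTTP/1.1" 200 88210 "https://insurance.example/plans?age=40&smoker=1" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2015:14:03:40 -0500] "POST /plans HTTP/1.1" 200 5120 "https://insurance.example/form" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2015:14:03:41 -0500] "GET /search?q=dental HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto"
# status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameters treated as personal data (constructed list).
SENSITIVE_PARAMS = {"age", "smoker", "pregnant", "parent", "zip", "state", "income"}


def sensitive_params(url_or_path):
    """Sorted sensitive parameter names found in a URL's or path's query string."""
    return sorted(SENSITIVE_PARAMS & set(parse_qs(urlsplit(url_or_path).query)))


def audit_log(text):
    """One finding per log line and location ('request' or 'referer') where
    sensitive parameters appear in a URL. Unparseable lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            fields = sensitive_params(url)
            if fields:
                findings.append({"line": lineno, "where": where,
                                 "method": m["method"],
                                 "path": urlsplit(url).path, "fields": fields})
    return findings


def paths_submitted_by_get(text):
    """Paths that received sensitive data in a GET request: the forms that
    should be switched to POST (and the pages that need a Referrer-Policy)."""
    return {f["path"] for f in audit_log(text)
            if f["where"] == "request" and f["method"] == "GET"}


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['where']:7} {f['method']} {f['path']} "
              f"carries {', '.join(f['fields'])}")
    print("forms to convert to POST:", sorted(paths_submitted_by_get(SAMPLE_LOG)))
```

The POST submission on line 3 produces no finding, which is the point the comment makes: the same form fields sent in a request body never appear in the URL, and so never reach third parties through a Referer header or end up in logs and browser history.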