HealthCare.gov Sending Personal Information to Tracking Sites

The war over the Affordable Care Act (ACA) is still being waged. Democrats are pointing out that the number of people with health insurance coverage is higher than ever, which isn’t surprising since you’re now required to purchase it by law. Republicans are upset because the ACA is still called ObamaCare and they wanted everybody to call it RomneyCare. Libertarians, rightly so, are asking how a government can force you to buy a product. But there’s a problem with the ACA that has received relatively little coverage. From a privacy standpoint HealthCare.gov is a total fucking nightmare:

EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, it is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from, this would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.

In some cases the information is also sent embedded in the request string itself, like so:

https://4037109.fls.doubleclick.net/activityi;src=4037109;type=20142003;cat=201420;ord=7917385912018;~oref=https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&step=4?

That’s a referrer link from HealthCare.gov to DoubleClick.net that tells the advertiser that the user is 40 years old, that the user (assuming a value of 1 indicates true) smokes, that the user is not a parent, that the user is pregnant, the user’s zip code, the user’s state, and the user’s income.
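As an added example (not code from this post or from EFF), the Python below audits captured requests for both channels described above: a page URL in the Referer header and a page URL copied into the request string. The `SENSITIVE` parameter list, the `tracker.example` host and the last two sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "healthcare.gov"
# Assumption: parameter names treated as sensitive, taken from the URL quoted above.
SENSITIVE = {"county", "age", "smoker", "parent", "pregnant", "zip", "state", "income"}

def is_first_party(url):
    host = urlsplit(url).hostname or ""
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)

def exposed_urls(request_url, referer):
    """Yield (channel, first_party_url) pairs that a single request discloses."""
    if referer and is_first_party(referer):
        yield "referer", referer
    # ";key=value" segments, as in the DoubleClick request string quoted above.
    for segment in request_url.split(";")[1:]:
        key, _, value = segment.partition("=")
        if value.startswith(("http://", "https://")) and is_first_party(value):
            yield "request:" + key, value

def sensitive_fields(url):
    """Non-empty sensitive query parameters carried by a first-party URL."""
    pairs = parse_qsl(urlsplit(url).query)  # blank values are dropped by default
    return {k: v for k, v in pairs if k in SENSITIVE}

def audit(requests):
    # requests: iterable of (request_url, referer_or_None) taken from a capture.
    findings = []
    for request_url, referer in requests:
        if is_first_party(request_url):
            continue  # same-site requests are not third-party disclosure
        for channel, leaked in exposed_urls(request_url, referer):
            fields = sensitive_fields(leaked)
            if fields:
                findings.append({"recipient": urlsplit(request_url).hostname,
                                 "channel": channel, "fields": fields})
    return findings

PLAN_URL = ("https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40"
            "&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&step=4?")
SAMPLE = [
    # Request string quoted in the post (no Referer recorded for it here).
    ("https://4037109.fls.doubleclick.net/activityi;src=4037109;type=20142003;"
     "cat=201420;ord=7917385912018;~oref=" + PLAN_URL, None),
    ("https://tracker.example/pixel.gif", PLAN_URL),         # constructed: Referer leak
    ("https://www.healthcare.gov/static/app.js", PLAN_URL),  # constructed: same-site
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `Referrer-Policy` of `no-referrer` or `strict-origin-when-cross-origin` removes the path and query from the cross-origin Referer header, which closes the first channel. It does nothing for the `~oref` case, where the page's own script copies the URL into the request string.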

You might be curious why a website paid for with taxes is sending health information about its users to an online advertiser. Usually websites only send user data to advertisers if they’re selling it. I wouldn’t be surprised if HealthCare.gov is double dipping by taking tax dollars and selling data to online advertisers. It wouldn’t be a bad money making strategy. First you force everybody to buy your product and then you sell their data.

DoubleClick.net isn’t the only site that HealthCare.gov is sending user health information to. Akamai.net, Chartbeat.net, Clicktale.net, and many more are receiving this data.

Interestingly enough both the Democrats and the Republicans seem entirely unconcerned about this. The only thing they care about is the political dick measuring contest that has been going on between them since forever. But this violation of privacy has real world ramifications, especially since the advertisers receiving this data already have a great deal of data on many Internet users.
