HealthCare.gov gives trackers info on pregnancy, income and more

The U.S. government’s healthcare insurance sign-up site HealthCare.gov is quietly handing over deeply personal information to advertising and social networks, according to a Tuesday Associated Press report.

The Electronic Frontier Foundation (EFF) followed up by checking out what’s being passed on, and discovered it includes things like pregnancy status, income level, ZIP code, smoking status, parental status and age. The information is being sent in the referrer header, which tells resources requested from within HealthCare.gov which page the request is coming from. It’s also sometimes “embedded in the request string itself,” the EFF said.

The EFF found that the information is being sent in both the referrer header and request string to analytics sites Chartbeat and Optimizely, Google’s DoubleClick ad service, and Google itself. Personal-data-rich referrer headers are also finding their way to services such as Twitter, Yahoo, YouTube, Akamai and – according to AP – Facebook. HealthCare.gov does this even if the user has turned on Do Not Track.
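How much of a page URL reaches a third party through the referrer header depends on the page's Referrer-Policy. The following is an added example, not code from HealthCare.gov, the EFF or AP; the URLs and query parameter names are constructed, and the downgrade check is simplified to HTTPS versus non-HTTPS.

```javascript
// Constructed sample: a results page whose URL carries answers from a form,
// and a third-party resource it loads. Parameter names are assumptions.
const PAGE = "https://www.healthcare.example/see-plans/results" +
  "?zip=00000&age=40&smoker=1&pregnant=1&income=35000";
const THIRD_PARTY = "https://tracker.example/collect.js";
const SENSITIVE = ["zip", "age", "smoker", "pregnant", "income"];

// Referrer serialisation: drop credentials and fragment, or keep origin only.
function strip(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Referer value sent for a request from pageUrl to requestUrl (null = none).
// Simplification: "downgrade" here means HTTPS page to non-HTTPS request.
function refererFor(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return strip(pageUrl, false);
    case "origin": return strip(pageUrl, true);
    case "same-origin": return sameOrigin ? strip(pageUrl, false) : null;
    case "origin-when-cross-origin": return strip(pageUrl, !sameOrigin);
    case "strict-origin": return downgrade ? null : strip(pageUrl, true);
    case "no-referrer-when-downgrade": return downgrade ? null : strip(pageUrl, false);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(pageUrl, false);
      return downgrade ? null : strip(pageUrl, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Sensitive query parameters a recipient can read out of the Referer.
function leakedParams(referer) {
  if (!referer) return [];
  const q = new URL(referer).searchParams;
  return SENSITIVE.filter((k) => q.has(k));
}

for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  const ref = refererFor(p, PAGE, THIRD_PARTY);
  console.log(p, "->", ref, leakedParams(ref));
}
```

A Referrer-Policy only governs the header; values that page scripts place in the request URL itself are sent regardless of the policy.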

HealthCare.gov spokesman Aaron Albright told AP that outside vendors “are prohibited from using information from these tools on HealthCare.gov for their companies’ purposes,” and they’re only there for site performance measurement purposes. There is indeed no evidence of the data being misused.

However, experts questioned why the likes of Facebook and Google had to get this information. (Google itself denied allowing its systems to target ads based on medical history information.) As the EFF’s Cooper Quintin pointed out, there are enormous opportunities for a service like DoubleClick to match up the data with other tracking information about the target. He also noted that the use of third-party resources creates more of an “attack surface” that hackers could use to gain access to the site.

Google could face €15M privacy fine in the Netherlands

Google has been threatened with yet another fine in Europe over its cavalier approach to EU privacy laws. However, while previous fines levied by national data protection regulators have maxed out at around €1 million, the Dutch privacy watchdog is talking about a fine of up to €15 million ($19 million) for Google’s illegal combination of user data across various services without properly informing users of what’s being done or asking their permission. It’s still enough for the company (2013 revenues: $16.86 billion) to shrug off, but at least it no longer qualifies as chump change. Maybe it will actually start complying with the law. Or maybe not.

Google’s cars return to German roads, but not for Street View

Yesterday, when I was walking down to my local Berlin food market at lunchtime, I saw a child pointing at a strange but familiar vehicle rolling down the road. It looked like a Google Street View car – which was a surprise, as Google hasn’t been collecting Street View imagery in Germany since 2011.

As I subsequently learned, Google did indeed put its cars back on German roads this week. However, it’s only using them to keep Google Maps up to date, ensuring that the service is showing the correct street names and routing information. Street View remains off the menu.

Germans can be a tad touchy about privacy, and many objected to the rollout of Street View in the country. Even after Google started automatically blurring faces and number plates, it was forced to give Germans the option of having their houses blurred out as well – something hundreds of thousands of people took the firm up on.

However, this was a costly business, with Google needing to hire temporary workers to manually blur out selected buildings. It also didn’t stop people trying to sue the U.S. company over alleged privacy infringement. So, in 2011, Google said it was giving up on Street View in Germany – the pre-existing images remain online, but they haven’t been updated in three years.

In a recent post, Google said its cars would be back on the road from the start of December in the following cities: Berlin, Hamburg, Munich, Cologne, Frankfurt, Stuttgart, Dusseldorf, Dortmund, Essen, Bremen, Leipzig, Dresden, Hanover, Nürnberg, Duisburg, Bochum, Wuppertal and Bielefeld.

The idea is to expand coverage to other regions of Germany in 2015. However, the post stressed:

“We know there is great interest in our camera cars. They are the same cars that we used in the past to take images for Street View. In the coming journeys, we will only use the images to improve Google Maps, and we have no plans to release them.”

As much of a privacy fan as I am, I’ve always found the German reaction to Street View to be somewhat over-the-top. If you can see a building façade from the street, I see no reason why it shouldn’t be shown online too, in what is frequently a very useful service.

With the images being so out of date now, they’re frequently useless if you’re trying to remember which restaurant it was you liked so much on that one street. The house-blurring technique that Google tried would also have annoying knock-on effects: If one person in an apartment block wanted the frontage obscured on Street View, everyone else would have to live with that too, like it or not.

Still, Google’s not the only one to find pain in trying to provide useful street imagery. Its Russian rival, Yandex, encountered an amusing conundrum when creating its version of Street View in Turkey. Yandex’s system also automatically blurs out faces, but Turkey is full of images of the statesman Kemal Ataturk, whose visage it is illegal to desecrate. That meant the Russian firm had to go through all of its street imagery to manually un-blur Ataturk’s face wherever they could find it.

Why the EU’s “right to be de-linked” should not go global

Google and other search engines should remove links to out-of-date or unwelcome personal information from all of their search results around the world – not just in specific European countries – when people in Europe ask for them to be taken down and there’s no good reason not to, EU data protection officials have decided.

Salesforce opens first European data center in UK

Salesforce.com has taken the wraps off its first EU-sited data center in Slough, England, little more than a week after Amazon opened up its second European facility in Frankfurt. The SaaS CRM giant will also open two data centers in France and Germany next year, with all three being powered by renewable energy sources. Apart from offering lower latency to European businesses, going local in the EU also makes life easier from a compliance point of view – sensitive customer information, for example, should ideally stay within European borders, or even national borders when it comes to countries like Germany that have strict data protection regimes.