Yet another social networking `feature’ of Facebook – this time apparently allowing Facebook users to be tracked when visiting sites, regardless of whether they clicked “Like”. This feature hit headlines due to privacy violations the feature raises when visiting the NHS Choices Web site.
According to data security specialist Imperva, although the feature raises concerns about social networking sites’ ability to track their users on third-party sites, what is really outrageous about the saga is the response of NHS mandarins to the problem.
The NHS page has included a script that is hosted on Facebook’s server. When the browser is retrieving the script it delivers all Facebook related cookies from the browser up to Facebook. These are correlated to the Facebook identity of the individual accessing the NHS site.
When this is combined with information from the “Referer ” header (which contains information about the actual pages visited), it allows Facebook to track NHS visits of Facebook users even without clicking the `Like’ button or being logged in.
But, when MP Tom Watson reportedly raised the security issue, back came the outrageous reply that the onus is on users to monitor their privacy on Facebook. Against this backdrop, that the NHS’ bald statement that, when users sign up to Facebook they agree the service can gather information on their Web usage, simply does not hold up.
It is outrageous that the NHS has put sole responsibility on the user while it is actually them who are the ones which are providing confidential information. Organisations need to take on some responsibility of privacy and security themselves rather than blaming it all on the users.