New Privacy Updates/Improvements at HealthCare.Gov

A couple of weeks ago I wrote about a "new" Scary Headline® story from the AP about cybersecurity at the federal ACA exchange, HealthCare.Gov.

My entry was about how the AP utterly misrepresentated the actual security situation a year ago, then compounded their mistake (I'll be gracious and assume it was done out of ignorance, not malice) a year later in their follow-up story. As for the actual HC.gov security situation, the short version was:

• As part of a security audit over a year ago, the U.S. Inspector General's office had "white hat" hackers attempt to break into HC.gov.
• NONE of the attempts worked; they were all blocked by the system's defenses.
• However, they did find some other security issues and make various recommendations about best practices, etc. to tighten things up.
• Their major recommendations/improvements were made at HC.gov within a few weeks of the initial report.
• A year later, the final Inspector General report stated that all of their recommendations had been fully implemented.

...which brings me to this press release from Kevin Counihan, CEO of HealthCare.Gov, via the CMS Dept. blog this morning (emphasis mine):

Protecting Your Information at HealthCare.gov
OCTOBER 9
By Kevin Counihan

The third year of Open Enrollment is just around the corner. Starting November 1, you’ll be able to enroll or re-enroll in quality and affordable coverage at HealthCare.gov. Over the last several months, we’ve been working hard to make the consumer experience even better this year – learning about what information you need to make decisions and how to improve the help and support we provide throughout the enrollment process. An important part of that is continuing to protect your privacy when you’re shopping for health coverage.

We’re committed to providing you with the opportunity to personalize your experience. Here are a few of the updates you can expect from HealthCare.gov. Today, we launched a simple way to give you more control over the information you choose to share with us – a new privacy manager. We’re also supporting the Do Not Track browser setting for our digital advertising. And, you can check out our updated privacy notice to learn more about these tools and to understand the steps we’ve taken to protect your privacy. We tried to make the policy easy to navigate while also being a lot more specific.

CLARIFICATION: It's important to note, as Scott Belsky noted, that security and privacy, while connected, aren't quite the same thing. The security story up top relates to protecting HC.gov data from being accessed by unauthorized third parties. The privacy features announced today have to do with controlling what sort of data HC.gov itself receives when you visit their website.

(As an aside, Do Not Track is an optional setting which you have to enable on your browser; here's info on how to enable it on your browser. Note that it doesn't always work, but it's still a good thing that HC.gov is supporting it). As Google Chrome's browser notes:

Enabling "Do Not Track" means that a request will be included with your browsing traffic. Any effect depends on whether a website responds to the request, and how the request is interpreted. For example, some websites may respond to this request by showing you ads that aren't based on other websites you've visited. Many websites will still collect and use your browsing data - for example to improve security, to provide content, services, ads and recommendations on their websites, and to generate reporting statistics.ˆ

We know privacy is important to you when you use the web. In the process of signing up for health care coverage, you may provide us with personal information. For instance, you may enter your email address so that you can stay up to date with announcements and alerts from HealthCare.gov and learn about your affordable health coverage options. When you sign up for health care coverage, you provide information such as your name, Social Security number, and income so that we can verify your eligibility to purchase coverage. We take protecting this type of personal information very seriously and only use it to help you get – and keep – your coverage.

Like all other websites, we receive some information automatically when you read, browse, or download information from HealthCare.gov. This is information that your web browser sends when you browse the internet – such as your domain, IP address, type of device, and date and time you visited. We use this information to better understand how the site is being used – and to learn about how we can make it more helpful.

We also employ commonly used web tools like Google Analytics to analyze HealthCare.gov’s technical performance, as well as to facilitate, enhance, and measure the effectiveness of our digital advertising outreach efforts. These tools can help us do things like understand which pages on our website need improvement, to increase the speed and functionality of HealthCare.gov and make the site more useful to consumers. You can learn more about each of the third-party tools currently in use by reviewing our privacy notice.

It's depressing that the Mr. Counihan felt the need to explain that the above information (and more) is automatically provided to every website you visit. Depressing because plenty of those opposed to the ACA have attempted to turn this simple truth of the internet into some sort of "invasion of privacy!" scandal. The truth is, aside from personally-identifying info such as social security numbers, birthdates and the like, I probably have nearly as much general information about visitors to ACASignups.net as CMS does on visitors to HC.gov.

For instance, here's an ACASignups.net visitor, picked completely at random, from a couple of days ago:

I've blurred the IP address given the circumstances, but as you can see, someone in the Oval Office (yes, it even includes the latitute & longitutde) visited this site at 6:36pm EST on Wednesday, 10/7/15. They were referred to the site from a Washington Post article by Greg Sargent and spent about 1 minute reading my blog post, using a Windows 7 machine running Google Chrome version 45.0, with a moniter resolution of 1680x1050.

This sort of information is available to most website developers/hosting providers from most of their visitors. Some of the info can be masked by using various tools on the visitor side, but the point is that there's absolutely nothing "scary" or unusual about it regardless of whether it's a one-man blog or a complex government website.

There’s one tool, our new privacy manager, which we want to make sure you know about. This simple tool makes it easy for you to opt-in or out of the different types of third-party tools used by HealthCare.gov – Advertising, Analytics, or Social Media. If you choose to opt-out, you’ll still have access to everything on the site, but we won’t use information from your visit to analyze the site’s technical performance or use digital advertising to remind you about helpful information like deadlines. You can check out the privacy manager now by clicking on “Privacy Settings” at the bottom of HealthCare.gov.

I tried out the new "privacy manager". I was actually a bit confused about where to find it; I assumed it would be listed in my Profile Settings after I logged in, but it turns out that it's purely browser-related; the (very small) link is at the very bottom-right corner of the home page at HealthCare.Gov itself:

When you click it, you're given the option to turn session visit data for three different areas: Advertising, Web Analytics and Social Media:

Note that I'm pretty sure this will only apply to that particular browser on that particular computer, and if you ever have to clear your browsers cookies/etc, you may have to reset these...if it's really that big of a deal to you, which for most people it likely won't be.

In addition, if you have Do Not Track enabled in your browser, we’ll automatically observe your preferences related to digital advertising from HealthCare.gov.

The internet is constantly changing, and we have an obligation to keep evolving alongside it. We’ll keep reevaluating our own privacy notice, the tools we use, and how they intersect with the evolving landscape of privacy on the web. We are committed to protecting the information you entrust with us at HealthCare.gov.

We wish you a great shopping experience this year.

This sort of improvement may not seem like much, but it's another sign that the HC.gov team has learned a tremendous amount over the past two years. Kudos to them.