Two federal government Web sites that help people find AIDS-related medical services have begun routinely encrypting user data after years in which they let sensitive information – including the real-world locations of site visitors – flow onto the Internet unprotected.
Until the change, these sites had risked exposing the identities of visitors when they used search boxes to find nearby facilities offering HIV testing, treatment and other services, such as substance abuse and mental health counseling, say security experts. Government smartphone apps associated with one of the Web sites, AIDS.gov, also transmitted the latitude and longitude of users seeking services, after collecting those details from the phones of users.
The sites and apps did not themselves track visitors, but their data was handled in ways that could have enabled monitoring by employers, universities or others with access to the data flowing between individual devices – such as computers and smartphones – and the Internet. Even using a public wifi signal, offered by a coffee shop or airport, could have allowed a nearby hacker to learn that an individual user, wielding a particular type of smartphone, was seeking treatment for HIV or drug addiction.
Privacy advocates long have argued that routine encryption – using a popular protocol called SSL – should be standard for Web sites or apps handling potentially sensitive information, especially when it relates to personal medical concerns. Government officials, in response to questions posed by The Washington Post, said they came to agree that their sites created privacy risks for those seeking AIDS-related services.
“We started requiring SSL for the [services] Locator because we understood that information should be encrypted to protect privacy,” said Miguel Gomez, director of AIDS.gov. The site had been transmitting unencrypted location information of users searching for healthcare providers on the Web site since 2010. It had offered encryption as an option, for those who knew how to activate it, since last year.
Gomez said the site started automatically using encryption for all of its users on Oct. 22, the same day the Post first inquired about the issue, prompting an internal reconsideration of the site’s encryption practices. The site, run by the Department of Health and Human Services, also updated its related smartphone apps, adding automatic encryption to them as well.
Another site, which helps users locate HIV testing sites and is run by the federal Centers for Disease Control and Prevention, switched to automatic encryption on Tuesday, after months of planning, officials said. It had been transmitting the Zip codes of people seeking nearby test sites since 2009 without encryption. A spokeswoman said a planned upgrade of the site offered “an opportunity to add extra security controls.”
The security upgrades pleased privacy advocates, but they also expressed frustration that government sites handling potentially sensitive medical inquiries waited until 2014 to begin offering automatic encryption – something that for several years has been routinely available for online banking, shopping and many other online services. Federal rules governing healthcare privacy typically require the use of encryption when private institutions, such as hospitals or insurance companies, transmit personal medical information over the Internet.
The lack of routine encryption on AIDS.gov was first highlighted by security researcher Steve Roosa, a partner at law firm Holland & Knight, who discovered the issue when he was studying what privacy features are common for Web sites that handle information related to personal health concerns. He had guessed that AIDS.gov, given the history of stigma for people with the disease, would have protections that could be considered the gold standard in personal privacy. Roosa soon discovered he was wrong.
In an October report on the issue provided to the Post, Roosa noted that the Department of Health and Human Services enforces federal healthcare privacy rules – under the Health Insurance Portability and Accountability Act of 1986 – when personal medical information is handled by private entities. “It is somewhat shocking, and more than a little ironic, that HHS has opted not to adhere to its own standards here, when the failure to do so puts sensitive health information at risk,” Roosa wrote.
AIDS.gov was communicating with users “in the clear,” as unencrypted Internet traffic is called. That meant anybody monitoring the traffic could see the IP address of the device requesting information and also the subject matter. The “service locator” function on the Web site encouraged users to enter their Zip codes and also in some situations requested location information directly from users’ computers or other devices. The smartphone apps also collected location data from users' devices and transmitted it over the Internet.
The Web site did not use a cookie – a unique string of letters and numbers placed in browsers to track users – but it did allow the deployment of cookies by others that had widgets on the page. That included Facebook, Twitter, Google and Adobe, which provided links to social media sites, analytics and mapping services.
Roosa said that some of the cookies could have allowed outsiders with access to the Internet traffic to potentially identify individual users through a process called “de-anonymization.” That would have been particularly easy for the companies that placed the cookies, such as Facebook, he said.
“If Facebook were inclined to do that, they could do that very easily,” said Roosa during a demonstration of the vulnerabilities on AIDS.gov in October, before automatic encryption was added. The site stopped placing cookies for Facebook and others at the same time encryption was activated for all users.
When told that AIDS.gov had fixed these issues after the Post’s inquiry, Roosa said, “I’m tickled. I think it’s great.” But he also cautioned that the new privacy measures may not have gone far enough. Both sites still send queries to hosts – such as hivtest.cdc.gov and locator.aids.gov – whose Web addresses make their purposes clear to anybody monitoring the traffic. It would be easy, he said, to mask the nature of those sites by adopting coded proxy names, giving users more privacy when they seek information.
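The two exposure levels the article describes, as an added example that is not part of the original story or of either government site: in the clear, a passive observer on shared wifi reads the full request, including Zip code, coordinates and third-party cookies; over TLS only the server name remains visible, which is the residual concern Roosa raises about descriptive hostnames. The request, path and parameter names are constructed for illustration, not taken from the real sites.

```python
"""Added example (not from the article): what a passive on-path observer can
read from a service-locator request, with and without TLS."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample request; path and parameter names are hypothetical and
# only mirror the Zip code / latitude / longitude fields the article mentions.
PLAINTEXT_REQUEST = (
    b"GET /locator/search?zip=20009&lat=38.9170&lng=-77.0400 HTTP/1.1\r\n"
    b"Host: locator.aids.gov\r\n"
    b"Cookie: datr=constructed-third-party-cookie\r\n"
    b"User-Agent: ExamplePhone/1.0\r\n\r\n"
)

SENSITIVE_PARAMS = {"zip", "lat", "lng", "lon", "latitude", "longitude"}


def observer_view(request, over_tls, sni=None):
    """Return the fields an observer on the wire can read.

    Over TLS only the server name (from SNI or DNS) is exposed; in the clear
    the request line, query parameters and cookies are all readable.
    """
    if over_tls:
        return {"host": sni, "path": None, "params": {}, "cookies": {}}
    head = request.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("cookie", "").split(";") if "=" in c)
    return {"host": headers.get("host"), "path": parts.path,
            "params": params, "cookies": cookies}


def leaked_location(view):
    """Names of location-revealing parameters the observer obtained."""
    return {k for k in view["params"] if k.lower() in SENSITIVE_PARAMS}


def host_reveals_purpose(host, keywords=("hiv", "aids")):
    """Even over TLS, a descriptive hostname tells the observer which
    service the user is contacting (Roosa's remaining objection)."""
    return any(word in host.lower() for word in keywords)
```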
Providers of AIDS-related health services said they were concerned about the privacy of those seeking care but believed the same standards should apply, no matter the condition that prompts inquiries. “In this day and age, we don’t see any reason for HIV or STI service searches on government websites to be subject to a different privacy standard than searches related to other health conditions, such as searching for mammography or colonoscopy facilities, or information on treatment for cancer or mental health,” said Shawn Jain, a spokesman for Whitman-Walker Health, a Washington-based health center that specializes in treating AIDS and related health issues.
Privacy advocates, however, were appalled that a federal government that includes some of the world’s most advanced teams of cyber-warriors was often lax at adhering to basic security principles when it came to protecting its own systems – especially in those situations in which the privacy of users was at risk.
“We should be exasperated at the lack of security competence of so many branches of our government, when clearly that government does employ a lot of people who understand exactly how cyber-security works and how to break it,” said Peter Eckersley, technology projects director for the Electronic Frontier Foundation, a civil liberties group in San Francisco.