The Magazine

Bye-Bye, Privacy

The other problem with HealthCare.gov.

Nov 18, 2013, Vol. 19, No. 10 • By JONATHAN V. LAST
Widget tooltip
Audio version Single Page Print Larger Text Smaller Text Alerts

Those are just the problems concerned with how HealthCare.gov handles your account and whatever information is contained therein. And however worrisome these failures are, presumably they can be fixed. (Some already have been.) The rest of the iceberg is much scarier.

For instance, like many websites, HealthCare.gov doesn’t just push information back and forth between itself and individual users. In certain circumstances, it allows third parties to participate, too. For example, HealthCare.gov uses third-party clients to keep analytics on usage of the site. HealthCare.gov’s privacy statement explicitly says that “no personally identifiable information” will be shared with these third-party vendors. But Simo found that when you activate an account or reset your password, your information is sent to the third parties, too.

And the flow of information with third-parties is a two-way street. Not only does HealthCare.gov share information about users with some third parties​—​either by accident or design, who knows?​—​but when a HealthCare.gov user is on another site, that site may take their information and share it with HealthCare.gov. As the Obamacare website warns users, “If you have an account with a third-party website and choose to ‘like,’ ‘friend,’ follow, or comment, certain [personally identifiable information] associated with your account may be made available to HealthCare.gov based on the privacy policy of the third-party website and your privacy settings within that website.” The love affair between Big Silicon and Big Government continues apace.

Simo acted as a true white hat in all of this: Every time he uncovered a breach, he alerted HealthCare.gov’s customer service. He even went to the trouble of finding a back channel to the HHS web team so that he could get information directly to them. And as a public service, he posted extensive accounts of all the problems he found. It was the kind of beta testing HealthCare.gov should have undergone last year. For his trouble, during her congressional testimony, when Sebelius was asked about the problems Simo had uncovered, she dismissed him as a “skilled hacker” who had tried to attack the site.

The reason Simo was so persistent is that if a malicious hacker had gained access to a HealthCare.gov account, he would gain access to an enormous amount of personal information: your name, address, email, phone number, birth date, income, marital status, and much, much more.

All of these privacy problems are technical in nature, the result of both poor design and poor execution. Yet the biggest privacy concern is systemic: By sending your information hither, thither, and yon​—​from HealthCare.gov to the state exchanges to individual plans, each of which will use third-party applications​—​users have geometrically increased the exposure of their information. And not just to hackers. As Michael Astrue put it in The Weekly Standard when he first sounded the alarm:

With HHS’s convoluted patchwork of contractors, including the data centers of “the cloud,” tens of thousands of people have now gained access to our personal data. The churning of marginal employees through the lowest bidders of “the cloud” particularly increases the risk of massive disclosures like those that Edward Snowden recently inflicted on the intelligence community and Bradley Manning inflicted on the military. Our greatest vulnerability may not be the hardware or the software, but the integrity of the contractors who use these tools.

There is a saying in the programming world: With 10,000 eyes, all bugs are shallow. This little Zen koan gets at one of the immutable rules of writing code: If you have enough testers and programmers, you can untangle any mistake. HealthCare.gov may be the exception that proves the rule.

Jonathan V. Last is a senior writer at The Weekly Standard.

Recent Blog Posts