1177.se, patients' privacy and scandalous privacy intrusion through website analytics

- my experience with the Swedish government health website 1177.se and the art of giving away patients' private data online

Posted by Mattias Axell on March 17, 2019

Update: The company Cookiebot released their report "Ad Tech Surveillance on the Public Sector Web - A special report on pervasive tracking of EU citizens on government and health service websites" on Monday March 18th, which has been written about in The Register and many other news outlets. The text below tells a story, connected to the report, about a Swedish government health website called 1177.

The 1177 scandal involving the government healthcare advice service became a well-known fact in Sweden some weeks ago. The technical supplier MediCall had, by "coincidence", made a "mistake" which leaked sensitive data. Unbeknownst to the supplier, hundreds of thousands of people's recorded calls to the support number at the 1177 website were accessible online to anyone, without any protection. The supplier provides the phone call support for citizens calling in for medical advice during inconvenient hours (night time in Sweden). They have their call center with nurses to support patients all the way over in Thailand. Apparently someone had connected a backup hard disk drive, out of "coincidence" and "mistake". A so-called Network Attached Storage (NAS) device, which is not supposed to be connected to the Internet, was now connected and shared all recorded calls online. This disk stored all sensitive recorded calls *without encryption*, which is a huge scandal in itself.

Unencrypted recorded calls is a scandal in itself

This obviously became big news in Sweden, however, only the part that they had unencrypted call recordings connected to the Internet and accessible online without any login credentials. What did not become news is the part that they actually stored and kept the phone calls unencrypted. This NAS and the unencrypted calls were accessible to an unknown number of people at their office. This in itself is a scandal so scandalous that it seems to have passed through the debate unnoticed. It also says something about the level of discernment and analysis from journalists and "experts". Too much scandal to handle.

During the following weeks is where I start getting confused. The procurer (public sector regional health agencies) said they were unsatisfied with the supplier but at the same time said that they would keep the contract. Quality assurance. Later on, I had caught a cold and suspected there might be something more to it, so I headed to the 1177 website. At this point, if I were 1177, with a calls scandal like this in my backpack, I would review all of my operations with patient safety, privacy and trust put first. Simply, patient first. Those key aspects are the core work of healthcare. What I figured out is that I care more about thousands of patients' privacy than 1177 does.

Yet another 1177.se scandal

However, when I go to 1177.se I notice that the website is using Google Analytics. For your information, Google is not a Swedish company. As a multi-national company out of the U.S., they also operate with offices in Stockholm, Sweden. Their business operations have nothing to offer that is in the best interest of Swedish patients. Their intention and business practice is solely to extract the users' (patients') data, organize it into their profiling system consisting of millions of people, and sell or give access to it to whoever pays. Some developers who use their infrastructure can apparently get access for free. In the case of the common patient in Sweden (and due to the criticized monopolistic control over Android and the Chrome browser preconfigured with Google's search engine), the patient has most probably used Google's search engine to search for help regarding the symptoms they are experiencing. The patient then probably visits many websites using Google Analytics, continuously building up a profile with sensitive data.

Now the patient heads on to 1177.se, where the public healthcare system continues to give away the patient's data. It only requires any of the simple privacy-focused Firefox add-ons like Privacy Badger, Disconnect, NoScript or AdNauseam and you can see that Google Analytics is in fact running on the website. It is sharing (i.e. selling) your data from the searches, the pages you visit about medical issues, symptoms you experience and diseases you might have, with Google and their extensive "partner" network. Is that healthcare?

No third-party cookies(?) but Google Analytics third-party tracking

I certainly do not know how many customers or developers connected to Google have used this data, only Google knows that - and another issue is that 1177.se does not inform about its use of Google Analytics, only about its website cookies. I also cannot remember signing up for anything with 1177.se that says they would sell my medical data. It says on the 1177.se website "1177 Vårdguiden använder inte så kallade tredjepartscookies." meaning that "1177 Careguide does not use so-called third-party cookies", but mentions nothing about the fact that they use commercial third-party tracking (Google Analytics & Tag Manager).
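The two previous sections make a point that is easy to miss: "we do not use third-party cookies" and "we do not send visitor data to third parties" are different claims, and a page can satisfy the first while failing the second, because Google Analytics sets its `_ga` cookie on the site's own domain while the tracking request itself goes to Google. The script below is an added example, written for this post and not code from 1177.se or its operator, of how a site owner (or a reviewer) can check their own pages for this. It scans a page's HTML for well-known analytics loaders and inline initialisation calls, and classifies each `Set-Cookie` header as first- or third-party using the browser's domain-match rule. The sample HTML, cookies and the `example-health.test` origin are constructed for the example; the `UA-XXXX-1` property id is a placeholder.

```javascript
// Added audit example (not from the 1177.se post or its operator): scan a page's
// HTML and its Set-Cookie headers for commercial analytics loaders and classify
// cookies as first- or third-party. SAMPLE_* values below are constructed.

// Well-known analytics / tag-management hosts. Any script loaded from one of
// these sends the visitor's IP address, page URL and referrer to that third party.
const TRACKER_HOSTS = {
  "www.google-analytics.com": "Google Analytics (analytics.js)",
  "ssl.google-analytics.com": "Google Analytics (analytics.js)",
  "www.googletagmanager.com": "Google Tag Manager / gtag.js",
};

// Inline initialisation calls that reveal a tracker even without a <script src>.
const INLINE_PATTERNS = [
  { re: /\bga\s*\(\s*['"]create['"]/, name: "Google Analytics init: ga('create', ...)" },
  { re: /\bgtag\s*\(\s*['"]config['"]/, name: "Google Analytics init: gtag('config', ...)" },
];

// Hostname of a (possibly relative) URL, or null if it cannot be parsed.
function hostOf(url, pageOrigin) {
  try { return new URL(url, pageOrigin).hostname; } catch (e) { return null; }
}

// External scripts loaded from tracker hosts, plus inline tracker initialisers.
function findTrackers(html, pageOrigin) {
  const found = [];
  const srcRe = /<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const host = hostOf(m[1], pageOrigin);
    if (host && TRACKER_HOSTS[host]) found.push({ kind: "script", host, name: TRACKER_HOSTS[host] });
  }
  // Only inline <script> bodies (no src attribute) are checked for init calls.
  const inlineRe = /<script\b(?![^>]*\ssrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    for (const p of INLINE_PATTERNS) {
      if (p.re.test(m[1])) found.push({ kind: "inline", host: null, name: p.name });
    }
  }
  return found;
}

// Classify one Set-Cookie header by its Domain attribute with the browser's
// domain-match rule: no Domain attribute means host-only (first-party); otherwise
// the page host must equal the domain or end with "." + domain to be first-party.
// (A public-suffix list would be needed to catch cookies set on e.g. ".co.uk".)
function classifyCookie(setCookie, pageHost) {
  const parts = setCookie.split(";").map((s) => s.trim());
  const name = parts[0].split("=")[0];
  const domainAttr = parts.slice(1).find((a) => /^domain=/i.test(a));
  if (!domainAttr) return { name, domain: pageHost, party: "first" };
  const domain = domainAttr.slice("domain=".length).replace(/^\./, "").toLowerCase();
  const first = pageHost === domain || pageHost.endsWith("." + domain);
  return { name, domain, party: first ? "first" : "third" };
}

// Full audit. The two booleans are independent: a site can have no third-party
// cookies at all and still ship every page view to a third-party tracker.
function audit(html, setCookieHeaders, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname;
  const trackers = findTrackers(html, pageOrigin);
  const cookies = setCookieHeaders.map((h) => classifyCookie(h, pageHost));
  return {
    trackers,
    cookies,
    noThirdPartyCookies: cookies.every((c) => c.party === "first"),
    thirdPartyTracking: trackers.length > 0,
  };
}

// Constructed sample page and response headers (not captured from 1177.se).
const SAMPLE_ORIGIN = "https://www.example-health.test/";
const SAMPLE_HTML = `<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-XXXX-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'UA-XXXX-1');
</script>
<script src="/static/site.js"></script>
</head><body><h1>Symptoms: sore throat</h1></body></html>`;
const SAMPLE_SET_COOKIE = [
  "_ga=GA1.2.111111111.2222222222; Domain=.example-health.test; Path=/; Max-Age=63072000",
  "sessionid=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax",
];

// Stand-alone run: prints the audit result as JSON.
console.log(JSON.stringify(audit(SAMPLE_HTML, SAMPLE_SET_COOKIE, SAMPLE_ORIGIN), null, 2));
```

On the constructed sample the audit reports `noThirdPartyCookies: true` and `thirdPartyTracking: true` at the same time: both cookies are first-party (the `_ga` cookie is scoped to the site's own domain), yet the gtag.js loader and the inline `gtag('config', ...)` call are both present. That is exactly the combination a "no third-party cookies" statement leaves out. To run it against a real page, feed it the fetched HTML, the response's `Set-Cookie` headers and the page origin; the script matching is by hostname, so adding further vendors is a matter of extending `TRACKER_HOSTS`.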

There are of course ways and approaches to protect oneself from this Google Analytics tracking (that no one wished for nor signed up to agree to), but it cannot be expected of every person in Sweden to do that. What one can expect from 1177.se and regional healthcare organizations, however, as a part of the abstract "social contract" between citizen and public sector, is that patient safety, security and wellbeing are as important in the digital world as in the non-digital one. This is certainly not the case with regional healthcare in Sweden today. Why is this and what is this a symptom of?

Why log or track at all - and why not use alternatives?

There is no need to even log the visits of visitors to 1177.se. A reasonable argument is that it goes against Swedish constitutional law on Freedom of Information (offentlighetsprincipen) that government websites log visits with personally identifiable information (such as IP addresses). It says in the constitution that everyone has the right to access government information on a completely anonymous basis. If a government website (or any website for that matter) is to track, log and analyze its visitors, there are privacy-friendly alternatives such as Matomo Analytics. It can be configured to consider the privacy aspects for visitors, costs nothing to use and is trustworthy through its free and open source code.
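To make "can be configured to consider the privacy aspects" concrete, here is an added example (not from the post, and not 1177.se's or Matomo's own code) that builds the Matomo tracker's command queue in two variants: the standard snippet from the Matomo install page, and a privacy-hardened one that disables tracking cookies and honours the browser's Do Not Track header. Matomo's `matomo.js` simply drains an array named `_paq` of `[command, ...args]` entries, so the queues can be inspected and compared without a browser. `matomo.example` and the site id `"1"` are placeholders; the `privacyReport` checker is my own addition, not part of Matomo.

```javascript
// Added example: Matomo tracker command queues, default versus privacy-hardened.
// Not from the 1177.se post; trackerBase and siteId are placeholders.

// The stock snippet Matomo generates: page views with persistent _pk_* cookies,
// so returning visitors are re-identified across visits.
function matomoDefaultCommands(trackerBase, siteId) {
  return [
    ["trackPageView"],
    ["enableLinkTracking"],
    ["setTrackerUrl", trackerBase + "matomo.php"],
    ["setSiteId", siteId],
  ];
}

// Privacy-hardened queue. disableCookies must precede trackPageView or the
// first page view is still recorded with a cookie. Server-side settings such as
// IP anonymisation and raw-data deletion live in Matomo's Privacy settings, not
// in this snippet.
function matomoPrivacyCommands(trackerBase, siteId) {
  return [
    ["disableCookies"],       // no _pk_* cookies: visits are counted, visitors are not re-identified
    ["setDoNotTrack", true],  // drop the request entirely when the browser sends DNT: 1
    ["trackPageView"],
    ["enableLinkTracking"],
    ["setTrackerUrl", trackerBase + "matomo.php"],
    ["setSiteId", siteId],
  ];
}

// Browser-only: publish the queue as window._paq and load matomo.js, which
// replays the queued commands in order.
function installMatomo(commands, trackerBase) {
  window._paq = window._paq || [];
  for (const c of commands) window._paq.push(c);
  const g = document.createElement("script");
  g.async = true;
  g.src = trackerBase + "matomo.js";
  document.head.appendChild(g);
}

// Review helper (my own, not part of Matomo): does a queue carry the settings
// that matter for visitor privacy, and in the right order?
function privacyReport(commands) {
  const idx = (name) => commands.findIndex((c) => c[0] === name);
  const dc = idx("disableCookies");
  const pv = idx("trackPageView");
  const dnt = commands.find((c) => c[0] === "setDoNotTrack");
  return {
    cookiesDisabled: dc !== -1,
    cookiesDisabledBeforePageView: dc !== -1 && pv !== -1 && dc < pv,
    honoursDoNotTrack: Boolean(dnt && dnt[1] === true),
  };
}

const TRACKER_BASE = "https://matomo.example/"; // placeholder: your own Matomo host
const SITE_ID = "1";                             // placeholder: site id from Matomo admin

if (typeof window !== "undefined") {
  installMatomo(matomoPrivacyCommands(TRACKER_BASE, SITE_ID), TRACKER_BASE);
} else {
  // Stand-alone (Node) run: compare the two queues.
  console.log("default :", privacyReport(matomoDefaultCommands(TRACKER_BASE, SITE_ID)));
  console.log("hardened:", privacyReport(matomoPrivacyCommands(TRACKER_BASE, SITE_ID)));
}
```

Keeping the tracker on a host the healthcare organisation itself operates is the other half of the argument in the text: with Matomo the page-view request goes to the organisation's own server, so there is no third party receiving the visitor's IP address and the list of symptom pages they read, and the raw data can be anonymised or deleted under the organisation's own retention policy.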

I want to believe that 1177.se and its owners are just not aware of the implications of their choices with Google Analytics. I want to believe that there is an organizational discrepancy between the people in the silo running the website, the marketing silo talking about "patient driven healthcare" and the people in the silo working with the patients on a daily basis. I want to believe that the organization just does not know about the damage that they do to the trust and relationship between the healthcare system and the patient. Giving away patients' data is not healthcare.