Earlier this week, it emerged that the White House's health insurance site, HealthCare.gov, was leaking information about visitors to ad networks.
The data sent to ad networks potentially included people's ZIP codes, income levels, and health-related information, like whether they smoked or were pregnant, according to reports by The Associated Press and Electronic Frontier Foundation.
The news understandably sparked controversy. “Health information is some of the most sensitive and personal information there is,” the EFF wrote in a blog post about the issue. “People's private medical data should not be available to third party companies without consent from the user. This practice is negligent at best, and potentially devastating for consumers.”
By today, however, the site was reconfigured so that it's no longer leaking the information, the AP reports.
The leakage -- which might have been accidental -- came via “referer headers,” or the HTTP header information that is often automatically transmitted to ad networks and other third parties.
Even if the transmissions were unintentional, Web developers really shouldn't be surprised that referer headers can compromise privacy. Internet pioneer Tim Berners-Lee warned back in 1999 that referer headers could leak data about users. Ten years later, two computer scientists from AT&T and Worcester Polytechnic Institute caused a stir by reporting that social networking sites leak users' personally identifiable information by including it in the referer headers.
In recent years, consumers have sued Facebook and Google for allegedly violating people's privacy by transmitting information about them via referer headers.
Google agreed to an $8.5 million settlement in that matter, but the deal hasn't yet been approved by the judge overseeing the case. Google also revised its practices. In the past, the company transmitted users' entire queries -- including users' names, if they conducted vanity searches -- when sending traffic to publishers. But Google now encrypts search traffic for all users who click on organic results.
The data-leakage case against Facebook remains pending in federal court in San Jose, Calif.
Meanwhile, browser developer Mozilla said this week it's aiming to come up with a way of reconfiguring referer headers to better protect users' privacy.
“HTTP Referer provides a wealth of information about where you came from to the sites you visit, but this context isn’t always necessary (or desired),” Mozilla security and privacy engineer Sid Stamm writes on the company's blog. “What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy invasive.”
He says that a beta version of Firefox 36 now supports a feature that allows users to better control what data is sent in the referer headers.
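
The referer-header leak described above, as an added example that is not part of the original article or any site's own code: it computes the Referer value a third party receives under each policy value defined in the W3C Referrer Policy specification, which goes beyond the single case reported here. The host names, query parameters and function names are constructed for illustration, and "downgrade" is simplified to HTTPS-to-non-HTTPS.

```javascript
// Added example: which Referer value reaches a third party under each
// referrer policy. URLs and parameter names are constructed sample values.
const PAGE = "https://insurance.example/plans?zip=12345&income=35000&smoker=1&pregnant=0#results";
const AD = "https://ads.example/pixel.gif";
const POLICIES = ["no-referrer", "origin", "same-origin", "strict-origin",
  "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "no-referrer-when-downgrade", "unsafe-url"];

// Returns the Referer string sent from pageUrl to targetUrl, or null if none.
function refererFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Fragment and credentials are never sent in a Referer header.
  page.hash = "";
  page.username = "";
  page.password = "";
  const full = page.href;               // path and query string included
  const originOnly = page.origin + "/"; // scheme, host and port only
  const sameOrigin = page.origin === target.origin;
  // Simplification: treat HTTPS -> non-HTTPS as the only downgrade.
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Names of the query parameters visible to whoever receives this Referer.
function leakedParams(referer) {
  return referer === null ? [] : [...new URL(referer).searchParams.keys()];
}

// Map each policy to the parameter names a third-party request would expose.
function audit(pageUrl, thirdPartyUrl) {
  const report = {};
  for (const policy of POLICIES) {
    report[policy] = leakedParams(refererFor(policy, pageUrl, thirdPartyUrl));
  }
  return report;
}

console.log(audit(PAGE, AD));
```

For the cross-origin request in this sample, only `no-referrer-when-downgrade` and `unsafe-url` expose the query string to the third party.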