U.S. Agencies Improve Privacy for HIV/AIDS Sites
November 13, 2014
Two federal government websites that help people locate HIV services have only recently begun to routinely encrypt user data, The Washington Post reported. The newspaper did not report any known breaches of information, but quoted a security expert who cautioned that new privacy measures may not go far enough.
Until recently, these websites had risked exposing the identities of visitors searching for HIV testing and treatment services, according to the Post. It reported that AIDS.gov smartphone apps also transmitted the latitude and longitude of users seeking HIV services.
"The sites and apps did not themselves track visitors, but their data was handled in ways that could have enabled monitoring by employers, universities or others with access to the data flowing between individual devices -- such as computers and smartphones -- and the Internet," Craig Timberg wrote in the Post. "Even using a public wifi signal, offered by a coffee shop or airport, could have allowed a nearby hacker to learn that an individual user, wielding a particular type of smartphone, was seeking treatment for HIV."
Privacy advocates have long argued that routine encryption should be standard for websites and apps handling potentially sensitive information, especially when it relates to personal medical concerns, the article said.
One of the two sites, AIDS.gov, introduced routine encryption on Oct. 22. The website had reportedly been transmitting unencrypted user location data since 2010.
Managed by the U.S. Department of Health and Human Services (HHS), AIDS.gov also added automatic encryption to its smartphone apps, according to the Post article.
A second government website, managed by the Centers for Disease Control and Prevention (CDC), had reportedly been transmitting the ZIP codes of people seeking HIV testing since 2009 without encryption. It adopted automatic encryption last week after months of planning, the Post reports. The Post did not name the website.
The lack of routine encryption on AIDS.gov was first highlighted by security researcher Steve Roosa, a partner at law firm Holland & Knight, who stumbled upon the issue while looking at privacy features for websites that handle information related to personal health concerns, according to the Post.
"He had guessed that AIDS.gov, given the history of stigma for people with the disease, would have protections that could be considered the gold standard in personal privacy," the Post reported. "Roosa soon discovered he was wrong."
Roosa told the paper that he was pleased that privacy concerns had been addressed, but that the new measures may not go far enough.
"Both sites still send queries to sites -- such as hivtest.cdc.gov and locator.aids.gov -- whose Web addresses made clear their purposes to anybody monitoring the traffic," he explained, adding that the nature of the sites could be masked through the use of coded proxy names to give more privacy to information-seekers.
Katherine Moriarty is a consultant and freelance writer, based in Vancouver. She has 10 years of experience in the intersecting fields of public health and community development, with a focus on bloodborne virus policy and programming.
Copyright © 2014 Remedy Health Media, LLC. All rights reserved.
This article was provided by TheBody.
Add Your Comment:
(Please note: Your name and comment will be public, and may even show up in
Internet search results. Be careful when providing personal information! Before
adding your comment, please read TheBody.com's Comment Policy.)