Monday, October 14, 2013

Obamacare Website Source Code: "No Reasonable Expectation of Privacy"

    The launch of the federal government's Obamacare insurance exchange, Healthcare.gov, has been plagued with delays, errors, and poor website design, prompting USA Today to call it an "inexcusable mess" and a "nightmare".  Now comes another example of why the website's reputation is in tatters.  Buried in the source code of Healthcare.gov is this sentence that could prove embarrassing: "You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system."  Though not visible to users and obviously not intended as part of the terms and conditions, the language is nevertheless a part of the underlying code for the "Terms & Conditions" page on the site.
    After creating an account on Healthcare.gov, users are asked to click an "I accept" button under some routine Terms & Conditions prohibiting unauthorized attempts to upload information or change the website.  Once users click the button, they may proceed to shop for insurance and enter detailed personal information.  However, when the Terms & Conditions page is visible, the hidden sentence mentioned above along with several others can be seen by using a web browser's "View Source" feature.  A screen grab below shows the visible Terms & Conditions page along with a simultaneous view of the code underlying it:

    The full portion of the code which does not appear on the visible page displayed for users reads as follows:
You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system.  At any time, and for any lawful Government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system.  Any communication or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. [The sentence beginning "To continue" also appears again, but is only visible once on the page as displayed for users.]
    It is unclear why these sentences appear in the code at all since they are not displayed, although the code may simply have been copied from another website that does use the full warning.  In this case, the unwanted portion of the warning was rendered inert with HTML comment tags ("<!--" and "-->"), usually used by programmers for inserting comments to explain the purpose of a section of code.  The commented-out text is still sent to every visitor's browser, which is why it shows up under "View Source", and the code can be rendered "live" again by simply removing those tags, in which case the full text would appear on the screen to users.  Still, it is unclear why the paragraph containing "no reasonable expectation of privacy" would ever have even been considered appropriate in this context.
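The check a site owner could run before publishing, to see what text is served inside HTML comments but never displayed, is sketched below. It is an added example, not code from Healthcare.gov or from the original article; the sample page and the names `CommentAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the page described above; it is not the
# actual Healthcare.gov markup.
SAMPLE_PAGE = """<html><body>
<h1>Terms &amp; Conditions</h1>
<p>Unauthorized attempts to upload information or change the website are prohibited.</p>
<!-- <p>You have no reasonable expectation of privacy regarding any communication
or data transiting or stored on this information system.</p> -->
<p>To continue, click "I accept".</p>
</body></html>"""


class CommentAudit(HTMLParser):
    """Separates text a browser renders from text parked inside <!-- -->."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible = []   # text nodes the user sees
        self.hidden = []    # text shipped to the client inside comments

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            self.visible.append(text)

    def handle_comment(self, data):
        # Commented-out markup is still markup: parse it again so the report
        # shows the words a reader of "View Source" would see, without tags.
        inner = CommentAudit()
        inner.feed(data)
        inner.close()
        text = " ".join(inner.visible) or " ".join(data.split())
        if text:
            self.hidden.append(text)


def audit(html):
    """Return (visible_text, commented_out_text) for one HTML document."""
    parser = CommentAudit()
    parser.feed(html)
    parser.close()
    return parser.visible, parser.hidden


if __name__ == "__main__":
    visible, hidden = audit(SAMPLE_PAGE)
    for text in hidden:
        print("served but not displayed:", text)
```
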
    The phrase "no reasonable expectation of privacy" is actually a stock phrase used in the terms and conditions of many government websites and information systems, but those who are entering personal, medical and financial information at Healthcare.gov may not find that fact reassuring.  An email sent on Thursday, October 10, requesting comment from the Department of Health and Human Services, the agency responsible for the website, has not yet been returned.

Note: A version of this article first appeared at The Weekly Standard.

1 comment:

  1. I would advise people to Google the following:

    "no reasonable expectation of privacy" inurl:gov

    And then see the list of government sites that use the same exact legalese.

    And that is what it is, legalese used not just on government sites but on commercial sites as well. This does NOT in any way invalidate HIPAA or any other regulations regarding the handling of that information.

    But for those concerned, they also had best not use any Google services whatsoever because the same legalese also appears there. And that affects millions more than likely most of the gov sites put together.

    There are plenty of legitimate criticisms of the site rollout, but the endless rumors or manufactured information is not helping anyone and hurting innocent people. I've seen someone posting false information about Social Security Numbers being sent in clear text, and it took two seconds for people in the field to point out the information was already secured with SSL and not only was it a non-issue, but the person was spreading false information.

    As a fellow libertarian-leaning conservative I'm disappointed in this and hope that journalists help set the record straight rather than adding to the confusion.