Sunday, November 3, 2013

Obamacare Website Source Code Revised to Remove "No Reasonable Expectation Of Privacy" After Sebelius Testimony

    When Kathleen Sebelius testified at a Congressional hearing on Wednesday, she acknowledged the presence of a worrisome statement included in the source code of Healthcare.gov and promised that work was already underway to remove it.  A search of one portion of the code later on Wednesday revealed that the revision was at least partially complete.  The "no reasonable expectation" statement is gone from a large section of code where it had previously appeared.  Repeated attempts on Wednesday to verify that the code had been revised on the specific page where users are asked to accept the privacy policy were unsuccessful due to a system outage at Healthcare.gov for much of the day. However, Thursday morning, a successful logon revealed the statement has been removed there as well:


    As THE WEEKLY STANDARD first reported two weeks ago:
Buried in the source code of Healthcare.gov is this sentence that could prove embarrassing: "You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system."  Though not visible to users and obviously not intended as part of the terms and conditions, the language is nevertheless a part of the underlying code for the "Terms & Conditions" page on the site.
    Representative Joe Barton (R-TX) confronted Cheryl Campbell, senior vice president of CGI Federal Inc., one of the main contractors responsible for coding the site, about the language last week and she declined to take responsibility for including it, but said that it was a matter for the Centers for Medicare and Medicaid Services (CMS) to address.  Wednesday, Rep. Barton took up the question with Sebelius, the head of Health and Human Services (HHS) of which CMS is a part.  The Washington Free Beacon reported on Sebelius's response:
“It is my understanding that that is boilerplate language that should not have been in this particular contract because there are — the highest security standards in place and people have every right to expect privacy,” Sebelius said to Rep. Joe Barton (R., Texas). 
Sebelius assured Barton that the language would be removed saying, “we have had those discussions with CGI [Federal] and it is underway. I do absolutely commit to protecting the privacy of the American public and we have asked them to remove that statement.”
    Sebelius's response is a tacit admission from the federal government that the inclusion of the statement posed a legitimate privacy concern, a position not shared by Rep. Frank Pallone (D-NJ) who uttered his widely reported "monkey court" remark in response to Rep. Barton's inquiry at last week's hearing.
    The removal of the inappropriate privacy-related code is not the only revision made recently at the Obamacare website.  Earlier this week, copyright language was restored to an open-source script that was used by programmers at Healthcare.gov without proper attribution.  The change followed a mid-October report by THE WEEKLY STANDARD on the license violation.


Note: A version of this article first appeared at The Weekly Standard.

No comments:

Post a Comment