Federal sites leaked the locations of people seeking AIDS services for years

By Craig Timberg

Two federal government Web sites that help people find AIDS-related medical services have begun routinely encrypting user data after years in which they let sensitive information -- including the real-world locations of site visitors – onto the Internet unprotected.

Until the change, these sites had risked exposing the identities of visitors when they used search boxes to find nearby facilities offering HIV testing, treatment and other services, such as substance abuse and mental health counseling, say security experts. Government smartphone apps associated with one of the Web sites, AIDS.gov, also transmitted the latitude and longitude of users seeking services, after collecting those details from the phones of users.

The sites and apps did not themselves track visitors, but their data was handled in ways that could have enabled monitoring by employers, universities or others with access to the data flowing between individual devices – such as computers and smartphones – and the Internet. Even using a public wifi signal, offered by a coffee shop or airport, could have allowed a nearby hacker to learn that an individual user, wielding a particular type of smartphone, was seeking treatment for HIV or drug addiction.

Privacy advocates long have argued that routine encryption – using a popular protocol called SSL – should be standard for Web sites or apps handling potentially sensitive information, especially when it relates to personal medical concerns. Government officials, in response to questions posed by The Washington Post, said they came to agree that their sites created privacy risks for those seeking AIDS-related services.

more
http://www.washingtonpost.com/blogs/the-switch/wp/2014/11/07/federal-sites-leaked-the-locations-of-people-seeking-aids-services-for-years/