NHS Blood and Transplant operates websites in the NHS portfolio.
If you want an idea of how bad some of the rest of the NHS has been, have a look now (26/08/2018), as it still includes a lot of tracking and advertisers. NHS England and NHS Digital have removed some of the similar tracking.
The privacy policy and cookie policy do not explain the extent to which you are tracked and instead go as far as to lie and suggest you are not tracked.
NHS BT has user accounts, and therefore collects user data.
When they collect the data, they don’t protect it from the third-party advertiser JavaScript loaded on the same pages.
For example, Facebook can not only track that you’ve signed up to blood.co.uk from cookies, they have access to read your email, date of birth, ethnicity, name and maybe more (I haven’t explored all features).
“Cookies cannot be used to identify you personally” : a lie. One of the primary purposes of cookies is identification for authentication purposes.
“Analysing data, anonymously…” : misleading, as there is identifiable tracking too.
“We hold cookie information for 30 days before the cookie expires.” : but they also state below that they know some cookies are stored for one year.
Cookie details copied from the expanded parts:
Main Cookies
_utma, _utmb, _utam, _utmc, _utmz
Domains: nhs.uk, blood.co.uk, google.com
Lifespan: Up to six months
Purpose: NHSBT uses Google Analytics cookies to record information about which pages you have landed on and how you have navigated through the site. This data enables us to understand: - Which pages are most popular - Which pages people visit on the site - Which internet browsers are being used - How visitors prefer to use our websites - The information gathered is not shared with any other third party.
cookie, ASP.NET_SessionID
Domains: nhs.uk, blood.co.uk
Lifespan: session (a visit)
Purpose: This cookie is set to ensure the user does not have any disruption to their user experience while accessing an NHSBT website. This cookie holds no personal information, but helps us provide our users with an uninterrupted journey through the website.
sifrFetch
Domains: nhs.uk, blood.co.uk
Lifespan: session (a visit)
Purpose: This cookie is used for sIFR (Scalable Inman Flash Replacement) to display custom fonts. This cookie indicates whether the browser supports Flash and thus sIFR or not. It is deleted when the browser is closed.
nhsbt_user_cookie
Domains: Blood Donation digital service at blood.co.uk
Lifespan: 1 year
Purpose: Remembers a user’s name when someone has logged into their account.
sf
Domains: Blood Donation digital service at blood.co.uk
Lifespan: Cookie is deleted on browser closure
Purpose: Created when a location search is carried out before signing in. This enables the site to continue a search after login.
Purpose: adserver tags from DoubleClick are used to understand how people engage with government digital media campaigns. This functionality allows NHSBT to track clicks on adverts, such as the “sponsored links” found when you search for a subject on Google. The others are used by analytics to record information about which pages you have landed on and how you have navigated through the site. The privacy statements for each of these suppliers is available below:
fs_uid
Owner: Fullstory
Lifespan: session (a visit)
Purpose: FullStory is used to capture and record user experiences across the site helping NHSBT support customers and improve user experience. FullStory uses session replay which captures things like mouse movements, clicks, scrolling and swiping in order to understand behaviour. The FullStory recording script sets a single first-party cookie containing the end-user’s fs_uid (unique identifier) when recording activities on the site.
Google analytics cookies: _ga; _gid; _gat; _gac_<property-id>;
Domains: Google Analytics: Google Analytics is a simple, easy-to-use tool that helps website owners measure how users interact with website content. As a user navigates between web pages, Google Analytics provides website owners JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page. The Google Analytics JavaScript libraries use HTTP Cookies to “remember” what a user has done on previous pages / interactions with the website.
Lifespan:
_ga = 2 years; this specific cookie is used to distinguish users in relation to website interactions
_gid = 24 hours; this specific cookie is used to distinguish users in relation to website interactions
_gat = 1 minute; this specific cookie is not related to user information, it is used to limit the number of requests that are made to the tool. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>
_gac_<property-id> = 90 days; this cookie contains campaign related information for the user. If you have linked your Google Analytics and AdWords accounts, AdWords website conversion tags will read this cookie unless the user opts-out
_vwo_uuid_v2
Owner: Visual Website Optimizer
Lifespan: 100 days
Purpose: VWO is a website testing platform. It uses cookies to run tests and to track user information in relation to the tests. The cookies track the test variation a user has viewed and helps to serve the same variation to the user consistently, track goals completed by a user and determine whether a user is a part of the test. This cookie generates a unique ID for every visitor and is used for the report segmentation feature in VWO.
IPRO Cookies
Domain: Doubleclick
Purpose: Used to analyse and segment data for marketing purposes
There are more cookies than they admit, including advertising trackers
Facebook has access to user account data including Passwords
By replacing the Facebook JavaScript with a malicious script, I can extract form data.
You can see ethnicity data, date of birth, email address, password, name and blood donation id number are all made available to Facebook.
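An added example, not part of the original post: a defender-side audit of the exposure described above. Any script included on a page runs with that page's privileges and can read its form fields, so the check lists third-party script hosts on pages that contain sensitive inputs and records whether each carries a Subresource Integrity attribute. The field-name hints, the first-party domain list and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed name fragments for sensitive fields, based on the data listed above.
SENSITIVE_HINTS = ("pass", "email", "birth", "dob", "ethnic", "name", "donor")

class PageAudit(HTMLParser):
    """Collect external script URLs and sensitive form fields from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []  # (absolute src, has integrity attribute)
        self.fields = []   # names of sensitive inputs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            # urljoin resolves relative and protocol-relative (//host/..) URLs
            self.scripts.append((urljoin(self.page_url, a["src"]), "integrity" in a))
        elif tag in ("input", "select", "textarea"):
            label = (a.get("name", "") + " " + a.get("id", "")).lower()
            if a.get("type", "").lower() == "password" or any(h in label for h in SENSITIVE_HINTS):
                self.fields.append(a.get("name") or a.get("id") or a.get("type"))

def audit(page_url, html, first_party=("blood.co.uk", "nhs.uk")):
    """Return sensitive fields and the third-party scripts able to read them."""
    p = PageAudit(page_url)
    p.feed(html)
    third = []
    for src, has_sri in p.scripts:
        host = urlparse(src).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in first_party):
            third.append({"host": host, "src": src, "sri": has_sri})
    return {"fields": p.fields, "third_party": third,
            "exposed": bool(p.fields and third)}

# Constructed sample page (not a capture of the real site).
SAMPLE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
</head><body><form action="/register" method="post">
<input type="text" name="firstName"><input type="email" name="email">
<input type="password" name="pwd">
<select name="ethnicity"><option>...</option></select>
<input type="text" id="dateOfBirth">
</form></body></html>"""

if __name__ == "__main__":
    print(audit("https://www.blood.co.uk/register", SAMPLE))
```

A page reported as exposed is a candidate for moving the third-party tags off account and registration pages, or for a Content-Security-Policy that restricts script sources there.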