undefined | Better HN

0 pointsscintill7611y ago0 comments

Here's the full URL, which was embedded into another URL:

  https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&step=4

Looks like a plausible search URL from a <form> element with GET. Putting it into the querystring instead of a POST body is a bit surprising, but I think not utterly negligent. Then some Javascript code (maybe not even healthcare.gov's in-house code) looked at window.location.href and put it into another URL, and nobody noticed or stopped it. That is negligent, but more understandable, and fair to presume as unintentional, I think.

There's plenty to be legitimately upset about here, but your comment ("specifically code the application to concatenate") seems to imply the code has something outrageous like "&pregant="+currentUser.pregnant+"&smoker="+currentUser.smoker somewhere, without you giving any evidence that's the case.

0 comments

8 comments · 1 top-level

Turing_Machine11y ago· 7 in thread

"Putting it into the querystring instead of a POST body is a bit surprising, but I think not utterly negligent."

Putting sensitive data into query strings has been considered bad practice for a very long time. To name just one problem among many, it goes into the browser history.

nikcub11y ago

You see it all the time though - it is either implemented that way from the outset, or when setup with a proper POST then someone in testing files a feature request or bug that says "when I bookmark the search page or email the link the search results reset - we need to be able to link to a results page" and wa-la.

It suggests that this data was surfaced accidentally and DoubleClick may not have been interpreting the actual parameters. Either way, it is horrible - there shouldn't be any ad networks or third-party requests within a domain scope that is handling health data.

err4nt11y ago

   "when I bookmark the search page or email the link the search results reset - we need to be able to link to a results page" and wa-la.

Wallah = 'By Allah's Name' in arabic

Voilà = Literally 'See' + 'There' in French

Only Americans seem to confuse these two words.

2 more replies

scintill76OP11y ago

Yes, it's hard to argue against that. I didn't focus on it because the privacy harm of leaking to third parties seems greater than that caused by the URL going into browser history or server logfiles (the most relevant concerns I see.)

This doesn't excuse them, but it's interesting to consider that probably tens of thousands of sensitive Google, etc. searches per day go into query strings. I guess the difference is that Google doesn't know if your freeform search is sensitive, whereas a "Pregnant?" checkbox is known to be sensitive. But maybe general search engines should not be using query strings either, just in case.

Turing_Machine11y ago

Browser history could be a problem if, say, family member #1 (pregnant, but hasn't disclosed it) signs up right before family member #2 (who doesn't know about the pregnancy, and who family member #1 doesn't want to know about the pregnancy).

Then there's the issue of public computers, which people signing up for Obamacare may well be more likely to use (I don't know that for a fact, but it seems plausible... I know in my area they've had workshops where you come in and someone helps you sign up using a public machine).

skwirl11y ago

Given that these requests are using HTTPS (not that a non-secure POST is any better than a non-secure GET in that regard), could you give some other issues aside from the browser history issue?

zaroth11y ago

Query parameters are public data. They are sent along with every single request from your browser to 3rd parties which is launched from the page! Analytics, image downloads, click-throughs, everything. I think browser history and server logs are actually the lesser evil here.

These query parameters in particular are not search terms, they are PHI you enter to determine the rates you will pay for health insurance. They are basically all the key parameters besides the age of household members which determine the price you will pay for a given insurance plan.

Turing_Machine11y ago

The other big one (as another poster noted below) is server log files. Those may be accessible to someone who shouldn't necessarily have access to the data.

j / k navigate · click thread line to collapse

0 comments

8 comments · 1 top-level

Turing_Machine11y ago· 7 in thread

"Putting it into the querystring instead of a POST body is a bit surprising, but I think not utterly negligent."

Putting sensitive data into query strings has been considered bad practice for a very long time. To name just one problem among many, it goes into the browser history.

nikcub11y ago

err4nt11y ago

   "when I bookmark the search page or email the link the search results reset - we need to be able to link to a results page" and wa-la.

Wallah = 'By Allah's Name' in arabic

Voilà = Literally 'See' + 'There' in French

Only Americans seem to confuse these two words.

2 more replies

scintill76OP11y ago

Turing_Machine11y ago

skwirl11y ago

Given that these requests are using HTTPS (not that a non-secure POST is any better than a non-secure GET in that regard), could you give some other issues aside from the browser history issue?

zaroth11y ago

Turing_Machine11y ago

The other big one (as another poster noted below) is server log files. Those may be accessible to someone who shouldn't necessarily have access to the data.

j / k navigate · click thread line to collapse