Two federal government Web sites that help people find AIDS-related medical services have begun routinely encrypting user data after years in which they let sensitive information — including the real-world locations of site visitors – onto the Internet unprotected.

Until the change, these sites had risked exposing the identities of visitors when they used search boxes to find nearby facilities offering HIV testing, treatment and other services, such as substance abuse and mental health counseling, say security experts. Government smartphone apps associated with one of the Web sites, AIDS.gov, also transmitted the latitude and longitude of users seeking services, after collecting those details from the phones of users.

The sites and apps did not themselves track visitors, but their data was handled in ways that could have enabled monitoring by employers, universities or others with access to the data flowing between individual devices – such as computers and smartphones – and the Internet. Even using a public wifi signal, offered by a coffee shop or airport, could have allowed a nearby hacker to learn that an individual user, wielding a particular type of smartphone, was seeking treatment for HIV or drug addiction.

Read more