Updated August 21, 2020.
When EU citizens visit their governments online, or when they access public health service resources about sensitive issues such as pregnancy, sexual health, cancer or mental illness, more than 100 commercial companies are systemically and invisibly tracking them.
Once collected, this data can be resold via data brokers to organizations both in- and outside the advertising industry.
“I have HIV, now what?”, “I want to terminate my pregnancy”, “Signs of being an alcoholic”, “Insurance for cancer patients”.
These are queries that vulnerable citizens might pose to their government’s or public sector websites in the search for help and answers.
Despite the GDPR, EU citizens’ sensitive data is being wormed out by lingering 3rd parties in the online spaces where they should feel most safe: public sector websites in the European Union.
Almost ten months into the enforcement of the GDPR, we scanned the EU governments’ websites with Cookiebot technology, detecting all cookies and trackers in operation on these sites.
Need to refresh how cookies and the GDPR are connected? Read our blogpost: GDPR & cookies.
We also inserted queries like the ones above into search engines to identify the specific health service landing pages that EU citizens would realistically visit to get official advice.
Then, we scanned these landing pages too. The result is alarming:
The vast majority of the official government websites in the EU harbour data tracking third parties. Over half of the public health sites are unknowingly facilitating tracking.
This means that when vulnerable citizens turn to their governments and public health sector sites to seek information and help on sensitive matters, ad tech companies* are listening in and harvesting the data.
*In the report, the term "ad tech" is used to jointly describe the commercial tracking of website users and the companies behind this, notwithstanding that some of this tracking may be carried out for commercial purposes other than to directly display advertising.
Infographics from the report: Ad Tech Surveillance on the Public Sector Web.
Once the data has been intercepted by the trackers, it could in theory be used for anything by anybody. The data is out of the user’s and even of the website’s control.
Most probably, it is being circulated in the trillion-dollar industry that is the data economy, where it is combined with other data in order to build dauntingly rich personal profiles, that are resold by data brokers to ad-networks in real-time bidding auctions.
Profiling is commonly used to target advertisements, sell you products, propagate ideas, customize everything from user experience to the actual pricings you are shown, and predict future actions. In the wrong hands, it may be used to determine whether or not you are entitled to insurance, and whether or not a potential employer should hire you…
Personal profiling may include…
This knowledge is intricately assembled while you are scrolling and clicking on the internet or moving around in the physical world, device in pocket, by means of invisible and apparently harmless cookies and similar tracking technologies, in place as third parties on websites and apps, and, as our report shows, even on official public websites of the EU countries.
That is, at its essence, the logic of surveillance capitalism. Surveillance capitalism is a term coined to describe the era in which we have inadvertently arrived. In surveillance capitalism, as described by Shoshana Zuboff in “The age of surveillance capitalism”, the more data one has, the more one owns the markets.
Surveillance capitalism is the result of 20 years of a vastly unregulated internet, and the GDPR and the soon-to-come ePrivacy Regulation are reactions to this, attempting to restore rights and online privacy to internet users.
Once intercepted, your personal data is out of your control and can in theory be used for anything. Find out the workings of the ad tech industry and who is in power in our report.
In the report, we demonstrate that 89 % of official government websites of EU member states and 52 % of the scanned landing pages on national health services facilitate third party ad tracking.
The interesting part here being, that not only do these websites represent the EU member countries that are enforcing the GDPR, they also are public sites that do not rely on revenue from advertising.
So, what are the trackers even doing there, and how do they get in?
The short answer is that they get in through embedded services such as video players, social sharing widgets, web analytics, galleries and comments sections.
Why? Many free third-party website plugins earn revenue by smuggling in trackers. They can act as Trojan horses, opening backdoors to the website so that ad tech companies can silently insert their trackers.
To sum up, although many of these third-party technologies are supposedly free, they do have a price: users’ privacy.
The report proves how widespread tracking is on government and public websites that are not funded by ads.
These results indicate that many other non-ad funded websites probably also are unintentionally serving as platforms for online surveillance.
The good news being: it can be prevented and stopped.
When including third-party components on your website, take these steps to stay compliant and protect the privacy of your users:
Worried about the tracking in course on your website? Try our website audit and find out if you are compliant right away.
Ireland’s public health service, the Health Service Executive (HSE) have installed the popular social sharing tool ShareThis on their web pages. ShareThis automatically adds buttons to each page to make it easy for visitors to share information across social media platforms.
As a free service, ShareThis may seem like a gift to many website operators, but it is more like a Trojan horse that releases trackers from more than 20 ad tech companies into every webpage it is installed on.
By analysing web pages on HSE.ie, we found that ShareThis loads 25 other trackers, which track users without permission.
This result was confirmed on pages linked from search queries for “mortality rates of cancer patients” and “symptoms of postpartum depression”.
Although website operators like the HSE do control which third-parties they add to their websites, they have no direct control over what additional “4th parties” those third-parties might smuggle in.
ShareThis appears to be installed on every single webpage of www.HSE.ie. This indicates that a broad spectrum of Irish citizens’ health data is being continuously and invisibly leaked to commercial actors.
On Ireland’s public health service site, ShareThis acts like a Trojan horse, giving 25 trackers access to highly sensitive personal data.
Across both government and health service websites, we found 112 data-tracking companies, sending data to a total of 131 third party tracking domains.
Two aspects are especially worrying:
1. Ten of these companies actively mask their identity, because no website is hosted at their tracking domains, and their domain ownership records are hidden by domain privacy services. Who are these trackers?
Who is tracking you from behind these masked identities?
2. Google performs more than twice as much tracking as any other company. Google controls the top three trackers found in this study: YouTube, DoubleClick and Google.com.
Through the combination of these services, Google can track website visitors to 82% of the EU’s main government websites and 43% of the scanned health service landing pages.
Given its control of many of the internet’s top platforms such as Google Analytics, Google Maps, YouTube, etc., it is no surprise that Google has greater success at gaining tracking access to more webpages than anyone else.
It is of special concern that Google is capable of cross-referencing its trackers with its first-party account details from popular end-user services such as Google Mail, Google Search, and Android apps (to name a few) to easily associate online actions with the identities of real people.
Figure 1: Top 5 trackers on EU government domains
Figure 2: Top 5 trackers on public health service landing pages
In this blogpost, we have described some of the findings in our report, published March 18, 2019.DOWNLOAD REPORT
This report was done out of exasperation. With our scanning technology, we can witness the rising epidemic of uncontrolled online surveillance that thrives all across the internet.
For some readers, the findings and conclusions might be shocking news. To others, it might be old news.
To both, our message is that it can be prevented and stopped.
We urge all website owners – public and private alike – to take responsibility for the tracking that is taking place on your websites in line with the requirements of the GDPR and other legislations.
Create transparency – both for yourselves and for the users of your website – and give your users a genuine choice as to how the data generated about them on your website is being used for commercial purposes.