It's hardly news that most of the UK government websites, either at the local or national level, report all your activity to foreign corporations, particularly Google Analytics.
I've raised this with the website creators through their helpdesk system, and on here when they've posted, but been either told that it's fine (they anonymise the data! We trust them!) or just ignored. It doesn't seem to sink in that giving such a company complete and unfettered access to details on how the UK public interacts with its own government might be a problem.
I've just taken a look around my local council's site. I've gone onto the benefits pages, the disability pages, and a few random pages.
There are literally zero trackers here. I have a first-party cookie set to the value "1". All images and JS are served first party, with the exception of Typekit (Adobe) fonts. All images and JS are, without a deep dive, benign.
Ha, this came up the other day. Non-technical guy suggests we just insert 'Test' into the distinguished name of certificates we want to mark as 'not for production'.
We pointed out that one of the many reasons that's a terrible idea is that the Test Valley exists.
Humorous solution:
Add test_not_the_valley to all non-prod certificates.
I'll see myself out.
On a more serious note:
Add "testing", "dev", "qa", "internal", or "non-prod" instead. At least those are my go-tos for establishing multi-environment separation of configuration data through namespace separation.
It isn't an inherently bad way of going about things as long as you keep it consistent and do your best to automate it.
I prefer to make sure we use a different signing authority, just to be sure. But I didn't give enough context to clue in the reader that that was an option :)
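Added example, not part of any comment in this thread: a Python comparison of the three ways of marking non-production certificates discussed above (a 'Test' substring in the DN, a fixed environment token, and a separate signing authority). All DNs, CA names and function names are constructed for illustration, and the non-prod token is assumed to be carried in the OU attribute.

```python
import re

# Constructed sample data: (subject DN, issuer DN) in RFC 4514 string form.
PROD_CA = "CN=Example Issuing CA,O=Example Ltd,C=GB"
NONPROD_CA = "CN=Example Non-Prod Issuing CA,O=Example Ltd,C=GB"
CERTS = {
    "council": ("CN=www.example.gov.uk,O=Example Council,L=Test Valley,C=GB", PROD_CA),
    "staging": ("CN=api.staging.example.com,OU=non-prod,O=Example Ltd,C=GB", NONPROD_CA),
    "mislabelled": ("CN=api.example.com,OU=non-prod,O=Example Ltd,C=GB", PROD_CA),
}
NONPROD_OUS = {"testing", "dev", "qa", "internal", "non-prod"}  # tokens from the thread
NONPROD_ISSUERS = [NONPROD_CA]

def parse_dn(dn):
    """Split a DN string into (ATTRIBUTE, value) pairs, honouring escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def flagged_by_substring(subject):
    # The "just put 'Test' in the DN" idea: a case-insensitive substring match.
    return "test" in subject.lower()

def flagged_by_ou(subject):
    # Namespace approach: exact match of one attribute against a fixed token set.
    return any(a == "OU" and v.lower() in NONPROD_OUS for a, v in parse_dn(subject))

def flagged_by_issuer(issuer):
    # Separate signing authority. Comparing issuer strings is only a stand-in:
    # the real control is that production trust stores omit the non-prod CA,
    # so chain validation fails regardless of what the subject says.
    return parse_dn(issuer) in [parse_dn(i) for i in NONPROD_ISSUERS]

def classify(name):
    subject, issuer = CERTS[name]
    return {"substring": flagged_by_substring(subject),
            "ou": flagged_by_ou(subject),
            "issuer": flagged_by_issuer(issuer)}

if __name__ == "__main__":
    for name in CERTS:
        print(name, classify(name))
```

The "mislabelled" entry shows why the label alone depends on consistency: its subject says non-prod, but it chains to the production CA, so only the issuer check reflects what relying parties would actually trust.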
Perhaps my turn of phrase was less than ideal there.... but yeah, I've been pissed off about this for a while but got nowhere.
Some of the stuff in this report is worse, of course, than just including GA.
(edit - Just looked at Test Valley site there, it brings in Google Analytics, though seems clean otherwise. Also Hey neighbour! I'm based in Southampton at the moment)
Ahh, the part after the hyphens is something I wrote after the initial comment; I didn't mean it to sound so abrupt.
Notably my test method was completely and utterly flawed - I used a Firefox Private Browsing window forgetting it blocks content-trackers (like GA). Still, having now visited it properly it is as you say.