So I have read this report, but it would be good if there were some example URLs of where this is happening. Take for instance Lambeth's website (https://www.lambeth.gov.uk). I've browsed through a few public facing pages and the council tax payment pages.
The report says Lambeth shows 1 real time bidding, 1 social and 5 Google "trackers".
From my network requests I see:
-> Google Translate and its resources (CSS etc.)
-> Google Font
-> jQuery and a bunch of various modules
-> leafletjs (OSS Map library)
-> Google tag manager
-> The social links at the bottom are just links, no requests or trackers.
(Note: none are blocked by PB, only cookies are denied.)
Nothing out of the ordinary here (although you could argue against GTM on a council website). I'm not seeing what's at risk here? And according to the report, the above requests should be ignored in the results?
Caveat 1:
> This is not a complete study. Third party tools commonly used by websites for chat bots, designing the page, soliciting email subscription, profiling visitors for the Council’s own user data base, text to speech, CDN, fonts, non-Google analytics, etc. are not counted in this study. (See “table notes” on page 20 for a list of what is counted).
> While these do expose a user’s behaviour to the companies concerned, we exclude them here in order for simplicity. This study highlights what we view as the most dangerous third party data collection and profiling.
To compare, the landing page that this report is hosted on has the following "trackers"/requests:
-> Brave.com Analytics request that is blocked
-> Google Fonts
-> Google Tag Manager
-> Google Analytics (blocked by PB)
-> Mapbox
-> Scorecard research (blocked by PB)
-> Newrelic
-> Slideshare (blocked by PB)
-> Leaderapps
-> Tableau
-> Vimeo (cookies blocked by PB)
Edit: Sorry - PB is Privacy Badger.
As for my personal feelings, "widespread surveillance" makes it appear as though there is some sort of malicious intent here. I have a few friends (and my mother) who have previously worked or currently work for local councils; there is no money for this sort of thing. At worst I believe any actual issues are due to ignorance (which isn't an excuse) but could be easily remedied. This is way too dramatic for what should be a "Hey ICO, these councils are potentially not doing things properly, could you have a look?". Instead you'd think Brave had uncovered a PRISM-level conspiracy at the local government level.
I think we would all benefit from an update on your comment correcting it with the new factual information. I too have all the tracking scripts included when loading the page.
None of those really stand out as being problematic.
Google Analytics, Hotjar are measurement tools. CSE is google's custom search endpoint, stats.*.doubleclick.net is a doubleclick for publishers endpoint (Google's ad server) and doesn't mean much by itself, it doesn't automatically show ads from third parties or send your data to anyone.
The Facebook tags are sadly quite popular these days, I do agree those are not ideal but they are literally all over the net with like buttons, share buttons and "sign in with facebook"
The fact that you think the Facebook tag is "not ideal" while all the Google tags are not problematic just shows how many people have bought into the original "Don't be evil" motto and, unfortunately, how easy it is for Google to go under the radar in privacy discussions.
Both Facebook and Google are advertising companies. Both of them have littered the web with their scripts and GIFs making it possible for them to track everything we do. The only difference is how we trust them with our data, and honestly I think they are very equal in this regard. Both of them will track us as much as possible within applicable legislation and their own terms.
GA is absolutely problematic. It's one of Google's main spy mechanisms. I know less about Hotjar, but it's reasonable to be nervous about any analytics package that is sending data off to a third party.
LOL you're in for a treat if you don't know hotjar and think that GA is problematic!
Hotjar tracks (or used to, at least) every mouse movement and click on a site so that you could analyze what happened to your clients or prospective ones.
Yes, I'm aware of that aspect of Hotjar. What I meant was that I don't know what Hotjar does with the collected data (beyond what they offer to the sites that use it).
I'm getting these additional requests. They're being blocked, so result in a warning message in the console. Didn't see anything in network requests for them.
It's tracking cookies. I have Google, Facebook and Hotjar cookies set on initial request before even having seen the cookie consent box.
However, that's how the vast majority of sites implement the cookie consent regulation, and authorities (like the ICO in the UK) have decided not to do anything about it.
According to the GDPR even an IP address needs consent, and those are inherently transmitted when loading a third-party library regardless of cookies. Given that social media sharing isn’t a necessary function of the website, they should be asking for consent before loading the libraries, or just using a locally-hosted icon pointing to a sharing link, so that the target social network gets the data only when the button is actually clicked.
You can drop cookies that are “essential to running your business” without consent; the GDPR TCF 1.1 consent management platforms drop a “euconsent” cookie to store your consent choice lol.
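The kind of check the thread is doing by hand (listing third-party hosts from the network tab, and noting which of them set cookies before the consent banner was touched) can be run over an exported HAR capture. This is an added example, not code from the thread or from the report; the hosts, timestamps and cookie names are constructed, and the registrable-domain logic uses a deliberately small suffix list so that a `gov.uk` site is not collapsed to `gov.uk`.

```python
"""Added example (not from the thread): audit a HAR-style capture for
third-party hosts, and for cookies they set before the user touched the
consent banner. Hosts and timestamps below are constructed, not from any
real council site."""
from urllib.parse import urlsplit

# Small set of two-label public suffixes so a council site is reduced to
# council.gov.uk rather than to gov.uk (a full public-suffix list would replace this).
TWO_LABEL_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "ac.uk"}


def registrable_domain(host: str) -> str:
    """www.example.gov.uk -> example.gov.uk; cdn.example.net -> example.net."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def audit(entries, first_party_url, consent_at):
    """Group third-party requests by registrable domain and list the cookie names
    each domain set in responses that started before consent_at (ISO-8601 UTC
    strings in one fixed format compare correctly as plain text)."""
    first = registrable_domain(urlsplit(first_party_url).hostname)
    report = {}
    for e in entries:
        dom = registrable_domain(urlsplit(e["request"]["url"]).hostname)
        if dom == first:
            continue  # first-party traffic is not what we are auditing
        rec = report.setdefault(dom, {"requests": 0, "cookies_before_consent": []})
        rec["requests"] += 1
        if e["startedDateTime"] < consent_at:
            for h in e["response"]["headers"]:
                if h["name"].lower() == "set-cookie":
                    rec["cookies_before_consent"].append(h["value"].split("=", 1)[0].strip())
    return report


def _entry(url, when, cookies=()):
    """Build a minimal HAR entry (only the fields audit() reads)."""
    hdrs = [{"name": "Set-Cookie", "value": f"{c}=x; Path=/"} for c in cookies]
    return {"startedDateTime": when, "request": {"url": url}, "response": {"headers": hdrs}}


# Constructed capture: page load at :00, consent banner clicked at :05.
CAPTURE = [
    _entry("https://www.example.gov.uk/council-tax", "2024-01-01T00:00:00.000Z", ["session"]),
    _entry("https://fonts.example-cdn.net/css", "2024-01-01T00:00:01.000Z"),
    _entry("https://tags.example-analytics.com/tag.js", "2024-01-01T00:00:02.000Z", ["_tid"]),
    _entry("https://share.example-social.com/btn.js", "2024-01-01T00:00:09.000Z", ["fr"]),
]
CONSENT_AT = "2024-01-01T00:00:05.000Z"

if __name__ == "__main__":
    for dom, rec in audit(CAPTURE, "https://www.example.gov.uk/", CONSENT_AT).items():
        print(dom, rec)
```

On a real export, load the HAR JSON and pass `har["log"]["entries"]`; the consent timestamp is the `startedDateTime` of the request your click on the banner triggered.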
Privacy Badger says that "Yellow" sites where it blocks cookies do appear to be trying to track you, but are necessary for the site to work[1]. That makes 5 trackers PB has identified on Lambeth's website.
It doesn't invalidate what I've found though? Also Brave themselves market as being privacy friendly, blocking ads and trackers etc... is it not fair to judge them as well if they are reporting this as egregious?
No it's not fair because what they report as egregious is not the tracking themselves but the context! Council websites are public services. And it says in the report "citizens are entitled to expect that public services do not allow private companies to surveil them on their websites.".
Other than that, you are right that it's hard to find what's wrong with that Lambeth website. However the GTM could be a gateway to any kind of data tracking (visited pages, button clicked, etc.) idk if you can actually find out from the console.
> No it's not fair because what they report as egregious is not the tracking themselves but the context! Council websites are public services. And it says in the report "citizens are entitled to expect that public services do not allow private companies to surveil them on their websites.".
Poor taste IMO.