European Government Websites Are Delivering Tracking Cookies to Visitors

Governments within the European Union appear to be flouting their own GDPR laws. Many official government websites are harboring and delivering tracking cookies from the ad tech industry even though they don't rely on any advertising income. Eighty-nine percent of 184,683 pages delivered tracking cookies. Twenty-five of the 28 member states have websites with tracking cookies -- only the Spanish, German and Dutch sites had no trackers.

To make this more disturbing, a new Cookiebot report (PDF) demonstrates that vulnerable citizens looking for sensitive information are tracked on pages where they should feel safe. For example, the researchers used a search engine to seek answers on subjects including HIV, pregnancy, mental illness, alcoholism and cancer. They then checked the first government landing page found by the search engine. The implication is that anyone seeking advice on, for example, "I have cancer -- now what?" will find that it is not just the government website that now knows he has cancer.

It is the sheer size of the problem that is most disturbing. The researchers found a total of 112 companies sending tracking data to 131 third-party tracking domains. Ten of these companies mask their identity behind domain ownership privacy settings, and do not host a website on their domain.

Cookiebot does not suggest that there is a conspiracy between the governments and the ad tech companies. The likelihood is that the web admins don't realize the cookies are there. "Modern websites," suggests the report, "typically include multiple 3rd party javascript technologies to power various functions, such as video players, social sharing widgets, web analytics, galleries and comments sections. These scripts can act as Trojan horses, opening backdoors to the website code through which ad tech companies can silently insert their trackers."

If this sounds far-fetched, the report also provides examples of the extent to which tracking companies will go to hide their practices, and/or bypass cookie-blocking options. In 2017, Apple released Safari 11 with a new Intelligent Tracking Prevention technology. In October 2018, Facebook introduced a new first-party cookie, '_fbp'. Because it was first-party, it was not removed by Safari -- but equally could not communicate with Facebook.com.

"Instead," explains the report, "'_fbp' stores a unique user ID, which is then forwarded as a URL parameter in the pixel tracker 'tr' to Facebook.com, thus allowing Facebook to track users after all."

Google is the biggest tracker, controlling the top three tracking domains found by Cookiebot: YouTube.com, DoubleClick.net and Google.com. YouTube's presence is a little surprising. Google released a YouTube Privacy Enhanced Mode, ostensibly preventing the delivery of a cookie if the video is not played. In fact, YouTube had simply switched from delivering classic cookies to delivering more obscure Flash cookies.

"Privacy-Enhanced Mode," explain the researchers, "currently stores an identifier named 'yt-remote-device-id' in the web browser's 'Local Storage'. This allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video -- contrary to Google's claims. Rather than disabling tracking, 'privacy enhanced mode' seems to cover it up."
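A site owner auditing their own pages for the two patterns described above (a first-party identifier such as '_fbp' forwarded to a third-party pixel as a URL parameter, and identifiers parked in Local Storage) can check a capture of the page's outgoing requests against the identifiers the browser holds. The following is an added Python example, not code from the report or this article; the government host, the identifier values and the `fbp` query-parameter name are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data, shaped loosely like a HAR capture of one page load
# on a hypothetical government health page (not data from the Cookiebot report).
FIRST_PARTY_HOST = "health.example-gov.eu"
CLIENT_IDENTIFIERS = {  # name -> value, gathered from cookies and Local Storage
    "session": "a1b2c3",
    "_fbp": "fb.1.1546300800000.123456789",       # first-party cookie
    "yt-remote-device-id": "9f3c0d5e-2b1a-4c7d",  # Local Storage entry
}
REQUESTS = [
    "https://health.example-gov.eu/cancer/advice",
    "https://static.example-gov.eu/app.js",
    "https://www.facebook.com/tr?id=111&ev=PageView&fbp=fb.1.1546300800000.123456789",
    "https://www.youtube.com/embed/abc?enablejsapi=1",
]
MIN_ID_LENGTH = 8  # ignore short values that could match a parameter by coincidence


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels): fine for .eu/.com, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(url: str, first_party_host: str) -> bool:
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != registrable_domain(first_party_host)


def third_party_hosts(requests, first_party_host):
    """Every distinct host outside the site's own registrable domain that the page contacted."""
    return sorted({urlsplit(u).hostname for u in requests if is_third_party(u, first_party_host)})


def find_identifier_leaks(identifiers, requests, first_party_host):
    """Return (identifier_name, third_party_host, query_param) for each client-side
    identifier whose exact value is sent as a URL parameter to a third-party host,
    i.e. the first-party-cookie-to-pixel pattern the report describes for '_fbp'."""
    leaks = []
    for url in requests:
        if not is_third_party(url, first_party_host):
            continue
        parts = urlsplit(url)
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            for name, ident in identifiers.items():
                if len(ident) >= MIN_ID_LENGTH and value == ident:
                    leaks.append((name, parts.hostname, param))
    return leaks


if __name__ == "__main__":
    print("third-party hosts:", third_party_hosts(REQUESTS, FIRST_PARTY_HOST))
    print("identifier leaks:", find_identifier_leaks(CLIENT_IDENTIFIERS, REQUESTS, FIRST_PARTY_HOST))
```

A real audit would feed it the cookies, Local Storage contents and request log exported from the browser's developer tools, and would replace the naive domain check with a public-suffix list.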

The implication of so many government websites serving tracking cookies is that many other websites around the world will be doing the same. It is unlikely that European regulators will consider taking any action when their own governments are culpable. But it is worth mentioning that GDPR allows non-profit organizations to launch their own actions.

"The AdTech industry is at the very core of today's data exploitation," comments Privacy International's lead technologist, data exploitation program, Eliot Bendinelli. "The industry collects, processes and shares vast amounts of data, yet operates out of the public eye. That's why PI has filed complaints against 7 AdTech companies with three different Data Protection Agencies arguing that they are in breach of GDPR. This new research done by Cookiebot highlights both the industry's pernicious practices to track users and collect personal data as well as the lack of awareness of websites' owners and developers in regard to these trackers."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.