Websites surreptitiously tracking and reporting on visitors

As a privacy and data protection legal advisor, we do occasionally monitor major websites compliance with data protection regulations. We have previously wrote about website compliance and cookies requirements of information, transparency and consent request where applicable. The French Data Protection Authority, CNIL, has played a lead role in clarifying the regulation. The expectation would be that French websites would have benefited from the guidances produced, using the two years of preparation and the first year of GDPR application to comply. Sadly, this has not always been the case. Even pointing the issues to some web owners has not had much effect. Compliance with cookie laws should not be that hard : a cookie banner based on opt in giving visitors the option of accepting tracking, a privacy notice with required information to offer full transparency.

To ensure our observations on the website were correct, we requested several IT and security experts to double check the reports found. One particular recognised expert, Allen Woods, retired today, kindly accepted to have a look to further analyse one of these websites. The result is eye opening. We knew about website tracking but this website analysis threw the light to a whole different dimension on the depth of tracking, profiling and fingerprinting, data sharing with third parties not only via cookies but Java Script codes used by the web developers. We invite anyone involved with data protection, IT security and cybersecurity to carefully read this document with full attention. Please share your views and observations.

Initially Allen Woods confirmed that ‘the use, by second, third and fourth parties of cookies constitutes an extension of the organisation boundary of site owners tracking the movements of devices and therefore their owners, with a considerable degree of accuracy’

Allen Woods then proceed to further scrutiny to add into his report :

‘with the sample URL taken from an apparently autogenerated module with the file name : “7D1mEqsUJEn.js. Both beacon and file name appear to be automatically generated at run time on a basis similar to GUID identifiers. The direct impact of the module is an embedded call back to the react.js CDN web site (part of the Facebook estate) with the effect of forcing a regular Facebook monitoring presence on any page using or calling the react.js sub components or code functions concerned.’

You wonder how many lawyers, even IT lawyers advising Data Protection compliance, or website owners understand what this means. Let’s be honest, We are just starting to pierce the mystery of coding thanks to Allen and few other security experts around.

It’s important to note that for Allen the hidden JavaScript codes on the website ‘represents a multiple risk in that source and components can be inserted for tracking or any other purpose malicious or otherwise but without making the client side users aware.’

‘In the authors opinion, the owners of the site under review have lost control of data flow into and out of the site concerned and should consider a complete rebuild using components that have been vetted in terms of their functionality and capabilities with a view to reversing that loss of control. ‘

Secondly, a review of the reasoning behind the need to collect and analyse visitor traffic should be carried out and an alternative to the use of Google Analytics should be seriously considered.’ This is important as many many websites use Google Analytics to measure their web traffic trough the IP address. IP address, identification number entering the definition of ‘personal data’ as in the Article 4 GDPR.

‘As a matter of due diligence, when commissioning a site, site owners should take an active role in approving which components are going to be used by whoever it is that is commissioned to build their web site. If the author was asked to approve any of the components provided by major platforms generally, but particularly social media platforms like Twitter, Google and Facebook and external template platforms like WORDPRESS, that those suggesting the use of such components should guarantee site owners as to the reliability and robustness of the code in respect of compliance and furthermore prove that the code concerned had been forensically reviewed to confirm reliability and robust compliance.’

Disclaimer here : this DataRainbow website itself is build on a WordPress template, and uses Google’s Gutenberg’s font but no analytics, we are looking to change this.

Knowing how much users’ behaviour is tracked gives a tough burden and liability to website owners as data controller unless there is a certification assuring web developers real competences and not simply a ‘lego block’ assembler expert. Increasingly web developer use templates such as WordPress that comes out of users control tracking behaviour and location. Based on the GDPR, they are two level of liability. One for the data controller, basically whoever decides the means and purposes of the data processing, and the data processor, acting under the guidance and on behalf of the data controller. The European Court of Justice Advocate General opinion in the FashionID case where embedded Facebook ‘like’ button capable of gathering data such as IP addresses and browser identification where Facebook is considered data controller, held that the hosting websites should be considered as joint data controller sharing proportional liability. The Facebook Fanpage decision had already created co-controllership between Facebook and the admin of the Facebook page. The website owner which receives anonymous statistics is deemed to be data controller by permitting third party scripts as the data they allow to be collected is not anonymous from the perspective of the analytics providers. A detailed picture of users is build to target advertising to users. ECJ in the Jehovan todistajat held that in order to have joint control and joint responsibility, it is not required that each of the controllers must have access to (all of) the personal data concerned. Many web owners are in total ignorance of such a shared liability.

Facebook is in close competition with Google, Amazon, Microsoft or Twitter. A privacy regulation might find challenging to combat this kind of behaviour as it’ has become an anti-trust issue of over grown corporations. GAFAM’s seems to have become too big to any regulator to combat.

Facebook users cannot avoid location-based ads, investigation finds. Facebook  ‘There is no combination of settings that users can enable to prevent their location data from being used by advertisers to target them, according to the privacy researcher Aleksandra Korolova. “Taken together,” Korolova says, “Facebook creates an illusion of control rather than giving actual control over location-related ad targeting, which can lead to real harm.”. In reality, users tracking goes above simple users geolocation. Many websites using free Facebook codes librairies track users geolocation and browsing on all kind of websites.

Helen Dixon, The Irish Data Protection Commissionner, in a recent interview announced potential first fines in the next few weeks : “It would be a most surprising outcome if, of the 20 big tech investigations we have underway, fines were not a feature of the process,” Dixon said in an interview in London, after speaking at Bloomberg’s Sooner Than You Think technology conference. Simply fining GAFAMs wont stop them, there need to be combined by injunction to stop the fingerprinting and delete all data illegitimately collected.

Ad Tech GDPR complaint is extended to four more European regulators. Complainants consider Real-Time Bidding a “vast scale personal data leakage by Google and other major companies” in the behavioural advertising industry. ‘GDPR complaints about Real-Time Bidding (RTB) in the online advertising industry were filed today with Data Protection Authorities in Spain, the Netherlands, Belgium, and Luxembourg.  The complaints detail the vast scale of personal data leakage by Google and other major companies in the “Ad Tech” industry. This week marks one year since the introduction of the GDPR.  The new complaints have been filed by Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch), David Korteweg (Bits of Freedom), Jef Ausloos (University of Amsterdam), Pierre Dewitte (University of Leuven), and Jose Belo (Exigo Luxembourg). Today’s filings extend the complaints initially filed in Ireland, the UK and Poland, to a total of seven EU countries. This week marks one year since the GDPR.  Read more here and here

Somehow, we can imagine the gathering of information on each individual internet user to profile their personality in order to predict needs and wishes to be sold to Ad bidders. Google’s wish is to predict your needs before you realise. Young people get offered Apple ‘smart’ watch with their Vitality insurance and health club that monitor their heart beats and exercises. This is all OK until an illness is detected. Women won’t anymore need to knock at the HR door to announce their pregnancy. Probably their employer will be informed before they even notice it. Consequently, new businesses have been created : dog Fitbit walker to simulate exercise to trick the insurance company. Would that be sufficient? Probably not enough to hide actual sickness that your insurance company love to be the first to know about.

And if you wondered why all that matters, think of the past, not that long ago, what the Stasi could have done had they had access to Google or Facebook. Think of totalitarian regimes. Think of the US democracy asking social media passwords from visitors. you think you have nothing to hide, think twice. Think of over-reliance on technology and the margin of error.

In fine, a demonstration of what happened if your shop assistant was an App.

Further read : “More than two of out every three dollars spent on digital ads in the US goes to one of the three companies.”

Beacon Marketing Platform inMarket Introduces Predictive Targeting Program

in 2009 Facebook shuts down Beacon

On the expanding notion of data controller