Information-harvesting software widespread on Government websites
Some departments and local authorities are reviewing cookie policies
The worst performing departmental website was the Department of Foreign Affairs, which had 96 trackers detected on it. Photograph: iStock
Software used to harvest potentially sensitive information about users is widespread across the websites of government departments and local authorities, The Irish Times can reveal.
New research shows that almost all of the 16 departmental and 31 local authority websites surveyed had “trackers” installed, which help companies compile detailed profiles of users.
These can then be commercialised and used by online advertisers, or for other data mining purposes.
The research, by Danish ePrivacy firm Cookiebot, scanned up to 1,000 pages on each individual website for tracking technologies.
The worst performing departmental website was the Department of Foreign Affairs, which had 96 trackers detected on it. Kerry County Council had the most trackers operating on its pages of any local authority, with 91.
The results have raised fears about the impact on users of government websites among privacy and data governance experts.
“Tracking cookies are small files written to the various devices you use to access the internet that tag you, in much the same way as livestock are tagged so they can be tracked and traced from farm to fork.
“These trackers can record what sites you visited, what you did there, and where you went next, sending that information back to the services that have dropped them onto your device,” according to Daragh O’Brien, chief executive of Irish ePrivacy firm Castlebridge.
“This can build a rich picture of your online movements, likes, dislikes and habits, often without your knowledge.”
Of the websites surveyed, only the Department of Defence showed no signs of hosting any tracking technologies.
Mr O’Brien was so concerned by the results that he had filed a complaint with the Data Protection Commissioner (DPC).
Dozens of trackers were also detected on the websites of Department of Business, Enterprise and Innovation and the Department of Education.
The websites of Donegal, Dun-Laoghaire Rathdown, Roscommon, Longford, Leitrim, Offaly, Cavan and Louth county councils all contained more than 50 trackers.
Many of the trackers gain access to the state websites through features built by third parties, such as webcams or buttons to encourage and enable social media sharing.
A webcam on Kerry County Council’s site facilitates 68 trackers, while eight departmental websites use the social sharing tool ShareThis, which opens a back door to more than 20 ad tech companies.
The ShareThis cookie, for example, is used to provide information about users to third parties to facilitate real-time bidding for advertisers, according to CookieBot. Trackers from multiple online advertising and data analytics companies were found across the websites.
“Some level of third party measurement is, to some level, excusable, but what we’re seeing goes well beyond that,” said Johnny Ryan, chief policy officer with privacy-driven web browser Brave.
Mr O’Brien said that “government departments need to be showing models of good practice and setting the bar higher, it’s inexcusable”.
“Once the data is in the ad tech domain, it’s very difficult to control what downstream use that is used for. You can’t take the eggs out of the omelette.”
He criticised the public privacy policies of government departments which were found to have a lot of trackers on their sites. The DBEI policy, he said, had 1.44 words in it for every tracker found on its site, which he said was “frankly an appalling lack of effort to demonstrate a model of good practice”.
CookieBot founder Daniel Johannsen said people use government sites to “seek guidance on vulnerable and deeply personal matters”, and that users must be well informed and give consent to be tracked.
Asked for comment, some government departments and local authorities said they were reviewing cookie policies and investigating trackers on their sites. All said they value user privacy, while others said they used cookies solely for website maintenance and analytics.
Mr Ryan told The Irish Times that the online ad industry handled hundreds of billions of ads every day, and was worth €13 billion a year.
He called on the European Council of Ministers to back proposals from the European Commission on ePrivacy which would strengthen consumer rights in the area.
There are also concerns that data gathered from the users of government websites could be used by other third parties, for example banks. “If this data is included in risk datasets or used in algorithmic profiling by lenders, the fact someone has looked at housing assistance payment or family income supplement sites, that could be something that factors into the type of services available to them,” Mr O’Brien said.
Data for profit
Sean Blanchfield, an Irish technology entrepreneur who founded and later sold advertising analytics firm PageFair, said that in addition to specialist data-mining companies, the research showed that Irish state websites had trackers from the likes of Google, Facebook and Twitter.
“It’s less likely [this data] will end up in some credit rating agency’s hands, but these larger household names will keep it and use it for their own profit”.
Some government departments and local authorities told The Irish Times they had begun taking action already.
Cavan County Council said it was removing functionalities which had allowed in trackers, as did Fingal County Council.
The Department of Education said it used cookies for analytics and security reasons, and was removing sharing functions from its site, while DBEI said that it is examining potential issues relating to tracking technologies on its site.
The Department of Justice said it monitors web traffic using Google Analytics to help it improve its site, as did Leitrim County Council.
The Department of Culture, Heritage and the Gaeltacht said it continuously reviews its policies, while the Department of Employment Affairs and Social Protection said users consent to cookies on its site, and it provides information on them via a privacy statement.