So I have read this report, but it would be good if there were some example URLs of where this is happening. Take for instance Lambeth's website (https://www.lambeth.gov.uk). I've browsed through a few public facing pages and the council tax payment pages.
The report says Lambeth shows 1 real time bidding, 1 social and 5 Google "trackers".
From my network requests I see:
-> Google Translate and its resources (CSS etc.)
-> Google Font
-> jQuery and a bunch of various modules
-> leafletjs (OSS Map library)
-> Google tag manager
-> The social links at the bottom are just links, no requests or trackers.
(Note: None are blocked by PB, only cookies are denied)
Nothing out of the ordinary here (although you could argue against GTM on a council website). I'm not seeing what's at risk here? And according to the report, the above requests should be ignored in the results?
Caveat 1:
> This is not a complete study. Third party tools commonly used by websites for chat bots, designing the page, soliciting email subscription, profiling visitors for the Council’s own user data base, text to speech, CDN, fonts, non-Google analytics, etc. are not counted in this study. (See “table notes” on page 20 for a list of what is counted).
> While these do expose a user’s behaviour to the companies concerned, we exclude them here in order for simplicity. This study highlights what we view as the most dangerous third party data collection and profiling.
To compare, the landing page that this report is hosted on has the following "trackers"/requests:
-> Brave.com Analytics request that is blocked
-> Google Fonts
-> Google Tag Manager
-> Google Analytics (blocked by PB)
-> Mapbox
-> Scorecard research (blocked by PB)
-> Newrelic
-> Slideshare (blocked by PB)
-> Leaderapps
-> Tableau
-> Vimeo (cookies blocked by PB)
Edit: Sorry - PB is Privacy Badger.
As for my personal feelings, "widespread surveillance" makes it appear as though there is some sort of malicious intent here. I have a few friends (and mother) who have previously worked or currently work for local councils, there is no money for this sort of thing. At worst I believe any actual issues are due to ignorance (which isn't an excuse) but could be easily remedied. This is way too dramatic for what should be a "Hey ICO, these councils are potentially not doing things properly, could you have a look?". Instead you'd think Brave have uncovered a PRISM level conspiracy on the local government level.
I'm getting these additional requests. They're being blocked, so result in a warning message in the console. Didn't see anything in network requests for them.
Privacy Badger says that "Yellow" sites where it blocks cookies do appear to be trying to track you, but are necessary for the site to work[1]. That makes 5 trackers PB has identified on Lambeth's website.
Councils are the victims here. They are forced to debase themselves because central government, in the Tory era since 2010, simply offloads competencies to local authorities, without allocating extra funds or even slashing existing ones. So the priority has become to keep the lights on and find every way possible to monetize anything remotely monetizable, from parking to this (as well as cutting tons of jobs, closing libraries and so on). Councils are literally going bankrupt, but voters can’t make the link and keep voting for “low taxes” in Westminster and “the Council should do everything” at home, then complain when pigs can’t manage to lift off and fly.
That kind of fiscal « downloading » is also a way to keep wealth within your council, and poor areas can just get bent because they’ll have more needs, but the least ability to get revenue.
(If council’s primary revenue source is council tax within their own council).
The tax burden is high. They could certainly do with reducing it in my personal opinion.
A leaflet comes through the door every year or so telling me how much they spend in the local council. Usually the highest amount is not on schools, not on libraries, not on health, not on sweeping the streets or maintaining parks and playgrounds etc, but on "adult social care" (1) which as far as I know is a euphemism for benefits handouts for the baby-boomer generation.
It feels to me like an unrealistic burden is being placed on the current working generation to gold-plate the retirements of the current pensioners (because they tend to vote a lot), who frankly have got it pretty fucking good (not just free university education, but they got grants (i.e. free money), were able to purchase cheap and decent quality housing at relatively low salary multiples (e.g. detached 4 bed in nice areas for 3x average salary in the 60s & 70s), excellent pensions (often from the public sector), free travel, free tv licenses, jumping to the front of the queue in the NHS, free money for heating their homes etc etc, the pension triple-lock of a guaranteed 2.5% increase at a minimum etc, when working age people are lucky to get anything in their gig/zero-hours contract etc).
There has been talk of inter-generational fairness a bit (at least before brexit took over). I hope something is done. </bitter>
This is one of the downsides of using an ad-blocker
It's literally never occurred to me, as a user of these websites, that local government websites would even have adverts on them -- let alone Google AdSense / junk from Google's Display Network.
Most extensions show a badge with how many ads have been blocked. From there, some of them also include loggers or similar tools to see exactly which scripts, assets, etc. are being blocked (personally, uBlock's "overview panel" is fantastic for this). All without having to disable your adblocker to check.
So no downside, other than being even more frustrated with the current ad-hellhole.
How is this a downside to using an ad-blocker? I think it's quite the opposite. An ad-blocker would prevent most of this external JS from being loaded.
Here's the service promoting advertising on Government web sites in the UK.[1]
From their FAQ:
Q: "Could the data collected be used to exploit individual circumstances?"
A: "There is no intention to do this. In all forms of advertising, companies want to appear in front of the people most likely to buy their products or services."
"Just as an advertiser will choose an ad space in a publication because of its readership and relevant editorial content, so an advertiser online will use data from cookies to target their ads to people who would be most interested."
"So, a user browsing for information on a benefits webpage might be shown ads relevant for people on a budget, like for reduced price travel or supermarket price cuts on everyday items or a comparison website to find the best tariff on gas and electricity."
The Enfield council's cookie disclosure page includes cookies from most known trackers.[2] This is an amusing read.
Seems like they aren’t aware of the law or explicitly violating it and hoping to get away with it (which unfortunately isn’t a bad strategy considering Google and Facebook are still around).
The thing with the law (the GDPR in this case) is that it applies to everyone equally. It doesn’t matter whether your intentions are good, if the law says you can’t collect certain data without explicit user consent then you shouldn’t be doing it regardless of how good your intentions are.
What is interesting is the fact that none of the revenue / income from advertising, if any, is showing in the accounts of the council. Checked a few at random and none of the account statements mention income from ads. Begs the question then not just of moral bankruptcy but of accounting this. If it's not implemented for income to the council then why?
They would be unlikely to report an income stream separately unless it was material. Materiality is a matter of judgement but most auditors would use about 1% of revenue.
It's hardly news that most of the UK government websites, either at the local or national level, report all your activity to foreign corporations, particularly google analytics.
I've raised this with the website creators through their helpdesk system, and on here when they've posted, but been either told that it's fine (they anonymise the data! We trust them!) or just ignored. It doesn't seem to sink in that giving such a company complete and unfettered access to details on how the UK public interacts with its own government might be a problem.
I've just taken a look around my local council's site. I've gone onto the benefits pages, the disability pages, and a few random pages.
There are literally zero trackers here. I have a first party cookie set to the value "1". All images and JS are served first party, with the exception of typekit (adobe) fonts. All images and JS are, without a deep dive, benign.
It's quite likely a contracted web developer is using a "free" library that had these trackers built into it.
It's also possible this is corruption, as it's a question of where the revenue from that data was going. If it's going to some web developer's account that's a problem.
The RTB aspect of this story makes it clearly disingenuous, but getting interaction data to improve services is something you would expect a progressive public service to do. Crying wolf on this could do a lot more harm than good to the risk averse cultures of public services. I hope they've got the story right.
When you actually look at the sites, it's clear Brave hasn't done their homework or doesn't really understand the online ad ecosystem.
For example, Enfield council ( enfield.gov.uk ) is using Google's ad server (DFP) set to show only internal ads. All their advertising is for cross-promoting projects and sites that Enfield council is involved with, including pest control, social lettings, a publicly-funded golf course, school meals...
It's not showing ads from GDN (Google Display Network) or elsewhere, it seems to only show these internal promotions.
Especially since they are publicly funded, so UK citizens are paying to have their data transmitted to unknown parties and advertised at. Oh, and if you don't pay it? Fuck you. The government will send bailiffs to seize your property to pay the bill, or imprison you for up to 3 months.
Probably something to do with the fact that central government has cut budgets for the last 10 years and if putting some banner ads on their website contributes to keeping a library open, it’s hard to say no.
I suspect the root cause of this issue is the average web developer not realising that including any third party javascript gives total control of the page to whoever controls the included URL.
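The point about third-party JavaScript, and the manual request lists earlier in the thread, as an added example that is not part of the original thread: a static audit of a page's markup that lists every cross-site fetch and flags third-party scripts loaded without an `integrity` attribute. The page URL, host names and HTML are constructed; first-party matching is a simplification that ignores the public suffix list, and requests that scripts make at runtime are not seen.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def base_host(host):
    """Lower-case a host and drop a leading 'www.' (assumption: no public suffix list)."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


class ThirdPartyAudit(HTMLParser):
    """Record every element that makes the browser fetch from another site."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site = base_host(urlsplit(page_url).hostname)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "img"):
            ref = a.get("src")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            ref = a.get("href")
        else:
            return  # e.g. <a href>: a plain link, nothing is fetched on page load
        if not ref:
            return  # inline script or empty attribute
        host = base_host(urlsplit(urljoin(self.page_url, ref)).hostname)
        if not host or host == self.site or host.endswith("." + self.site):
            return  # data: URI or first party
        self.findings.append({
            "host": host,
            "tag": tag,
            "runs_in_page": tag == "script",  # executes with the page's privileges
            "sri": "integrity" in a,          # content pinned by hash
        })


def audit(page_url, html):
    """Return the cross-site fetches declared in the markup, in document order."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def unpinned_scripts(findings):
    """Hosts whose operator can change what runs in the page at any time."""
    return sorted({f["host"] for f in findings if f["runs_in_page"] and not f["sri"]})


# Constructed sample page; every host name below is a placeholder.
SAMPLE_URL = "https://www.council.example/benefits"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example.org/css?family=Lato">
<script src="/static/site.js"></script>
<script src="https://static.council.example/js/menu.js"></script>
<script src="//cdn.example.net/jquery.min.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script async src="https://tags.example.com/tm.js?id=PLACEHOLDER"></script>
</head><body>
<img src="https://pixel.example.com/tr?ev=PageView" width="1" height="1" />
<a href="https://social.example.com/council">Follow us</a>
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f)
    print("unpinned third-party scripts:", unpinned_scripts(audit(SAMPLE_URL, SAMPLE_HTML)))
```
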
Well that's just depressing. Having the fact that you accessed a government addiction help website packaged and commoditized then sold to the highest bidder just screams moral bankruptcy.
"This report should spur Elizabeth Denham, the UK Information Commissioner, to finally enforce the GDPR."
What is the status of GDPR in the UK now that Brexit has occurred? Is the UK still beholden to the terms of the law, or does the UK have a parallel law that applies now that they're no longer part of the EU?
GDPR is currently entirely valid and enforced until December 2020. After that point it is believed that an entirely compatible law will continue to exist - currently the understanding is that the UK will be considered to have adequate equivalency therefore making it a safe third party country to transmit data for processing. No hard guarantees until the end of the year though.
The title of the submission seems very much like a clickbait: the context makes it sound like it refers to government surveillance, not sending data to private American companies to serve ads.
That wasn't editorialized, that was a gallant attempt to fit both the site guidelines and the 80 char limit. The only thing I'd have done differently was take out "Brave" from the title, since it's in the domain next to the title, and since they provide enough mentions of "Brave" themselves. (Submitted title was "Brave uncovers widespread surveillance of UK citizens on UK council websites".)
It's moot now because we switched to the pdf and took its shorter title.
[+] [-] MrAlex94|6 years ago|reply
Poor taste IMO.
[+] [-] gruez|6 years ago|reply
>[...]
>Nothing out of the ordinary here
looks like you're not picking up a bunch of requests. maybe you have ublock? Here are some domains that aren't on your list:
[+] [-] dijksterhuis|6 years ago|reply
- https://static.hotjar.com/c/hotjar-1043047.js?sv=5
- https://cse.google.com/adsense/search/async-ads.js
- https://connect.facebook.net/en_US/fbevents.js
Also, the site is setting a cookie even though I've not consented.
EDIT: Also, one of the lambeth.gov js scripts was written by "rob" in 2015. Hi Rob!
[+] [-] ajor|6 years ago|reply
[1] https://www.eff.org/privacybadger/faq#What-do-the-red,-yello...
[+] [-] grsmto|6 years ago|reply
[+] [-] shermozle|6 years ago|reply
[+] [-] jey|6 years ago|reply
[+] [-] toyg|6 years ago|reply
[+] [-] Scoundreller|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] Bantros|6 years ago|reply
[deleted]
[+] [-] mattlondon|6 years ago|reply
1 - https://engage.barnet.gov.uk/1730/documents/1919
[+] [-] throwawaylolx|6 years ago|reply
Is the core issue that council websites are using real-time bidding for their ads? Is this specific to the UK?
[+] [-] sandwell|6 years ago|reply
Yes. These websites are used to support a variety of public services, e.g. disability, poverty, drugs, or alcoholism services.
Brave believes that sending tracking information about people accessing this information is a breach of privacy.
[+] [-] butler14|6 years ago|reply
[+] [-] choathedolls|6 years ago|reply
[+] [-] basilgohar|6 years ago|reply
[+] [-] gumby|6 years ago|reply
[+] [-] Animats|6 years ago|reply
[1] https://can-digital.net/generating-income-from-council-websi... [2] https://new.enfield.gov.uk/privacy-notice/#6
[+] [-] ukoki|6 years ago|reply
> Collects unidentifiable data that is sent to an unidentifiable source. The source's identity is kept secret by the company...
[+] [-] Nextgrid|6 years ago|reply
[+] [-] weekay|6 years ago|reply
[+] [-] jsmith99|6 years ago|reply
[+] [-] pier25|6 years ago|reply
[+] [-] asdfasdf1231|6 years ago|reply
analytics? To better serve you? to think-of-the-children?
[+] [-] gowld|6 years ago|reply
Perhaps the ads are run by 3rd party web hosting providers. Just a guess.
[+] [-] Nursie|6 years ago|reply
[+] [-] Normal_gaussian|6 years ago|reply
---
https://www.testvalley.gov.uk/
[+] [-] motohagiography|6 years ago|reply
[+] [-] frou_dh|6 years ago|reply
[+] [-] mpeg|6 years ago|reply
[+] [-] sandwell|6 years ago|reply
[+] [-] thomasedwards|6 years ago|reply
[+] [-] awinter-py|6 years ago|reply
sucks but not sure it's immoral -- submission fraud is a hard problem to deal with and if captchas help, .gov should use them
[+] [-] whalesalad|6 years ago|reply
[+] [-] tomlong|6 years ago|reply
[+] [-] blibble|6 years ago|reply
[+] [-] choathedolls|6 years ago|reply
Whether or not the developers were forced to include them due to certain constraints is another issue.
[+] [-] paulcarroty|6 years ago|reply
Cool business idea: Mr Robot style hoodie with tracking protection.
[+] [-] CommanderData|6 years ago|reply
[+] [-] zionic|6 years ago|reply
[+] [-] shadowgovt|6 years ago|reply
[+] [-] rux|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] throwawaylolx|6 years ago|reply
[+] [-] oefrha|6 years ago|reply
At least that report doesn’t start every sentence with “Brave”.
[+] [-] pier25|6 years ago|reply
[+] [-] dang|6 years ago|reply