A new study has revealed that four in five government-related websites in the EU have ad tech trackers on them.
Following an analysis of 184,683 EU government websites, privacy consulting firm Cookiebot released a new report revealing that a total of 112 companies were harvesting information about people visiting almost 200,000 government websites.
According to Cookiebot’s report, ad tech trackers were found on 25 of the 28 member states’ sites (89%), with the German, Spanish and Dutch government websites being the only three that had no commercial trackers.
Governmental sites in France, for example, have the highest number of commercial trackers, with a total of 52 different companies tracking visitors. The Latvian government site contained 27, the Belgian portal hosted 19, and the Greek government domain contained 18 trackers.
According to Cookiebot’s analysis, a total of 20 cookies were discovered on the UK government’s website, GOV.UK, 12 of which were Google marketing cookies.
Ad tech trackers
The firm’s report described Google as the “kingpin of tracking” and the company’s trackers were found on 82% of all the sites that were analysed.
YouTube, DoubleClick, and Google were also among the top five firms using commercial trackers, according to Cookiebot.
The report says that cookies were discovered on public health service websites as well, with 52% of the sites tested found to contain ad trackers.
And yet again, Google and DoubleClick were among the top five companies that use ad trackers to monitor visitors’ browsing habits on public health sites. The other three are everesttech.net (Adobe), adnxs.com (AppNexus), and mathtag.com (MediaMath).
“How can any organisation live up to its GDPR and ePrivacy obligations if it does not control unauthorised tracking actors accessing its website?” says Cookiebot founder Daniel Johannsen.
“Public sector bodies now have the opportunity to lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites.”
Ilia Kolochenko, CEO of High-Tech-Bridge, commented on Cookiebot’s latest report, saying: “Unfortunately, this is a longstanding and widespread practice in Europe. Governmental agencies often lack resources to properly implement security of their web portals, let alone ensuring privacy.
“Worse, many governmental agencies do not possess an up-to-date inventory of their web and mobile applications. Forgotten APIs, unprotected cloud storage and web applications become low-hanging fruit for cyber mercenaries and even less well-equipped hacktivists.”
Risk and quality management
Risk and quality management of third-party suppliers is another challenge faced by many governmental agencies, Kolochenko says.
“Often, limited in financial resources to properly implement and control software quality, they overlook serious problems in the code. When outsourced, developers tend to rely on open source frameworks and libraries, often precluding proper update management once the website is deployed to production. Cases when third-party code unwittingly brought an intrusive tracker or even malware are not all that uncommon.
“Unfortunately, there are no miracles – with the current state of governmental funding, it will be pretty hard to do better. While formidable sanctions imposed by the GDPR and other regulations are often toothless against the governments who are either immune or have alternative legal and administrative avenues to avoid or reduce punishment.
“Negligent governmental employees are also usually far better protected compared to private companies, and it’s often impossible to sanction them for any omissions.”