
Surveillance on UK council websites [pdf] - pier25
https://brave.com/wp-content/uploads/2020/02/Surveillance-on-UK-council-websites_compressed_version.pdf
======
MrAlex94
So I have read this report, but it would be good if there were some example
URLs of where this is happening. Take for instance Lambeth's website
([https://www.lambeth.gov.uk](https://www.lambeth.gov.uk)). I've browsed
through a few public facing pages and the council tax payment pages.

The report says Lambeth shows 1 real time bidding, 1 social and 5 Google
"trackers".

From my network requests I see:

-> Google Translate and its resources (CSS etc.)

-> Google Font

-> jQuery and a bunch of various modules

-> leafletjs (OSS Map library)

-> Google tag manager

-> The social links at the bottom are just links, no requests or trackers.

Note: None are blocked by PB, only cookies are denied.

Nothing out of the ordinary here (although you could argue against GTM on a
council website). I'm not seeing what's at risk here? And according to the
report, the above requests should be ignored in the results?

Caveat 1:

> This is not a complete study. Third party tools commonly used by websites
> for chat bots, designing the page, soliciting email subscription, profiling
> visitors for the Council’s own user data base, text to speech, CDN, fonts,
> non-Google analytics, etc. are not counted in this study. (See “table notes”
> on page 20 for a list of what is counted).

> While these do expose a user’s behaviour to the companies concerned, we
> exclude them here in order for simplicity. This study highlights what we view
> as the most dangerous third party data collection and profiling.

To compare, the landing page that this report is hosted on has the following
"trackers"/requests:

-> Brave.com Analytics request that is blocked

-> Google Fonts

-> Google Tag Manager

-> Google Analytics (blocked by PB)

-> Mapbox

-> Scorecard research (blocked by PB)

-> Newrelic

-> Slideshare (blocked by PB)

-> Leaderapps

-> Tableau

-> Vimeo (cookies blocked by PB)

Edit: Sorry - PB is Privacy Badger.

As for my personal feelings, "widespread surveillance" makes it appear as
though there is some sort of malicious intent here. I have a few friends (and
my mother) who have previously worked or currently work for local councils;
there is no money for this sort of thing. At worst I believe any actual issues
are due to ignorance (which isn't an excuse) but could be easily remedied. This
is way too dramatic for what should be a "Hey ICO, these councils are
_potentially_ not doing things properly, could you have a look?". Instead you'd
think Brave have uncovered a PRISM level conspiracy on the local government
level.

Poor taste IMO.

~~~
jey
What’s PB?

~~~
polyvisual
Privacy Badger (probably!)

[https://www.eff.org/privacybadger](https://www.eff.org/privacybadger)

------
toyg
Council are the victims here. They are forced to debase themselves because
central government, in the Tory era since 2010, simply offloads competencies
to local authorities, without allocating extra funds or even slashing existing
ones. So the priority has become to keep the lights on and find every way
possible to monetize anything remotely monetizable, from parking to this (as
well as cutting tons of jobs, closing libraries and so on). Councils are
literally going bankrupt, but voters can’t make the link and keep voting for
“low taxes” in Westminster and “the Council should do everything” at home,
then complain when pigs can’t manage to lift off and fly.

~~~
Scoundreller
That kind of fiscal « downloading » is also a way to keep wealth within your
council, and poor areas can just get bent because they’ll have more needs, but
the least ability to get revenue.

(If council’s primary revenue source is council tax within their own council).

~~~
adwww
That would be nice... but councils can only increase tax by <2% per year, and
most of their revenue comes from a 'grant' by central government, which has
been cut ~40% in the last decade.

~~~
switch007
> but councils can only increase tax by <2% per year

The current cap is 2.99% and the 2020-21 plans are for 3.99%, which is split
between the core principle and the adult social care principle. It is unlikely
that many councils will increase it by less than the fully-permitted amount.

Also council tax increases in the recent past have capped at 5.99% some years
and many actual increases were between 4.5% and 5.5%.

~~~
toyg
My council (in the North) already announced they will not ask for the full
rise, but something like 1%. That's because they are well aware of the recent
trend and they know the local population is feeling the heat.

I expect more will follow, because their seat is on the line - so few people
vote in local elections, that minimal aggravation can quickly escalate into
major upturns. They'll just cut more and more until there is nothing left.

~~~
switch007
> My council (in the North) already announced they will not ask for the full
> rise, but something like 1%.

That's fascinating - I'm genuinely intrigued where. Are you sure it's 1%
total, not 1% of a sub part?

But one council doesn't disprove what I said (it was more of an opinion to be
honest though). The first 10 search results I found were all 2-3.99%. I did
say the "full amount" though - I'll knock that down to at "at least 3%".

------
throwawaylolx
The entire article and "report" are so aggressive that it makes it difficult
to extract any nuance out of it other than that I should use Brave.

Is the core issue that council websites are using real-time bidding for their
ads? Is this specific to the UK?

~~~
sandwell
> Is the core issue that council websites are using real-time bidding for
> their ads?

Yes. These websites are used to support a variety of public services, e.g.
disability, poverty, drugs, or alcoholism services.

Brave believes that sending tracking information about people accessing this
information is a breach of privacy.

~~~
throwawaylolx
And is "real-time bidding" an otherwise uncommon ad strategy that is
relatively specific to these websites? If it is, then I can understand the
alarmism, but otherwise this news can be compressed to "UK council websites
use targeted ads," right?

~~~
farazbabar
No. The issue is the means used to target ads on this site are transmitted
back to ad servers and used outside this context which is a nightmare
scenario.

~~~
throwawaylolx
Is this not how targeted ads are expected to work?

~~~
komali2
Why are there ads on a website funded by taxes?

~~~
kmlx
extra income?

------
butler14
This is one of the downsides of using an ad-blocker

It's literally never occurred to me, as a user of these websites, that local
government websites would even have adverts on them -- let alone Google
AdSense / junk from Google's Display Network.

~~~
basilgohar
How is this a downside to using an ad-blocker? I think it's quite the
opposite. An ad-blocker would prevent most of this external JS from being
loaded.

~~~
lozaning
I've so successfully created a personal technology environment that hides ads,
that I have no situational awareness about what these companies are up to.

If someone out there is selling my healthcare data and running ads around it
directed towards just me, I'd never know, but I'd want to.

~~~
JohnFen
So block tracking, not ads.

~~~
dspillett
Unfortunately the two are often intimately linked, so that is not really
practical.

~~~
JohnFen
I'm not sure what you mean. You're right that the two are usually intimately
linked. What I've found by blocking tracking is that as a result of this
intertwining, blocking tracking usually also blocks the advertising engaging
in the spying.

I don't use an adblocker. I block tracking. It's pretty nearly as effective as
an adblocker, so that seems practical to me.

~~~
dspillett
"block tracking, not ads" - given the strong links between tracking and ads,
saying which one you _intend_ to block is nothing more than wordplay.
Practically speaking if you block tracking you likely also block more ads than
you don't, whether that is your intent or not.

It sounded like _not_ blocking ads was a goal.

------
Animats
Here's the service promoting advertising on Government web sites in the UK.[1]

From their FAQ:

Q: _"Could the data collected be used to exploit individual circumstances?"_

A: _"There is no intention to do this. In all forms of advertising, companies
want to appear in front of the people most likely to buy their products or
services."_

_"Just as an advertiser will choose an ad space in a publication because of
its readership and relevant editorial content, so an advertiser online will
use data from cookies to target their ads to people who would be most
interested."_

_"So, a user browsing for information on a benefits webpage might be shown
ads relevant for people on a budget, like for reduced price travel or
supermarket price cuts on everyday items or a comparison website to find the
best tariff on gas and electricity."_

The Enfield council's cookie disclosure page includes cookies from most known
trackers.[2] This is an amusing read.

[1] [https://can-digital.net/generating-income-from-council-websites-can-advertising-network/](https://can-digital.net/generating-income-from-council-websites-can-advertising-network/)

[2] [https://new.enfield.gov.uk/privacy-notice/#6](https://new.enfield.gov.uk/privacy-notice/#6)

~~~
Nextgrid
Seems like they aren’t aware of the law or are explicitly violating it and
hoping to get away with it (which unfortunately isn’t a bad strategy
considering Google and Facebook are still around).

The thing with the law (the GDPR in this case) is that it applies to everyone
equally. It doesn’t matter whether your intentions are good, if the law says
you can’t collect certain data without explicit user consent then you
shouldn’t be doing it regardless of how good your intentions are.

~~~
TeMPOraL
What good intentions? That quoted FAQ walked around the core point:
advertising is, for the most part, exploiting.

> _So, a user browsing for information on a benefits webpage might be shown
> ads relevant for people on a budget, like for reduced price travel or
> supermarket price cuts on everyday items or a comparison website to find the
> best tariff on gas and electricity._

Or payday loans, or get-rich-quick schemes, or gambling, or news articles
about how the elite is oppressing them, or "save your money on power bill by
bundling it with your mobile service" borderline scams.

It's not like the government, or the company that wrote that FAQ, will be
actively filtering the ads to ensure that only the honest win-win deals are
shown.

------
weekay
What is interesting is the fact that none of the revenue / income from
advertising, if any, is showing in the accounts of the council. Checked a few
at random and none of the account statements mention income from ads. Begs the
question then not just of moral bankruptcy but of accounting for this. If it's
not implemented for income to the council then why?

~~~
pier25
Maybe there is a document somewhere that enforces certain practices when
making websites for public institutions?

~~~
lbriner
Unfortunately not, otherwise it would be easier to enforce consistency. The
simple truth is that councils like many companies are not specialist
developers but are expected to run high-quality web applications. Add in some
Consultants who may have conflicting interests or lack of knowledge, semi-
skilled staff, a friend-of-a-friend who told you to use X on your site, third-
party web developers and a marketing team who need the "analytics" and you end
up with this mess.

Like many companies, GDPR seems right down the list. The most troubling part
of all for me was that the ICO acknowledged the illegality but didn't follow
up. Sums up Britain to a tee!

(I'm a Brit)

------
Nursie
It's hardly news that most of the UK government websites, either at the local
or national level, report all your activity to foreign corporations,
particularly Google Analytics.

I've raised this with the website creators through their helpdesk system, and
on here when they've posted, but been either told that it's fine (they
anonymise the data! We trust them!) or just ignored. It doesn't seem to sink
in that giving such a company complete and unfettered access to details on how
the UK public interacts with its own government might be a problem.

~~~
Normal_gaussian
It may be hardly news to you; but it is to me.

---

I've just taken a look around my local councils site. I've gone onto the
benefits pages, the disability pages, and a few random pages.

There are literally zero trackers here. I have a first party cookie set to the
value "1". All images and JS are served first party, with the exception of
typekit (adobe) fonts. All images and JS are, without a deep dive, benign.

[https://www.testvalley.gov.uk/](https://www.testvalley.gov.uk/)

~~~
dboreham
Pretty hard core to invent a whole local government for test purposes.

~~~
Nursie
Ha, this came up the other day. Non technical guy suggests we just insert
'Test' into the distinguished name of certificates we want to mark as 'not for
production'.

We pointed out that one of the many reasons that's a terrible idea is that the
Test Valley exists.

~~~
salawat
Humorous solution: Add test_not_the_valley to all non-prod certificates.

I'll see myself out.

On a more serious note:

Add "testing", "dev", "qa", "internal", or "non-prod" instead. At least those
are my go-tos for establishing multi-environment separation of configuration
data through namespace separation.

It isn't an inherently bad way of going about things as long as you keep it
consistent and do your best to automate it.

~~~
Nursie
Get in the sea!

I prefer to make sure we use a different signing authority, just to be sure.
But I didn't give enough context to clue in the reader that that was an option
:)

------
motohagiography
It's quite likely a contracted web developer is using a "free" library that
had these trackers built into it.

It's also possible this is corruption, as it's a question of where the revenue
from that data was going. If it's going to some web developer's account that's
a problem.

The RTB aspect of this story makes it clearly disingenuous, but getting
interaction data to improve services is something you would expect a
progressive public service to do. Crying wolf on this could do a lot more harm
than good to the risk averse cultures of public services. I hope they've got
the story right.

------
frou_dh
Invisible trackers aside, it's simply gross that local government sites have
banner ads on them. Have some pride and/or taste!

~~~
mpeg
When you actually look at the sites, it's clear Brave hasn't done their
homework or don't really understand the online ad ecosystem.

For example, Enfield council ( enfield.gov.uk ) is using Google's ad server
(DFP) set to show only internal ads. All their advertising is for cross-
promoting projects and sites that Enfield council is involved with, including
pest control, social lettings, a publicly-funded golf course, school meals...

It's not showing ads from GDN (Google Display Network) or elsewhere, it seems
to only show these internal promotions.

~~~
jszymborski
Right, but are you suggesting that the Google ad servers are not going to use
that information to sell to these visitors on other websites that are showing
ads from the GDN?

~~~
mpeg
I'm not a Google fan by any means, but DFP is the #1 ad server in the world
and an industry standard, and I definitely don't think they would use DFP data
to populate GDN segments because it would be a privacy nightmare.

You have to consider DFP is a software tool, it would be like Slack selling
your data so other SaaS can target you when you are talking about buying a new
CMS.

~~~
jszymborski
"it would be a privacy nightmare."

Right, but being a privacy nightmare is their business plan

------
awinter-py
I've been on government sites (ny.gov, IIRC) that use google-provided captchas
for form submissions

sucks but not sure it's immoral -- submission fraud is a hard problem to deal
with and if captchas help, .gov should use them

------
whalesalad
I guess the irony of a 'tweet this' href after every single bullet point was
lost on the author.

------
tomlong
In the appendix table, South Oxfordshire is listed as South Oxfordshite.

------
blibble
I suspect the root cause of this issue is the average web developer not
realising that including any third party javascript gives total control of the
page to whoever controls the included URL
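blibble's point (and the manual request inventory MrAlex94 posted earlier in the thread) can be checked mechanically. The script below is an added example, not code from the thread or from Brave's report: it parses a page, resolves every script/link/img/iframe URL against the page origin, separates first-party from third-party hosts using a simplified .gov.uk-aware registrable-domain rule (an assumption standing in for a proper public-suffix list), and flags third-party scripts that carry no Subresource Integrity attribute. The sample markup and every hostname in it are constructed.

```python
"""Static audit of the third-party resources a page pulls in (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page standing in for a council site; no real site's markup.
SAMPLE_PAGE_URL = "https://www.example-council.gov.uk/benefits/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/assets/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<script src="/assets/jquery.min.js"></script>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://cdn.example-analytics.invalid/track.js"></script>
<script src="https://cdn.jsdelivr.net/npm/leaflet@1.6.0/dist/leaflet.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body>
<img src="/images/logo.png">
<iframe src="https://player.vimeo.invalid/video/1"></iframe>
</body></html>"""

# Attribute naming the fetched resource for each tag type we inventory.
_SRC_ATTR = {"script": "src", "link": "href", "img": "src", "iframe": "src"}
# Simplified registrable-domain rule (assumption: no public-suffix list).
_UK_SECOND_LEVEL = {"gov", "co", "org", "ac", "nhs"}

def registrable_domain(host):
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in _UK_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

class _ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = _SRC_ATTR.get(tag)
        attrs = dict(attrs)
        if attr_name is None or not attrs.get(attr_name):
            return
        url = urljoin(self.page_url, attrs[attr_name])  # resolves "/x" and "//host/x"
        self.resources.append({"tag": tag, "url": url,
                               "host": urlparse(url).hostname or "",
                               "has_integrity": bool(attrs.get("integrity"))})

def audit_resources(html, page_url):
    """Every fetched resource, flagged third_party relative to page_url's site."""
    site = registrable_domain(urlparse(page_url).hostname)
    parser = _ResourceCollector(page_url)
    parser.feed(html)
    for r in parser.resources:
        r["third_party"] = registrable_domain(r["host"]) != site
    return parser.resources

def third_party_hosts(html, page_url):
    return sorted({r["host"] for r in audit_resources(html, page_url) if r["third_party"]})

def third_party_scripts_without_sri(html, page_url):
    """Third-party <script> tags lacking integrity: whoever controls that URL
    can change what runs in the page at any time (blibble's point)."""
    return [r["url"] for r in audit_resources(html, page_url)
            if r["third_party"] and r["tag"] == "script" and not r["has_integrity"]]

if __name__ == "__main__":
    for r in audit_resources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("THIRD-PARTY" if r["third_party"] else "first-party", r["tag"], r["url"])
    print("no SRI:", third_party_scripts_without_sri(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

A tag manager injects further scripts at runtime, so the static list is only a lower bound; seeing those needs a network-request inventory of the kind MrAlex94 made above.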

~~~
choathedolls
The average developer knows this even if you're an absolute lover of all
things JS.

Whether or not the developers were forced to include them due to certain
constraints is another issue.

~~~
Grumbledour
I am kind of sick of this excuse.

While I suppose every developer here was in a situation where they had to
include something they did not want, I also know that none of my colleagues
would care or even think about including external scripts, trackers or other
crap. Possibility would be high they would be the ones suggesting it. And I
have met many developers who think that way. And looking at a plethora of open
source projects, which many would assume should have many developers more
conscious of these kind of issues, suggests this is more than anecdotal
evidence.

Most people, developers included, probably even most developers on hacker
news, don't care at all. We should not always try to push responsibility on
someone else when it is us who builds this kind of crap often without even
protesting.

------
paulcarroty
The UK has the biggest number of cameras per m^2 in the world. Sadly, it's a
common pattern.

Cool business idea: Mr Robot style hoodie with tracking protection.

~~~
theseadroid
And only then you'll realize how many people don't really care and the ones
wearing the hoodie will be singled out with special attention from the state.

------
CommanderData
Interested in some of these comments, no doubt places like these are getting
astroturfed more and more.

------
zionic
Well that's just depressing. Having the fact that you accessed a government
addiction help website packaged and commoditized then sold to the highest
bidder just screams moral bankruptcy.

------
shadowgovt
"This report should spur Elizabeth Denham, the UK Information Commissioner, to
finally enforce the GDPR."

What is the status of GDPR in the UK now that Brexit has occurred? Is the UK
still beholden to the terms of the law, or does the UK have a parallel law
that applies now that they're no longer part of the EU?

~~~
rux
GDPR is currently entirely valid and enforced until December 2020. After that
point it is believed that an entirely compatible law will continue to exist -
currently the understanding is that the UK will be considered to have adequate
equivalency therefore making it a safe third party country to transmit data
for processing. No hard guarantees until the end of the year though.

------
throwawaylolx
The title of the submission seems very much like a clickbait: the context
makes it sound like it refers to government surveillance, not sending data to
private American companies to serve ads.

------
oefrha
A better link would probably be the actual report, “Surveillance on UK council
websites” [https://brave.com/wp-content/uploads/2020/02/Surveillance-on-UK-council-websites_compressed_version.pdf](https://brave.com/wp-content/uploads/2020/02/Surveillance-on-UK-council-websites_compressed_version.pdf)

At least that report doesn’t start every sentence with “Brave”.

~~~
dang
Ok, we've changed the URL to that from
[https://brave.com/ukcouncilsreport/](https://brave.com/ukcouncilsreport/).
Thanks!

------
pier25
Sorry for the editorialized title but it was too long...

~~~
dang
That wasn't editorialized, that was a gallant attempt to fit both the site
guidelines and the 80 char limit. The only thing I'd have done differently was
take out "Brave" from the title, since it's in the domain next to the title,
and since they provide enough mentions of "Brave" themselves. (Submitted title
was "Brave uncovers widespread surveillance of UK citizens on UK council
websites".)

It's moot now because we switched to the pdf and took its shorter title.

~~~
pier25
> that was a gallant attempt to fit both the site guidelines and the 80 char
> limit

Well thank you kind sir

------
627467
I don't want to be overly critical here but if we rush to call this
'widespread surveillance' (intended or not) I worry that we'll quickly start
losing words/expressions to describe the stuff that Snowden unveiled or
whatever the government does in China...

~~~
shadowgovt
The source for the story clearly has a specific political bias regarding its
interpretation of privacy.

That political bias doesn't impinge on the facts of the report though (merely
that Brave believes it's worth surfacing loudly).

~~~
alharith
So the right to privacy is a political agenda item now? I don't get what you
are saying, can you please clarify?

~~~
licebmi__at__
Yes, anything related to life in society and how we regulate it or not is
"politics", and a particular political subject pushed by any individual or
group is a "political agenda item". If we act like politics is a dirty word,
only the worst of us will get involved in politics.

------
nottorp
> This report should spur Elizabeth Denham, the UK Information
> Commissioner, to finally enforce the GDPR. It is 17 months since formal
> evidence from Brave and complaints about breaches of data protection laws were
> filed before the ICO.

Oh really? Hello Brexit?

~~~
gniv
> Hello Brexit?

I was curious about this and searched a bit. According to this website [1] the
GDPR is still in force until the end of the year, and in addition there is a
UK-GDPR law, very similar to the EU GDPR, which took effect on Feb 1st. So
there are two regulations now, not zero.

[1] [https://www.cookiebot.com/en/uk-gdpr/](https://www.cookiebot.com/en/uk-gdpr/)

------
foxyv
Advertising is starting to edge towards the side of "Universal Evil." We need
some serious regulatory controls on this stuff because it is getting out of
control. GDPR is a step in the right direction, but sites and advertisers are
pretty much flouting it at this point.

~~~
eclipxe
Why is it starting to edge towards "Universal Evil"?

~~~
mc3
Probably 2 things:

1. Bulk collection of millions of people's habits and data.

2. Misleading "click bait" style ads.

