
EU government websites have undisclosed adtech trackers from Google and others - snaky
https://www.theregister.co.uk/2019/03/18/cookie_government_tracking_report/
======
marcrosoft
I think they should read their own rules and hit themselves with a fine of 10
million or 2% whichever is greater and distribute it among those who were
affected.

Edit: or at least consider that their rules are ridiculous.

~~~
bad_alloc
If the EU is sued by itself and needs to pay a fine, does that fine count as
income and does that need to be factored into the fine? This might be the
first case of an infinite payment.

~~~
greatersuccess
The European Union is not its member states.

Let me put it another way: the European Union is not like the federal
government in the US; it's mainly an economic union.

Or another way: European countries are independent, not states in a
federation, and the European Union is a separate entity.

~~~
azernik
Or yet another way - even in the US system the federal government can fine the
states.

------
kilburn
So... the report says 0 spanish websites were found having trackers. I've
tried 3 random links of said websites, all taken from the report [1-3].

uBlock detected and blocked Google Analytics in all of them ([1] has urchin.js
too).

[1] http://www.lamoncloa.gob.es/Paginas/index.aspx

[2] https://www.riojasalud.es/ciudadanos/problemas-de-salud/30-enfermedades-de-transmision-sexual

[3] http://www.juntadeandalucia.es/servicioandaluzdesalud/principal/noticia.asp?codcontenido=17319

~~~
robador51
Analytics is not the same as ad tracking

~~~
sverige
What is it that they need to analyze that they can't get from their own
servers?

~~~
codezero
This is a good question to which there are a lot of good answers that are
often poorly received on HN so you’re unlikely to get a solid answer.

I’ll take the hit though.

It’s not just pageview logs, but GA has great tools to analyze those logs, do
reporting on some decent set of actions and to bring it all together in a
simple to use interface.

You can take your server logs and then what will a non technical person do
with them? Not much.

That said, you can deploy GA while opting out of behavioral data and ad
network features, and even fuzz ip addresses.

Analytics has the stigma of ad networks because they historically existed to
validate ad spend. We’re past that point and they are often used with strict
first-party intent.

There’s nothing preventing us from imagining all the malicious things any
analytics tool could do, and imaginations run wild.

Disclosure: I work for an analytics company that doesn’t want to own your
data, but I understand why folks have a knee jerk reaction to analytics of any
kind.

~~~
sverige
That's actually a much more reasonable answer than the one I had imagined. The
unfortunate part is that I don't trust anyone not to misuse the data,
especially not government employees.

~~~
arcticbull
Interesting, the 'especially from government employees' bit feels like a very
US-centric reaction. In many other places in the world people just kinda trust
their governments. I have no problem with any European government collecting
analytics data.

~~~
dmichulke
I disagree, as always the US is just 10 years ahead (so it will come to us as
well, just later) and there are numerous law initiatives that show to what
extent your privacy and freedom of expression are a concern of politicians.

~~~
Dahoon
>I disagree, as always the US is just 10 years ahead

At the same time the US is 10 years behind. GDPR is far ahead of anything the
US has. Gun control is 50+ years ahead and let's not try to count years in
social security nets or healthcare for the non-rich (or health in itself for
that matter). On average I'd say the US is behind the curve and falling
further by the day, especially now China has become a semi-great soon to be
superpower.

------
jacquesm
Even my bank feels it is necessary to run Google Analytics tags on the pages
with the _account balances_. Morons.

~~~
mobjack
Google Analytics does not transmit page content like your account balance. It
can see that you viewed the account balance url but knows nothing about what
is displayed.

There are however other trackers that could send such information if they are
not configured correctly.

~~~
jacquesm
What it does or what it does not is of no consequence to me. What it _could_
do is what matters because I don't have the time to check whether or not
someone at Google or some US agency decided that they want to know. The easy
solution is to make sure that it can't happen, which is to stop using GA tags
on logged in parts of the website.

~~~
mdavidn
They would need to remove GA from all pages on the same origin. JavaScript in
any page can perform an AJAX request to read HTML, and those requests will
send cookies.

------
jrockway
What are y'all using for self-hosted analytics? I have used Google Analytics
and Mixpanel out of sheer convenience, but I know many users are uncomfortable
sharing their data with those sites.

To relate this to the article: what should these government agencies be using?
Or should they not be looking for Javascript errors, A/B testing, etc. at all?

~~~
codazoda
I've actually switched to an old school "counter" that I wrote myself. I just
couldn't find anything that was modern and that I was sure provided privacy. I
also don't need much.

I look at the data in Google Sheets.

On the page I want to track I paste a script tag that includes a few lines of
JS from my counter site. That JS script hits a PHP script with the URL the
user requested. I don't track ANY user details. No browser info, no IP
address, no fingerprinting, etc. It would be trivial to track those things
though. The PHP script logs the data to a CSV file (which I plan to change to
an SQLite DB soon).

I have a Google Sheet setup where the first field of data is
'=IMPORTDATA("https://example.com/data.csv")'.
Google Sheets automatically fetches that data every time you open the sheet;
no API integration required. Then I have a simple bar chart on the data.

~~~
alimi
Just as a warning, it was pretty trivial to be able to look at your
JavaScript and get the csv file that you described.

I doubt that you care that much since the data isn't sensitive but just a
heads up.

~~~
derefr
The GP commenter makes it clear that the CSV file is written to on the server-
side (using PHP) as a consequence of request handling, not on the client side.
There is no place that the CSV URL is visible, other than in the PHP source
(that clients cannot access) and in the Google Sheet (which is presumably
internal to the GP's GSuite domain.)

It's security-by-obscurity, maybe (as all public "secret token" URLs are) but
it's better than what you're implying.

~~~
im3w1l
fwiw I was able to find the csv as well.

EDIT: You are right in theory though.

~~~
pcnix
As a learning exercise, I tried to find it too, but I wasn't able to get it
from the domain in the js file, could you explain how you got to the final
file?

This is strictly as a learning exercise, no malicious intent on my part.

~~~
lightbyte
I was able to quickly get the CSV file as well.

The javascript is located at SITE/counter.js

My first guess for the CSV was SITE/counter.csv

It worked.

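Pulling together codazoda's description of the counter (script tag, JS hitting a PHP script, CSV log) and the guessable SITE/counter.csv that lightbyte found: an added PHP example, not codazoda's code, of the logging endpoint with the CSV kept outside the web root so it has no URL at all, and a fail-closed check that refuses to run if the log would land inside the web root. The file names, the `u` query parameter and the `../private` directory are assumptions.

```php
<?php
// Added example, not codazoda's code: a privacy-minimal hit counter endpoint.
// Assumptions: this file is served as /hit.php inside the web root, and the
// directory ../private sits beside the web root, so the CSV is never served
// under any URL (nothing like SITE/counter.csv exists to be guessed).
declare(strict_types=1);

const LOG_DIR  = __DIR__ . '/../private';
const LOG_FILE = LOG_DIR . '/hits.csv';

/**
 * Reduce the reported URL to its path: no scheme, host, query string or
 * fragment, so session tokens or search terms in query parameters never
 * reach the log. Returns null for anything that is not a plain ASCII path.
 */
function normalise_path(string $url): ?string
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/') {
        return null;
    }
    if (strlen($path) > 512 || preg_match('/[^\x20-\x7E]/', $path) === 1) {
        return null;
    }
    return $path;
}

/**
 * Append one line: UTC date and path only. No IP address, user agent,
 * referrer or timestamp finer than a day, so rows cannot be tied to a visitor.
 */
function record_hit(string $url, string $logFile): bool
{
    $path = normalise_path($url);
    if ($path === null) {
        return false;
    }
    $fh = fopen($logFile, 'a');
    if ($fh === false) {
        return false;
    }
    $ok = fputcsv($fh, [gmdate('Y-m-d'), $path]) !== false;
    fclose($fh);
    return $ok;
}

// Deployment guard: true only when the log directory resolves to a location
// that is not the web root and not beneath it.
function log_is_outside_webroot(string $logFile, string $webRoot): bool
{
    $realLog  = realpath(dirname($logFile));
    $realRoot = realpath($webRoot);
    return $realLog !== false && $realRoot !== false
        && $realLog !== $realRoot
        && strncmp($realLog, $realRoot . DIRECTORY_SEPARATOR, strlen($realRoot) + 1) !== 0;
}

if (PHP_SAPI !== 'cli') {
    if (!log_is_outside_webroot(LOG_FILE, __DIR__)) {
        http_response_code(500);   // refuse to run misconfigured rather than leak
        exit;
    }
    // The counter script requests /hit.php?u=<location.pathname>; the response
    // is a 1x1 transparent GIF so the endpoint also works as a plain <img> beacon.
    $u = $_GET['u'] ?? '';
    if (!is_string($u)) {
        $u = '';                   // u[]=... would otherwise arrive as an array
    }
    header('Content-Type: image/gif');
    header('Cache-Control: no-store');
    record_hit($u, LOG_FILE);
    echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
}
```

If the Google Sheet still needs the data, IMPORTDATA can only read a publicly reachable URL, so a copy then has to be published deliberately (at an unguessable path or behind authentication) rather than served from wherever the endpoint happens to write.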
------
tareqak
I doubt most government legislators would be aware of this sort of thing (the
components, libraries, and platforms that make up a given government entity's
web presence).

~~~
angott
That's the major problem. A person writing regulation to deal with this
problem would need to know what a CDN is, why they are required in modern web
development, the pros and cons of self-hosted vs. cloud-based analytics
solutions, etc.

I really wouldn't want to be the person tasked with explaining these issues to
the average politician (although some rare exceptions obviously apply).

~~~
marcrosoft
If you step back further, this is just one example of many where regulators
don't understand the consequence of their laws. You can extend this to any
policy like gun control/rights, abortion, etc.

Some facts:

* We will never know the full ramifications regulation has on a market. It is impossible to calculate objectively the _full_ effect.
* Regulation _always_ has unintended side effects. (Alcohol prohibition and violence, etc)
* A regulator that doesn't understand the entire problem will likely increase the unintended side effects.

~~~
tareqak
I totally agree with you that it is not possible for a regulator to predict
the future with respect to how their decisions impact a market. However, I
think that is only an argument against hasty regulation, as opposed to
regulation in general.

~~~
marcrosoft
I agree that hasty regulation would probably have more unintended side
effects; however the other points still stand. Prohibition, for example, is
always accompanied by a black market. There is _always_ an unintended
consequence of any regulation. GDPR will likely add a tax on individuals as
large companies pass through compliance expenses to us. Real privacy threats
(INCLUDING THE EU) GDPR is meant to block will still continue to operate.

------
cromwellian
Isn't it a little disingenuous to call analytics tools "adtech"? Yes, you can
integrate analytics with adtech platforms, but even in isolation, knowing how
your users use your own site and how they arrived there allows you to better
serve them.

In a physical place of business, for example, a retail store or restaurant,
keeping track of what times or parts of the store were busiest, or where
people spent the most time, would allow you to eliminate waste from your
business, and sometimes that involves knowing how much unique customer foot
traffic you're getting.

~~~
cwkoss
Is it possible to use google analytics without the resulting data being
accessible by google ads or search teams? I would assume that they don't let
you opt out of org-internal data sharing.

~~~
kalyan02
Absolutely. Corporate/Enterprise accounts can opt-out of it.

~~~
Nextgrid
I wouldn't trust any opt-out functionality from a company whose bottom line is
based on harvesting as much data as possible off everyone.

~~~
inetknght
Moreover: opted-in should not be the default; I should not have to actively
opt-out of anything in order to improve my internet security.

------
__m
Thanks for bringing this to attention, so it can be fixed. Who would have
thought that HN would become such a great advocate for the privacy of EU
citizens?

~~~
Operyl
I took it differently, personally. To me it’s a double standard, we spent so
much time going after the private companies with this law, that to have so
much of the government’s own groups fail to even do a review of their own damn
sites? Ugh.

Since the governments are not subject to the GDPR, it doesn’t have teeth, and
I would not be surprised if it fails to get resolved.

~~~
Nursie
A lot of them will be technically not in breach, claiming anonymisation etc
gets them out of it. This is the line I have always had from Gov.uk, for
instance.

But it's pretty crappy that they haven't tried to follow the spirit of the
law. And it's pretty crappy that all my interactions with the government, as a
UK citizen, are reported back to the Google mothership.

~~~
Operyl
Thankfully we as savvy users are able to strip away information we don’t want
sent to companies, via browser extensions and what have you. I’m concerned
about the less savvy users who, frankly, never have even thought about this
being an issue.

------
renholder
The title is intentionally misleading (click-bait?). EU government websites
does not equal EU members' government websites.

For our American friends, that would be akin to saying the federal government,
when you mean the states' governments.

~~~
sam_lowry_
Indeed, major European Union websites have not used Google Analytics for 10
years or so. They switched to Piwik soon after the cookie law came into effect.

------
Animats
www.parliament.uk:

Google Analytics and Google Tag Manager.

www.army.mod.uk:

All the above, plus Doubleclick and Google Ads.

Google Tag Manager is especially dangerous, because it's a Javascript
injection system and a known attack vector.[1]

[1] https://securityboulevard.com/2018/04/malicious-activities-with-google-tag-manager/

~~~
kmlx
from your link: "Any external assets which load on your website should be kept
to a minimum so that you can maintain the most control over everything." made
me chuckle. that ship sailed about 20 years ago.

~~~
Animats
For a site that's not ad-supported, there's not much need for external assets.

------
clarkmoody
"Do as we say, not as we do."

~~~
ozaark
In the US a common version of this is for ADA laws on government websites.
Many(most?) .gov domains aren't compliant. [1]

Interestingly, successful lawsuits for private company websites breaching ADA
have increased over the past couple of years.

[1] Non-compliant: senate.gov , supremecourt.gov , congress.gov , justice.gov
, etc

~~~
tracker1
Working on a compliant application currently... the irony, is you can't use
the main function of the app without being at least relatively sighted (the
app displays scanned documents for confirmation)... but heaven forbid if my
color contrast is 2% too little.

------
k_sze
In Chinese we have a saying: 「只許州官放火，不許百姓點燈。」

"Only state officials are allowed to commit arson; the populace is not allowed
to light a lamp*."

*"lamp" as in "oil lamp" or "candle" in general.

------
interfixus
Where I live (Denmark), these days interaction with public administration
mainly happens through web interfaces, like it or not.

And believe me, when I log into some state service, Google follows. Because
even in what is supposedly my private business, pages are infested with links
to analytics, fonts, tag managers, and assorted other Mountain View
skullduggery.

In my daily life, I have uMatrix, cookie killers, and other defenses keeping
me reasonably free of all that nonsense. But the mandatory, enforced central
logon ("NemID") - which I must use for all public logging in as well as for my
bank and similar stuff - is such an unholy clusterfuck of malice and
incompetence that I long since gave up the fight and assigned it its very own,
completely unfiltered Firefox profile, simply in order to at least sometimes
get things done.

So yes, Google knows exactly where I'm going page for page, not only if I
visit, say, the national police website, but if I am deep in filling out forms
for the tax authority, consulting with health services, using my web bank,
answering a court summons, whatever.

I'm fairly certain much of it is actually illegal. But any complaint goes up
against a massive wall of ignorance and incomprehension, often a far greater
challenge than an expert reply.

------
jammygit
In Canada, most of the health services / clinic websites I've been to over the
last year use a mishmash of google scripts.

I'm actually not certain whether things like google fonts gives them any data
(is it just an IP and nothing about the site in question?). It seems
inappropriate to put google maps in there though, but again I'm not certain

~~~
blihp
They might get the referrer (i.e. the URL of the page the request came from)
and information about the browser, since it's your PC/phone that actually
contacts Google's servers to request the resource. As long as the URL doesn't
encode any PII, that will be it.

I'd guess that the bigger thing that companies like Google get from hosting
resources like fonts etc. is that it provides them yet another, and much
broader, market research data point re: what browsers people are using, what
fonts/scripts sites are using and so on. So even if you completely avoid
Google products/services like Android/Chrome/Chromebook/etc., they'll still
get a bit of usage data from both you and the site.

------
michalskop
I was looking once (about a year or two ago) at Czech (EU member state)
government websites and about 90% of them were using something from Google,
usually Analytics. But some of them even required Captcha (so no way to access
it without being vetted by Google, a US company).

------
mulander
GDPR aside, the most annoying thing I saw was Polish 'Agencja Wywiadu' (the
CIA equivalent) having a recruitment page[1] stating how careful people should
be when applying. To not tell friends, to do it in person etc. and when you
look at it, the whole page is filled with tracking from Facebook, Twitter and
Google. I tweeted at them but they don't seem to care... [2]

[1] - https://aw.gov.pl/rekrutacja/

[2] - https://mobile.twitter.com/mulander/status/1023981741395128320

------
jdietrich
Third-party tracking is not inherently illegal under GDPR, even without
consent. GDPR regulates personal data; if you're collecting genuinely
anonymous usage data that cannot be attributed to a specific individual by any
reasonable means, you don't need consent.

I can't say how compliant any of these websites are, but the presence of a
third-party tracking cookie does _not_ automatically mean that a website is in
breach. Nothing in the article clearly points to a breach of the GDPR.

Edit: I'm being downvoted for this comment, so I'd invite you to actually read
the legislation.

[https://gdpr-info.eu/](https://gdpr-info.eu/)

~~~
JangoSteve
I didn't downvote you, but from the article:

> The group said this could be used to "infer sensitive facts about [users']
> health condition and life situation" and be resold to target ads. "These
> citizens have no clear way to prevent this leakage, understand where their
> data is sent, or to correct or delete the data," it said.

The second quoted sentence in particular, if true, would seem to be in
violation of GDPR, more specifically several sections/articles within Chapter
3.

------
negus
"The group said this could be used to "infer sensitive facts about [users']
health condition and life situation" and be resold to target ads"

Could. But will not. There are strict policies in Google ads on this.

~~~
westpfelia
Enforced policies? I realize there is probably not a good way to judge this
but I have become skeptical of most big business and their adherence to
'policies'.

~~~
negus
Reputational risk is too high for this. And medical ad targeting is being
regulated in many countries.

~~~
TeMPOraL
I don't think reputational risk applies much to big companies. From Equifax
through Facebook and yes, Google - lots of companies have done things in the
past years that should have killed or crippled them, and yet they're still
chugging along, none worse for the wear.

------
Nursie
I've tried to raise this, specifically about UK government websites before.
The gov.uk people didn't want to know, and told me it was OK - google promised
to anonymise the data they were collecting.

And we should just trust this, that google are given all the data they need to
track _everything_ that UK citizens do to interact with their government
online, but they won't.

~~~
kmlx
1. personally i'd rather trust goog than any government out there. at least
with goog i know where i stand, and i know what it takes for them to change
course. with governments there's no recourse except for voting every 4ish
years.

2. if you've got ublock or some other tech installed then you can easily
ignore your own advice.

------
StreamBright
It would be a great move from some of the more privacy aware countries to
block entirely these trackers on national level.

~~~
rubbingalcohol
Mass censorship is so hot right now!

~~~
Nextgrid
Honestly, this is the kind of censorship I would support (as long as there's a
way to opt-out). Would you be bothered if your ISP or similar blocked access
to malware command & control servers? This is basically the same - these
analytics services are essentially spyware and the companies behind them
should be held to the same standard as any spyware operators.

~~~
buzzerbetrayed
> Would you be bothered if your ISP or similar blocked access to malware
> command & control servers?

Yes, that would bother me. I prefer to make my own choices about what I can
and cannot access on the internet. Why would I want my ISP doing that for me?

As far as implementing this on a national level goes - I would trust the
government much less than I would trust my ISP with that kind of power. At
least I can switch to another ISP if mine started abusing it.

------
candeira
The Australian Tax Office, Aussie Medicare and the my.gov.au site all use
Google Analytics! Unless you use countermeasures (I have Privacy Badger
installed), Google is getting quite a bit of information from your use of the
sites, even if all they get is the metadata. It's freaking nuts.

------
havkom
Just a side note in relation to the title, EU institutions are not subject to
GDPR.

They are instead subject to the similar Regulation (EU) 2018/1725 of the
European Parliament and of the Council.

Much smaller administrative fines among other things.

https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1552577087456&uri=CELEX:32018R1725

However, the linked article discusses not EU government/institutions but
rather EU member states' public authorities' web sites. Such web sites are
subject to GDPR, but each member state decides whether administrative fines
should be possible to impose on public authorities (and if so their max
amounts) according to GDPR Article 83(7).

------
bArray
So, what's the punishment for the EU not following its own legislation? Surely
they should have to follow their own rules?

~~~
mrweasel
I don't know about the EU as a whole, but the Danish government just exempted
itself from large parts of the GDPR, mostly regarding fines. That's a little
idiotic, given that the government loses/leaks more personal data than anyone
else.

~~~
tumetab1
Remember remember; The data leaked through CSC; That the government pretended;
It never was important.

------
based2
like google font cdn.

------
cobookman
What happens if EU found to be violating GDPR. Does it fine itself 5% of tax
rev?

~~~
matt4077
Fines for GDPR transgressions are administered by the 28 national governments'
data privacy regulators. The money also goes into the countries' coffers, not
the European Union. See for example
https://www.gdpreu.org/compliance/fines-and-penalties/.

But GDPR is mostly not about fines, but about the rights of citizens
(/consumers) to get information, request deletion, etc. Citizens can file
lawsuits in their local courts. It's somewhat improbable (as in: it has never
happened) for the EU to disregard a judgement, just like the US government
complies with adverse judgements by the Supreme Court.

~~~
jdietrich
The regulators can (and do) take enforcement action against government bodies.
Some recent examples from the UK:

https://ico.org.uk/action-weve-taken/enforcement/?facet_type=&facet_sector=Local+government&facet_sector=Central+government&facet_date=&date_from=&date_to=

~~~
matt4077
> The regulators can (and do) take enforcement action against government
> bodies.

I did not dispute this. I merely said enforcement is usually not accomplished
via fines when targeted against government bodies, because those are
inherently expected to comply without the necessity of threats.

Skimming two of the linked pdfs, these did not mention fines.

------
arendtio
I think this story is gold. I like the GDPR, but I think this story shows how
easy it is to violate it or how difficult to follow it.

In my opinion, the EU should offer reference implementations for all their
'internet' laws. If they make a law which requires privacy policies they
should supply some examples (under some license which allows using them). If
they create a law to let users choose if they want to be tracked, they should
offer a script which does just that.

Such a reference implementation would give a concrete implementation of how
the law could be followed and make it easier for everyone to implement it
(e.g. for themselves). Otherwise, millions of people have to interpret the law
and it is painful for everyone involved: creators cannot be sure that their
implementation is correct and consumers have to use illegal implementations
until everybody knows how the law is meant to be implemented.

------
microdrum
https://www.reddit.com/r/adops/comments/b2nton/lets_be_honest_google_is_a_lazy_monopolist/

