Surveillance on UK council websites [pdf] (brave.com)
562 points by pier25 on Feb 5, 2020 | 145 comments

So I have read this report, but it would be good if there were some example URLs of where this is happening. Take for instance Lambeth's website (https://www.lambeth.gov.uk). I've browsed through a few public facing pages and the council tax payment pages.

The report says Lambeth shows 1 real time bidding, 1 social and 5 Google "trackers".

From my network requests I see:

-> Google Translate and its resources (CSS etc.)

-> Google Font

-> jQuery and a bunch of various modules

-> leafletjs (OSS Map library)

-> Google tag manager

-> The social links at the bottom are just links, no requests or trackers.

(Note: None are blocked by PB, only cookies are denied)

Nothing out of the ordinary here (although you could argue against GTM on a council website). I'm not seeing what's at risk here? And according to the report, the above requests should be ignored in the results?

Caveat 1:

> This is not a complete study. Third party tools commonly used by websites for chat bots, designing the page, soliciting email subscription, profiling visitors for the Council’s own user data base, text to speech, CDN, fonts, non-Google analytics, etc. are not counted in this study. (See “table notes” on page 20 for a list of what is counted).

> While these do expose a user’s behaviour to the companies concerned, we exclude them here in order for simplicity. This study highlights what we view as the most dangerous third party data collection and profiling.

To compare, the landing page that this report is hosted on has the following "trackers"/requests:

-> Brave.com Analytics request that is blocked

-> Google Fonts

-> Google Tag Manager

-> Google Analytics (blocked by PB)

-> Mapbox

-> Scorecard research (blocked by PB)

-> Newrelic

-> Slideshare (blocked by PB)

-> Leaderapps

-> Tableau

-> Vimeo (cookies blocked by PB)

Edit: Sorry - PB is Privacy Badger.

As for my personal feelings, "widespread surveillance" makes it appear as though there is some sort of malicious intent here. I have a few friends (and mother) who have previously worked or currently work for local councils, there is no money for this sort of thing. At worst I believe any actual issues are due to ignorance (which isn't an excuse) but could be easily remedied. This is way too dramatic for what should be a "Hey ICO, these councils are potentially not doing things properly, could you have a look?". Instead you'd think Brave have uncovered a PRISM level conspiracy on the local government level.

Poor taste IMO.

>From my network requests I see:


>Nothing out of the ordinary here

looks like you're not picking up a bunch of requests. maybe you have ublock? Here are some domains that aren't on your list:


Hmm, not getting these. I disabled uBlock for my results. I'll see what else may be the cause.

I think we would all benefit from an update on your comment correcting it with the new factual information. I too have all the tracking scripts included when loading the page.

Unfortunately I cannot update my comment. But looks like my browser was blocking “known trackers” which is why they were not showing up.

Ah, that's right. I forgot we cannot edit comments the same way you can on Reddit.

None of those really stand out as being problematic.

Google Analytics, Hotjar are measurement tools. CSE is google's custom search endpoint, stats.*.doubleclick.net is a doubleclick for publishers endpoint (Google's ad server) and doesn't mean much by itself, it doesn't automatically show ads from third parties or send your data to anyone.

The Facebook tags are sadly quite popular these days, I do agree those are not ideal but they are literally all over the net with like buttons, share buttons and "sign in with facebook"

The fact that you think the Facebook tag is "not ideal" while all the Google tags are not problematic, just shows how much people have bought into the original "Don't be evil" motto and unfortunately how easy it is for Google to go under the radar in privacy discussions.

Both Facebook and Google are advertising companies. Both of them have littered the web with their scripts and GIFs making it possible for them to track everything we do. The only difference is how we trust them with our data, and honestly I think they are very equal in this regard. Both of them will track us as much as possible within applicable legislation and their own terms.

GA is absolutely problematic. It's one of Google's main spy mechanisms. I know less about Hotjar, but it's reasonable to be nervous about any analytics package that is sending data off to a third party.

LOL you're in for a treat if you don't know hotjar and think that GA is problematic! Hotjar tracks (or used to at least) every mouse movement and click on a site so that you could analyze what happened to your clients or prospective ones.

Yes, I'm aware of that aspect of Hotjar. What I meant was that I don't know what Hotjar does with the collected data (beyond what they offer to the sites that use it).

I'm getting these additional requests. They're being blocked, so result in a warning message in the console. Didn't see anything in network requests for them.

- https://static.hotjar.com/c/hotjar-1043047.js?sv=5

- https://cse.google.com/adsense/search/async-ads.js

- https://connect.facebook.net/en_US/fbevents.js

Also, the site is setting a cookie even though I've not consented.

EDIT: Also, one of the lambeth.gov js scripts was written by "rob" in 2015. Hi Rob!

Is the cookie used for the site to function (or a component of it) or for tracking/ads. Only the latter needs consent.

It's tracking cookies. I have Google, Facebook and Hotjar cookies set on initial request before even having seen the cookie consent box.

However that's how the vast majority of sites implement the cookie consent regulation, and authorities (like ICO in UK) have decided to not do anything about it.

According to the GDPR even an IP address needs consent, and those are inherently transmitted when loading a third-party library regardless of cookies. Given that social media sharing isn’t a necessary function of the website, they should be asking for consent before loading the libraries, or just using a locally-hosted icon pointing to a sharing link, so that the target social network gets the data only when the button is actually clicked.
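An added example (not part of any comment in this thread): one way to repeat the check commenters describe, listing which third-party sites a page contacted, and which cookies they set, before the consent banner was touched. It assumes a HAR export captured in a fresh profile with the browser's own tracker blocking off; the sample HAR, its cookie names and the function names are constructed for illustration, and the two-entry suffix set stands in for the Public Suffix List.

```python
import json
from urllib.parse import urlsplit

# Simplification: a real audit should use the Public Suffix List. This set
# only covers the suffixes needed for the constructed sample below.
TWO_LABEL_SUFFIXES = {"gov.uk", "co.uk"}


def site_of(host):
    """Reduce a hostname to its registrable domain (approximation)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def pre_consent_report(har, first_party_url):
    """Summarise third-party contacts recorded in a HAR captured pre-consent.

    Returns {site: {"hosts": [...], "requests": n, "cookies_set": [...]}}
    for every site other than the first party.
    """
    first_site = site_of(urlsplit(first_party_url).hostname)
    report = {}
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host is None:
            # data: and blob: URLs never leave the browser, so skip them.
            continue
        site = site_of(host)
        if site == first_site:
            continue
        row = report.setdefault(
            site, {"hosts": set(), "requests": 0, "cookies_set": set()}
        )
        row["hosts"].add(host)
        row["requests"] += 1
        # HAR 1.2 lists cookies set by the response under response.cookies.
        for cookie in entry.get("response", {}).get("cookies", []):
            row["cookies_set"].add(cookie["name"])
    # Convert sets to sorted lists so the result is stable and JSON-friendly.
    return {
        site: {
            "hosts": sorted(row["hosts"]),
            "requests": row["requests"],
            "cookies_set": sorted(row["cookies_set"]),
        }
        for site, row in sorted(report.items())
    }


def _entry(url, cookie_names=()):
    """Build one minimal HAR entry (constructed sample data)."""
    return {
        "request": {"url": url},
        "response": {"cookies": [{"name": n, "value": "x"} for n in cookie_names]},
    }


# Constructed HAR: the three third-party URLs are the ones quoted in the
# thread; the first-party asset path and all cookie names are made up.
SAMPLE_HAR = {
    "log": {
        "entries": [
            _entry("https://www.lambeth.gov.uk/", ["session"]),
            _entry("https://www.lambeth.gov.uk/assets/site.js"),
            _entry("https://static.hotjar.com/c/hotjar-1043047.js?sv=5",
                   ["example_hj_id"]),
            _entry("https://cse.google.com/adsense/search/async-ads.js"),
            _entry("https://connect.facebook.net/en_US/fbevents.js",
                   ["example_fb_id"]),
            _entry("data:image/gif;base64,R0lGODlhAQABAAAAACw="),
        ]
    }
}

if __name__ == "__main__":
    result = pre_consent_report(SAMPLE_HAR, "https://www.lambeth.gov.uk/")
    print(json.dumps(result, indent=2))
```

An empty report from a capture made with tracking protection enabled says nothing about the site, which is the mistake two commenters in this thread describe making.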

Is a session cookie with datetime of access (and last visit somehow), so probably fine.

not up on cookies and Gdpr tbh, I deal with other types of data normally.

You can drop cookies that are “essential to running your business” without consent, the gdpr tcf 1.1 consent management platforms drop a “euconsent” cookie to store your consent choice lol.

Privacy Badger says that "Yellow" sites where it blocks cookies do appear to be trying to track you, but are necessary for the site to work[1]. That makes 5 trackers PB has identified on Lambeth's website.

[1] https://www.eff.org/privacybadger/faq#What-do-the-red,-yello...

I see - thanks for the info. So all relating to Google from what I'm getting on the website request.

Your comment was making sense until you started comparing a council website with a marketing product (Brave.com).

It doesn't invalidate what I've found though? Also Brave themselves market as being privacy friendly, blocking ads and trackers etc... is it not fair to judge them as well if they are reporting this as egregious?

No it's not fair because what they report as egregious is not the tracking themselves but the context! Council websites are public services. And it says in the report "citizens are entitled to expect that public services do not allow private companies to surveil them on their websites.".

Other than that, you are right that it's hard to find what's wrong with that Lambeth website. However the GTM could be a gateway to any kind of data tracking (visited pages, button clicked, etc.) idk if you can actually find out from the console.

> No it's not fair because what they report as egregious is not the tracking themselves but the context! Council websites are public services. And it says in the report "citizens are entitled to expect that public services do not allow private companies to surveil them on their websites.".

Ah I see. Agreed there.

One of the examples, Enfield, gives me 44 trackers according to Tag Explorer: https://imgur.com/a/NoOjoev

What’s PB?

Privacy Badger (probably!)


Apologies - Privacy Badger

Privacy Badger?

Council are the victims here. They are forced to debase themselves because central government, in the Tory era since 2010, simply offloads competencies to local authorities, without allocating extra funds or even slashing existing ones. So the priority has become to keep the lights on and find every way possible to monetize anything remotely monetizable, from parking to this (as well as cutting tons of jobs, closing libraries and so on). Councils are literally going bankrupt, but voters can’t make the link and keep voting for “low taxes” in Westminster and “the Council should do everything” at home, then complain when pigs can’t manage to lift off and fly.

That kind of fiscal « downloading » is also a way to keep wealth within your council, and poor areas can just get bent because they’ll have more needs, but the least ability to get revenue.

(If council’s primary revenue source is council tax within their own council).

That would be nice... but councils can only increase tax by <2% per year, and most of their revenue comes from a 'grant' by central government, which has been cut ~40% in the last decade.

Yep - "egoistic firewalling" is basically how Tory HQ sold the strategy to the local authorities they controlled (peppered with rebalancing some formulas so that they would get more than in the past, taken from more deprived areas they didn't control); then turned around and slashed so hard, the first towns to declare bankruptcy were their own [1][2][3]. And what do they do in London? Blame councils, of course! [4]

[1] https://www.theguardian.com/society/2018/feb/02/tory-run-cou...

[2] https://www.theguardian.com/society/2018/may/18/tory-council...

[3] https://www.independent.co.uk/news/uk/politics/local-council...

[4] https://www.theguardian.com/politics/2015/nov/11/cameron-hyp...

> but councils can only increase tax by <2% per year

The current cap is 2.99% and the 2020-21 plans are for 3.99%, which is split between the core principle and the adult social care principle. It is unlikely that many councils will increase it by less than the fully-permitted amount.

Also council tax increases in the recent past have capped at 5.99% some years and many actual increases were between 4.5% and 5.5%.

My council (in the North) already announced they will not ask for the full rise, but something like 1%. That's because they are well aware of the recent trend and they know the local population is feeling the heat.

I expect more will follow, because their seat is on the line - so few people vote in local elections, that minimal aggravation can quickly escalate into major upturns. They'll just cut more and more until there is nothing left.

> My council (in the North) already announced they will not ask for the full rise, but something like 1%.

That's fascinating - I'm genuinely intrigued where. Are you sure it's 1% total, not 1% of a sub part?

But one council doesn't disprove what I said (it was more of an opinion to be honest though). The first 10 search results I found were all 2-3.99%. I did say the "full amount" though - I'll knock that down to "at least 3%".

The tax burden is high. They could certainly do with reducing it in my personal opinion.

A leaflet comes through the door every year or so telling me how much they spend in the local council. Usually the highest amount is not on schools, not on libraries, not on health, not on sweeping the streets or maintaining parks and playgrounds etc, but on "adult social care" (1) which as far as I know is a euphemism for benefits handouts for the baby-boomer generation.

It feels to me like an unrealistic burden is being placed on the current working generation to gold-plate the retirements of the current pensioners (because they tend to vote a lot), who frankly have got it pretty fucking good (not just free university education, but they got grants (i.e. free money), were able to purchase cheap and decent quality housing at relatively low salary multiples (e.g. detached 4 bed in nice areas for 3x average salary in the 60s & 70s), excellent pensions (often from the public sector), free travel, free tv licenses, jumping to the front of the queue in the NHS, free money for heating their homes etc etc, the pension triple-lock of a guaranteed 2.5% increase at a minimum etc, when working age people are lucky to get anything in their gig/zero-hours contract etc).

There has been talk of inter-generational fairness a bit (at least before brexit took over). I hope something is done. </bitter>

1 - https://engage.barnet.gov.uk/1730/documents/1919

Adult social care covers a few things, but most of it is literally paying care workers to look after old and vulnerable people.

This isn’t what most people would consider a benefit, but a basic dignity.

My father's cousin has been living in social care for the last few years. He was put into a home associated with the council, but as he owned a home (that he'd lived in his whole life) he was forced to sell it to pay for his care. He is able to do most things by himself, but just needs someone to provide a bit of mental support - basically a friend. My father is his closest relative, but lives on the other side of the country.

Currently he pays ~£800 per week, which when the house was sold was backdated to pay for all the care he received. The thing is though that is just the care, the private landlord of the home has now decided he needs to pay another £700 per week for rent. The home is rather run down and he only has a tiny bedroom for himself (the bathroom is shared). As I understand the company providing the care is a private for-profit company too.

I'm not really surprised most council tax is spent on social care if this is how much private companies are charging them.

£700 per week for rent? that is a luxurious apartment in london. why doesn't he move from that place?

This will be an "assisted living" home, not a regular apartment.

Was he forced into the home?

The entire article and "report" are so aggressive that it makes it difficult to extract any nuance out of it other than that I should use Brave.

Is the core issue that council websites are using real-time bidding for their ads? Is this specific to the UK?

> Is the core issue that council websites are using real-time bidding for their ads?

Yes. These websites are used to support a variety of public services, e.g. disability, poverty, drugs, or alcoholism services.

Brave believes that sending tracking information about people accessing this information is a breach of privacy.

And is "real-time bidding" an otherwise uncommon ad strategy that is relatively specific to these websites? If it is, then I can understand the alarmism, but otherwise this news can be compressed to "UK council websites use targeted ads," right?

> is "real-time bidding" an otherwise uncommon ad strategy that is relatively specific to these websites?

The alarm does not come from the technology being uncommon, it comes from these sites being uncommon. In particular, there aren't many sites which millions of people may rely-on/be-directed-to in order to exercise their rights (e.g. to healthcare and social services), or even for their life or their friend's/family's.

The argument of "if you don't like it, don't use it" doesn't apply here. It's especially egregious that these sites are built and operated using public money, so we're paying for it regardless.

No. The issue is the means used to target ads on this site are transmitted back to ad servers and used outside this context which is a nightmare scenario.

Is this not how targeted ads are expected to work?

Why are there ads on a website funded by taxes?

extra income?

In order to easily cross-promote other services with suppression and retargeting. Someone able to edit some content can do it rather than requiring the CMS to support this and training the council staff on this.

This is one of the downsides of using an ad-blocker

It's literally never occurred to me, as a user of these websites, that local government websites would even have adverts on them -- let alone Google AdSense / junk from Google's Display Network.

Most extensions show a badge with how many ads have been blocked. From there, some of them also include loggers or similar tools to see exactly which scripts, assets, etc. are being blocked (personally, uBlock's "overview panel" is fantastic for this). All without having to disable your adblocker to check.

So no downside, other than being even more frustrated with the current ad-hellhole.

> Most extensions ...

This is fine for client based blocking, but it not possible for network level blocking, such as using a pi-hole instance as your main local resolver.

How is this a downside to using an ad-blocker? I think it's quite the opposite. An ad-blocker would prevent most of this external JS from being loaded.

I've so successfully created a personal technology environment that hides ads, that I have no situational awareness about what these companies are up to.

If someone out there is selling my healthcare data and running ads around it directed towards just me, I'd never know, but I'd want to.

So block tracking, not ads.

Unfortunately the two are often intimately linked, so that is not really practical.

I'm not sure what you mean. You're right that the two are usually intimately linked. What I've found by blocking tracking is that as a result of this intertwining, blocking tracking usually also blocks the advertising engaging in the spying.

I don't use an adblocker. I block tracking. It's pretty nearly as effective as an adblocker, so that seems practical to me.

"block tracking, not ads" - given the strong links between tracking and ads, saying which one you intend to block is nothing more than wordplay. Practically speaking if you block tracking you likely also block more ads than you don't, whether that is your intent or not.

It sounded like not blocking ads was a goal.

A key concern I have (though it doesn't stop me blocking ads) is that I won't know if a site is normally full of the worst sort of ads (malware install attempts, auto-playing video & audio, tracking up the wazoo & back, ...) and I could send a link to people who are going to be affected because they are not protected by similar blocking.

So not a downside directly, but a risk of lacking awareness.

Can't wait for the bite if you don't hear the bark.

How is that a downside?

I thought that was self explanatory.

But lozaning has done a perfectly eloquent job of explaining above.

Here's the service promoting advertising on Government web sites in the UK.[1]

From their FAQ:

Q: "Could the data collected be used to exploit individual circumstances?"

A: "There is no intention to do this. In all forms of advertising, companies want to appear in front of the people most likely to buy their products or services."

"Just as an advertiser will choose an ad space in a publication because of its readership and relevant editorial content, so an advertiser online will use data from cookies to target their ads to people who would be most interested."

"So, a user browsing for information on a benefits webpage might be shown ads relevant for people on a budget, like for reduced price travel or supermarket price cuts on everyday items or a comparison website to find the best tariff on gas and electricity."

The Enfield council's cookie disclosure page includes cookies from most known trackers.[2] This is an amusing read.

[1] https://can-digital.net/generating-income-from-council-websi...

[2] https://new.enfield.gov.uk/privacy-notice/#6

Four of those marketing cookies listed on the Enfield privacy notice page have a pretty wild description:

> Collects unidentifiable data that is sent to an unidentifiable source. The source's identity is kept secret by the company...

Seems like they aren’t aware of the law or explicitly violating it and hoping to get away with it (which unfortunately isn’t a bad strategy considering Google and Facebook are still around).

The thing with the law (the GDPR in this case) is that it applies to everyone equally. It doesn’t matter whether your intentions are good, if the law says you can’t collect certain data without explicit user consent then you shouldn’t be doing it regardless of how good your intentions are.

What good intentions? That quoted FAQ walked around the core point: advertising is, for the most part, exploiting.

> So, a user browsing for information on a benefits webpage might be shown ads relevant for people on a budget, like for reduced price travel or supermarket price cuts on everyday items or a comparison website to find the best tariff on gas and electricity.

Or payday loans, or get-rich-quick schemes, or gambling, or news articles about how the elite is oppressing them, or "save your money on power bill by bundling it with your mobile service" borderline scams.

It's not like the government, or the company that wrote that FAQ, will be actively filtering the ads to ensure that only the honest win-win deals are shown.

What is interesting is the fact that none of the revenue / income from advertising, if any, is showing in the accounts of the council. Checked a few at random and none of the account statements mention income from ads. Begs the question then not just of moral bankruptcy but of accounting this. If it's not implemented for income to the council then why?

They would be unlikely to report an income stream separately unless it was material. Materiality is a matter of judgement but most auditors would use about 1% of revenue.

Maybe there is a document somewhere that enforces certain practices when making websites for public institutions?

Unfortunately not, otherwise it would be easier to enforce consistency. The simple truth is that councils like many companies are not specialist developers but are expected to run high-quality web applications. Add in some Consultants who may have conflicting interests or lack of knowledge, semi-skilled staff, a friend-of-a-friend who told you to use X on your site, third-party web developers and a marketing team who need the "analytics" and you end up with this mess.

Like many companies, GDPR seems right down the list. The most troubling part of all for me was that the ICO acknowledged the illegality but didn't follow up. Sums up Britain to a tee!

(I'm a Brit)

> If it's not implemented for income to the council then why

analytics? To better serve you? to think-of-the-children?

Careful, some people may not pick up on that sarcasm.

Did you cross-reference to the councils whose websites are serving ads?

Perhaps the ads are run by 3rd party web hosting providers. Just a guess.

It's hardly news that most of the UK government websites, either at the local or national level, report all your activity to foreign corporations, particularly google analytics.

I've raised this with the website creators through their helpdesk system, and on here when they've posted, but been either told that it's fine (they anonymise the data! We trust them!) or just ignored. It doesn't seem to sink in that giving such a company complete and unfettered access to details on how the UK public interacts with its own government might be a problem.

It may be hardly news to you; but it is to me.


I've just taken a look around my local councils site. I've gone onto the benefits pages, the disability pages, and a few random pages.

There are literally zero trackers here. I have a first party cookie set to the value "1". All images and JS are served first party, with the exception of typekit (adobe) fonts. All images and JS are, without a deep dive, benign.


Pretty hard core to invent a whole local government for test purposes..

Ha, this came up the other day. Non technical guy suggests we just insert 'Test' into the distinguished name of certificates we want to mark as 'not for production'.

We pointed out that one of the many reasons that's a terrible idea is that the Test Valley exists.

Humorous solution: Add test_not_the_valley to all non-prod certificates.

I'll see myself out.

On a more serious note:

Add "testing", "dev", "qa", "internal", or "non-prod" instead. At least those are my goto's for establishing multi-environment separation of configuration data through namespace separation.

It isn't an inherently bad way of going about things as long as you keep it consistent and do your best to automate it.

Get in the sea!

I prefer to make sure we use a different signing authority, just to be sure. But I didn't give enough context to clue in the reader that that was an option :)

Perhaps my turn of phrase was less than ideal there.... but yeah, I've been pissed off about this for a while but got nowhere.

Some of the stuff in this report is worse, of course, than just including GA.

(edit - Just looked at test valley site there, it brings in google analytics, though seems clean otherwise. Also Hey neighbour! I'm based in Southampton at the moment)

Ahh, the part after the hyphens is something I wrote after the initial comment I didn't mean it to sound so abrupt.

Notably my test method was completely and utterly flawed - I used a Firefox Private Browsing window forgetting it blocks content-trackers (like GA). Still, having now visited it properly it is as you say.

And Hey! I'm down in soton every week :D

It's quite likely a contracted web developer is using a "free" library that had these trackers built into it.

It's also possible this is corruption, as it's a question of where the revenue from that data was going. If it's going to some web developer's account that's a problem.

The RTB aspect of this story makes it clearly disingenuous, but getting interaction data to improve services is something you would expect a progressive public service to do. Crying wolf on this could do a lot more harm than good to the risk averse cultures of public services. I hope they've got the story right.

Invisible trackers aside, it's simply gross that local government sites have banner ads on them. Have some pride and/or taste!

When you actually look at the sites, it's clear Brave hasn't done their homework or don't really understand the online ad ecosystem.

For example, Enfield council ( enfield.gov.uk ) is using Google's ad server (DFP) set to show only internal ads. All their advertising is for cross-promoting projects and sites that Enfield council is involved with, including pest control, social lettings, a publicly-funded golf course, school meals...

It's not showing ads from GDN (Google Display Network) or elsewhere, it seems to only show these internal promotions.

You are missing the fact that Enfield council has RTB House, Criteo retargeting, Tru Optik demand side platform, OpenX, Districtm, msecnd, doubleclick, omnitag integrated as 3rd party. This doesn't make sense if the intent was purely to show internal ads. The implementation here seems to be no different to any other news site. As a visitor to the council website, I would expect the same privacy levels and UX as that of gov.uk sites.

GDS are bringing them together, slowly... I recently applied for Personal Independence Payments (PIP). And despite being a new 'system' plus the assessments are carried out by two large IT outsourcing companies (Capita & Atos). It is entirely paper-based (drive.google is blocked, they don't take emails...). If you request a copy of the report they photocopy the physical file and post it. They are so backwards it is unreal.

Plus there's no provisions for an alternative format to the 30 page paper form. Not very independent if handwriting is an issue (the target demographic is people with disabilities).

Don't get me started on the actual assessment/ assessor. (it's been a long day going through this stuff).

I think they understand it fine. As you say, the website is using Google's ad server. So it is sending detailed identifying info about each user to Google.

Just because that has become normal for "the online ad ecosystem" over the past few years doesn't mean that it should be acceptable or that we cannot try to stop it.

What is the alternative here? Should Enfield spend tax payer money creating an alternative tool to show banner ad cross-promotions and re-training their teams?

Where do you stop? Is Google Analytics evil too? What about Twitter feeds?

> Where do you stop? Is Google Analytics evil too?


> What about Twitter feeds?

In what context? Including/embedding Twitter cookies and/or Javascript in pages paid-for by citizens, which citizens are required to use to exercise their rights? Absolutely.

As a non-exclusive outlet to disseminate information via an independent site (twitter.com), which anyone is free to avoid and ignore? That's fine.

In reality, what happens is lots of council services (including police) use twitter as the main real-time source of information for citizens.

Should they use an alternative platform? probably not, because twitter is the biggest and best known, so you could argue you can reach the most people with it.

> use twitter as the main real-time source of information for citizens.

So they're excluding people who don't use twitter? Why can't their web pages be the main source of real-time information?

The alternative is to not show ads.

Yes, Google Analytics has many of the same problems. The alternative to that is to analyze the server logs or to simply not track your users' behaviour in detail.

> to simply not track your users' behaviour in detail

that's unpossible

> Is Google Analytics evil too? What about Twitter feeds?

Yes. Both bad.

Sounds like a great business opportunity especially if we can lobby politicians to require "surveillance-free" services be used.

Right, but are you suggesting that the Google ad servers are not going to use that information to sell to these visitors on other websites that are showing ads from the GDN?

I'm not a Google fan by any means, but DFP is the #1 ad server in the world and an industry standard, and I definitely don't think they would use DFP data to populate GDN segments because it would be a privacy nightmare.

You have to consider DFP is a software tool, it would be like Slack selling your data so other SaaS can target you when you are talking about buying a new CMS.

"it would be a privacy nightmare."

Right, but being a privacy nightmare is their business plan



Why does Enfield council need to use adtech tracking to optimise their ads for other services? It's not like they are competing with anyone to deliver the most efficient services by fractions of a percent. Surely basic keyword targeted or completely untargeted ads are all they need.

In the PDF, this is the example of the banner ad they show:


So the banner ads being strictly council related is certainly not universal.

Brave's business model is fear mongering.

What's the difference between fear mongering and educating about risks?

educating is "this works like this and that, mind yourself"

fear mongering is "you're in danger, buy this for us to save yourself"

not exactly a thin line

The difference is the beholder. If the beholder's income is threatened when people are educated about risks, they'll invariably declare it fear mongering.

My prior comment was so well received that I'd like to add that another motivator for claims of "fear monger!" is when people delight in their lack of concern, such that the concern of anyone else feels threatening to them.

I worked a summer shift at a heavy machinery factory just after high school before college. I was the single and only person, to my knowledge, that made use of the provided ear and air protection (a face mask and ear plugs, given that we worked with fiberglass with incredibly loud machines).

I was told multiple times that I was "paranoid" and faced a negative reaction because someone protecting themselves pierced a hole in the delusion that everything was fine.


Extortion would be threatening to reveal bad acts, in order to gain something from those threatened. If they always reveal bad acts, and don't even try to gain anything from the bad actors -- well, that's just plainly not extortion, nor even criminal in any way.

That would be blackmail. Extortion is "the practice of obtaining something, especially money, through force or threats." Brave extorts websites by threatening to block the site's chosen revenue stream and to instead earn revenues from visitors to the site unless the site uses Brave to funnel their revenues.

I don't have an issue with ad blockers or alternative payment methods but the way Brave combines the two in my opinion amounts to extortion.

Sure, I was focusing on the blackmail subset of extortion, because (a) this posting was discussing their releasing of information and (b) they can't actually use any force or threats of force. Helping their users decline to provide tracking information unless they and their users get a cut is also not extortion, because the website owners don't have a right to that information.

You seem to believe that owners of websites have a natural right to their chosen business model, even if others don't wish to help enable that business model.

Especially since they are publicly funded, so UK citizens are paying to have their data transmitted to unknown parties and advertised at. Oh, and if you don't pay it? Fuck you. The government will send bailiffs to seize your property to pay the bill, or imprison you for up to 3 months.

Probably something to do with the fact that central government has cut budgets for the last 10 years and if putting some banner ads on their website contributes to keeping a library open, it’s hard to say no.

I've been on government sites (ny.gov, IIRC) that use google-provided captchas for form submissions

sucks but not sure it's immoral -- submission fraud is a hard problem to deal with and if captchas help, .gov should use them

I guess the irony of a 'tweet this' href after every single bullet point was lost on the author.

In the appendix table, South Oxfordshire is listed as South Oxfordshite.

I suspect the root cause of this issue is the average web developer not realising that including any third party javascript gives total control of the page to whoever controls the included URL
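As an added illustration of the comment above (not part of the thread, and not code from the report), this sketch lists the external scripts a page includes and flags third-party ones that are not pinned with a Subresource Integrity hash. The hosts and HTML are constructed, and "third party" is assumed to mean any hostname other than the page's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script src=...> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append(attr)

def audit_scripts(html, page_url):
    """One finding per external script: host, third party?, SRI-pinned?"""
    page_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attr in collector.scripts:
        src = urljoin(page_url, attr["src"])  # resolves relative and //host URLs
        host = urlsplit(src).hostname
        findings.append({
            "src": src,
            "host": host,
            # Assumption: a different hostname than the page means third party.
            "third_party": host != page_host,
            # An integrity attribute pins the file's hash; without it the
            # remote host decides what code runs in the page on every load.
            "sri": bool(attr.get("integrity")),
        })
    return findings

def unpinned_third_party(findings):
    """Hosts that can change the code running in the page without notice."""
    return [f["host"] for f in findings if f["third_party"] and not f["sri"]]

# Constructed sample page with hypothetical hosts, not taken from any real site.
SAMPLE_URL = "https://council.example/pay-council-tax"
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example/jquery.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script async src="//tags.example/loader.js"></script>
<script>var inline = 1;</script>
</head></html>
"""
```

Loaders whose content changes between requests cannot be pinned this way, so for those the remaining options are removing them, self-hosting a fixed copy, or restricting them with a Content-Security-Policy.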

The average developer knows this even if you're an absolute lover of all things JS.

Whether or not the developers were forced to include them due to certain constraints is another issue.

I am kind of sick of this excuse.

While I suppose every developer here was in a situation where they had to include something they did not want, I also know that none of my colleagues would care or even think about including external scripts, trackers or other crap. Possibility would be high they would be the ones suggesting it. And I have met many developers who think that way. And looking at a plethora of open source projects, which many would assume should have many developers more conscious of these kinds of issues, suggests this is more than anecdotal evidence.

Most people, developers included, probably even most developers on hacker news, don't care at all. We should not always try to push responsibility on someone else when it is us who builds this kind of crap often without even protesting.

The UK has the biggest number of cameras per m^2 in the world. Sadly, it's a common pattern.

Cool business idea: Mr Robot style hoodie with tracking protection.

And only by then you'll realize how many people don't really care and the ones wearing the hoodie will be singled out with special attention from the state.

Well someone has been fined for disorderly behaviour for covering their face.


Interested in some of these comments, no doubt places like these are getting astroturfed more and more.

Well that's just depressing. Having the fact that you accessed a government addiction help website packaged and commoditized then sold to the highest bidder just screams moral bankruptcy.

"This report should spur Elizabeth Denham, the UK Information Commissioner, to finally enforce the GDPR."

What is the status of GDPR in the UK now that Brexit has occurred? Is the UK still beholden to the terms of the law, or does the UK have a parallel law that applies now that they're no longer part of the EU?

GDPR is currently entirely valid and enforced until December 2020. After that point it is believed that an entirely compatible law will continue to exist - currently the understanding is that the UK will be considered to have adequate equivalency therefore making it a safe third party country to transmit data for processing. No hard guarantees until the end of the year though.

The title of the submission seems very much like a clickbait: the context makes it sound like it refers to government surveillance, not sending data to private American companies to serve ads.

A better link would probably be the actual report, “Surveillance on UK council websites” https://brave.com/wp-content/uploads/2020/02/Surveillance-on...

At least that report doesn’t start every sentence with “Brave”.

Ok, we've changed the URL to that from https://brave.com/ukcouncilsreport/. Thanks!

Sorry for the editorialized title but it was too long...

That wasn't editorialized, that was a gallant attempt to fit both the site guidelines and the 80 char limit. The only thing I'd have done differently was take out "Brave" from the title, since it's in the domain next to the title, and since they provide enough mentions of "Brave" themselves. (Submitted title was "Brave uncovers widespread surveillance of UK citizens on UK council websites".)

It's moot now because we switched to the pdf and took its shorter title.

> that was a gallant attempt to fit both the site guidelines and the 80 char limit

Well thank you kind sir

I don't want to be overly critical here but if we rush to call this 'widespread surveillance' (intended or not) I worry that we'll quickly start losing words/expressions to describe the stuff that Snowden unveiled or whatever the government does in China...

How ya figure? It's same in type. Pervasive monitoring/metadata collection is an attack.

PRISM/CALEA/ubiquitous surveillance via facial recognition, social credit scoring don't just magically stop being linguistically addressable because we've tossed another specific example into the generic bucket. It just means that we're getting better at identifying exploitative forms of unnecessary data collection.

Unless I'm reading your statement wrong, I'm just not seeing where your worry comes into play. There's no Orwellian language leak there, and I'm usually pretty sensitive to that just because it does drive me nuts when people try to do that intentionally.

The source for the story clearly has a specific political bias regarding its interpretation of privacy.

That political bias doesn't impinge on the facts of the report though (merely that Brave believes it's worth surfacing loudly).

So the right to privacy is a political agenda item now? I don't get what you are saying, can you please clarify?

Yes, anything related to life in society and how we regulate it or not is "politics", and a particular political subject that is pushed by any individual or group is a "political agenda item". If we act like politics is a dirty word, only the worst of us will get involved in politics.

Whether pseudonymized background data collection constitutes a violation of right to privacy is a hot-button political topic. The GDPR has put a stake in the ground on this but is not the final say on the matter.

[quote] This report should spur Elizabeth Denham, the UK Information Commissioner, to finally enforce the GDPR. It is 17 months since formal evidence from Brave and complaints about breaches of data protection laws were filed before the ICO. [/quote]

Oh really? Hello BRexit?

> Hello BRexit?

I was curious about this and searched a bit. According to this website [1] the GDPR is still in force until the end of the year, and in addition there is a UK-GDPR law, very similar to the EU GDPR, which took effect on Feb 1st. So there are two regulations now, not zero.

[1] https://www.cookiebot.com/en/uk-gdpr/

Advertising is starting to edge towards the side of "Universal Evil." We need some serious regulatory controls on this stuff because it is getting out of control. GDPR is a step in the right direction, but sites and advertisers are pretty much flouting it at this point.

Why is it starting to edge towards "Universal Evil"?

Probably 2 things:

1. Bulk collection of millions of people's habits and data.

2. Misleading "click bait" style ads.

Because its spying tentacles keep expanding to more and more places.
