The report says Lambeth shows 1 real time bidding, 1 social and 5 Google "trackers".
From my network requests I see:
-> Google Translate and its resources (CSS etc.)
-> Google Font
-> jQuery and a bunch of various modules
-> leafletjs (OSS Map library)
-> Google tag manager
-> The social links at the bottom are just links, no requests or trackers.
(Note: None are blocked by PB, only cookies are denied)
Nothing out of the ordinary here (although you could argue against GTM on a council website). I'm not seeing what's at risk here? And according to the report, the above requests should be ignored in the results?
> This is not a complete study. Third party tools commonly used by websites for chat bots, designing the page, soliciting email subscription, profiling visitors for the Council’s own user data base, text to speech, CDN, fonts, non-Google analytics, etc. are not counted in this study. (See “table notes” on page 20 for a list of what is counted).
> While these do expose a user’s behaviour to the companies concerned, we exclude them here in order for simplicity. This study highlights what we view as the most dangerous third party data collection and profiling.
To compare, the landing page that this report is hosted on has the following "trackers"/requests:
-> Brave.com Analytics request that is blocked
-> Google Fonts
-> Google Tag Manager
-> Google Analytics (blocked by PB)
-> Scorecard research (blocked by PB)
-> Slideshare (blocked by PB)
-> Vimeo (cookies blocked by PB)
Edit: Sorry - PB is Privacy Badger.
As for my personal feelings, "widespread surveillance" makes it appear as though there is some sort of malicious intent here. I have a few friends (and mother) who have previously worked or currently work for local councils; there is no money for this sort of thing. At worst I believe any actual issues are due to ignorance (which isn't an excuse) but could be easily remedied. This is way too dramatic for what should be a "Hey ICO, these councils are potentially not doing things properly, could you have a look?". Instead you'd think Brave have uncovered a PRISM level conspiracy on the local government level.
Poor taste IMO.
> Nothing out of the ordinary here
looks like you're not picking up a bunch of requests. maybe you have ublock? Here are some domains that aren't on your list:
Google Analytics, Hotjar are measurement tools. CSE is google's custom search endpoint, stats.*.doubleclick.net is a doubleclick for publishers endpoint (Google's ad server) and doesn't mean much by itself, it doesn't automatically show ads from third parties or send your data to anyone.
The Facebook tags are sadly quite popular these days, I do agree those are not ideal but they are literally all over the net with like buttons, share buttons and "sign in with facebook"
Both Facebook and Google are advertising companies. Both of them have littered the web with their scripts and GIFs making it possible for them to track everything we do. The only difference is how we trust them with our data, and honestly I think they are very equal in this regard. Both of them will track us as much as possible within applicable legislation and their own terms.
Also, the site is setting a cookie even though I've not consented.
EDIT: Also, one of the lambeth.gov js scripts was written by "rob" in 2015. Hi Rob!
However that's how the vast majority of sites implement the cookie consent regulation, and authorities (like ICO in UK) have decided to not do anything about it.
not up on cookies and GDPR tbh, I deal with other types of data normally.
Other than that, you are right that it's hard to find what's wrong with that Lambeth website. However the GTM could be a gateway to any kind of data tracking (visited pages, button clicked, etc.) idk if you can actually find out from the console.
Ah I see. Agreed there.
(If council’s primary revenue source is council tax within their own council).
The current cap is 2.99% and the 2020-21 plans are for 3.99%, which is split between the core principle and the adult social care principle. It is unlikely that many councils will increase it by less than the fully-permitted amount.
Also council tax increases in the recent past have capped at 5.99% some years and many actual increases were between 4.5% and 5.5%.
I expect more will follow, because their seat is on the line - so few people vote in local elections, that minimal aggravation can quickly escalate into major upturns. They'll just cut more and more until there is nothing left.
That's fascinating - I'm genuinely intrigued where. Are you sure it's 1% total, not 1% of a sub part?
But one council doesn't disprove what I said (it was more of an opinion to be honest though). The first 10 search results I found were all 2-3.99%. I did say the "full amount" though - I'll knock that down to "at least 3%".
A leaflet comes through the door every year or so telling me how much they spend in the local council. Usually the highest amount is not on schools, not on libraries, not on health, not on sweeping the streets or maintaining parks and playgrounds etc, but on "adult social care" (1) which as far as I know is a euphemism for benefits handouts for the baby-boomer generation.
It feels to me like an unrealistic burden is being placed on the current working generation to gold-plate the retirements of the current pensioners (because they tend to vote a lot), who frankly have got it pretty fucking good (not just free university education, but they got grants (i.e. free money), were able to purchase cheap and decent quality housing at relatively low salary multiples (e.g. detached 4 bed in nice areas for 3x average salary in the 60s & 70s), excellent pensions (often from the public sector), free travel, free tv licenses, jumping to the front of the queue in the NHS, free money for heating their homes etc etc, the pension triple-lock of a guaranteed 2.5% increase at a minimum etc, when working age people are lucky to get anything in their gig/zero-hours contract etc).
There has been talk of inter-generational fairness a bit (at least before brexit took over). I hope something is done. </bitter>
1 - https://engage.barnet.gov.uk/1730/documents/1919
This isn’t what most people would consider a benefit, but a basic dignity.
Currently he pays ~£800 per week, which when the house was sold was backdated to pay for all the care he received. The thing is though that is just the care, the private landlord of the home has now decided he needs to pay another £700 per week for rent. The home is rather run down and he only has a tiny bedroom for himself (the bathroom is shared). As I understand the company providing the care is a private for-profit company too.
I'm not really surprised most council tax is spent on social care if this is how much private companies are charging them.
Is the core issue that council websites are using real-time bidding for their ads? Is this specific to the UK?
Yes. These websites are used to support a variety of public services, e.g. disability, poverty, drugs, or alcoholism services.
Brave believes that sending tracking information about people accessing this information is a breach of privacy.
The alarm does not come from the technology being uncommon, it comes from these sites being uncommon. In particular, there aren't many sites which millions of people may rely-on/be-directed-to in order to exercise their rights (e.g. to healthcare and social services), or even for their life or their friend's/family's.
The argument of "if you don't like it, don't use it" doesn't apply here. It's especially egregious that these sites are built and operated using public money, so we're paying for it regardless.
It's literally never occurred to me, as a user of these websites, that local government websites would even have adverts on them -- let alone Google AdSense / junk from Google's Display Network.
So no downside, other than being even more frustrated with the current ad-hellhole.
This is fine for client based blocking, but it is not possible for network level blocking, such as using a pi-hole instance as your main local resolver.
If someone out there is selling my healthcare data and running ads around it directed towards just me, I'd never know, but I'd want to.
I don't use an adblocker. I block tracking. It's pretty nearly as effective as an adblocker, so that seems practical to me.
It sounded like not blocking ads was a goal.
So not a downside directly, but a risk of lacking awareness.
But lozaning has done a perfectly eloquent job of explaining above.
From their FAQ:
Q: "Could the data collected be used to exploit individual circumstances?"
A: "There is no intention to do this. In all forms of advertising, companies want to appear in front of the people most likely to buy their products or services."
"Just as an advertiser will choose an ad space in a publication because of its readership and relevant editorial content, so an advertiser online will use data from cookies to target their ads to people who would be most interested."
"So, a user browsing for information on a benefits webpage might be shown ads relevant for people on a budget, like for reduced price travel or supermarket price cuts on everyday items or a comparison website to find the best tariff on gas and electricity."
The Enfield council's cookie disclosure page includes cookies from most known trackers. This is an amusing read.
> Collects unidentifiable data that is sent to an unidentifiable source. The source's identity is kept secret by the company...
The thing with the law (the GDPR in this case) is that it applies to everyone equally. It doesn’t matter whether your intentions are good, if the law says you can’t collect certain data without explicit user consent then you shouldn’t be doing it regardless of how good your intentions are.
> So, a user browsing for information on a benefits webpage might be shown ads relevant for people on a budget, like for reduced price travel or supermarket price cuts on everyday items or a comparison website to find the best tariff on gas and electricity.
Or payday loans, or get-rich-quick schemes, or gambling, or news articles about how the elite is oppressing them, or "save your money on power bill by bundling it with your mobile service" borderline scams.
It's not like the government, or the company that wrote that FAQ, will be actively filtering the ads to ensure that only the honest win-win deals are shown.
Like many companies, GDPR seems right down the list. The most troubling part of all for me was that the ICO acknowledged the illegality but didn't follow up. Sums up Britain to a tee!
(I'm a Brit)
analytics? To better serve you? to think-of-the-children?
Perhaps the ads are run by 3rd party web hosting providers. Just a guess.
I've raised this with the website creators through their helpdesk system, and on here when they've posted, but been either told that it's fine (they anonymise the data! We trust them!) or just ignored. It doesn't seem to sink in that giving such a company complete and unfettered access to details on how the UK public interacts with its own government might be a problem.
I've just taken a look around my local councils site. I've gone onto the benefits pages, the disability pages, and a few random pages.
There are literally zero trackers here. I have a first party cookie set to the value "1". All images and JS are served first party, with the exception of typekit (adobe) fonts. All images and JS are, without a deep dive, benign.
We pointed out that one of the many reasons that's a terrible idea is that the Test Valley exists.
I'll see myself out.
On a more serious note:
Add "testing", "dev", "qa", "internal", or "non-prod" instead. At least those are my goto's for establishing multi-environment separation of configuration data through namespace separation.
It isn't an inherently bad way of going about things as long as you keep it consistent and do your best to automate it.
I prefer to make sure we use a different signing authority, just to be sure. But I didn't give enough context to clue in the reader that that was an option :)
Some of the stuff in this report is worse, of course, than just including GA.
(edit - Just looked at test valley site there, it brings in google analytics, though seems clean otherwise. Also Hey neighbour! I'm based in Southampton at the moment)
Notably my test method was completely and utterly flawed - I used a Firefox Private Browsing window forgetting it blocks content-trackers (like GA). Still, having now visited it properly it is as you say.
And Hey! I'm down in soton every week :D
It's also possible this is corruption, as it's a question of where the revenue from that data was going. If it's going to some web developer's account that's a problem.
The RTB aspect of this story makes it clearly disingenuous, but getting interaction data to improve services is something you would expect a progressive public service to do. Crying wolf on this could do a lot more harm than good to the risk averse cultures of public services. I hope they've got the story right.
For example, Enfield council ( enfield.gov.uk ) is using Google's ad server (DFP) set to show only internal ads. All their advertising is for cross-promoting projects and sites that Enfield council is involved with, including pest control, social lettings, a publicly-funded golf course, school meals...
It's not showing ads from GDN (Google Display Network) or elsewhere, it seems to only show these internal promotions.
Plus there's no provisions for an alternative format to the 30 page paper form. Not very independent if handwriting is an issue (the target demographic is people with disabilities).
Don't get me started on the actual assessment/ assessor. (it's been a long day going through this stuff).
Just because that has become normal for "the online ad ecosystem" over the past few years doesn't mean that it should be acceptable or that we cannot try to stop it.
Where do you stop? Is Google Analytics evil too? What about Twitter feeds?
> What about Twitter feeds?
As a non-exclusive outlet to disseminate information via an independent site (twitter.com), which anyone is free to avoid and ignore? That's fine.
Should they use an alternative platform? probably not, because twitter is the biggest and best known, so you could argue you can reach the most people with it.
So they're excluding people who don't use twitter? Why can't their web pages be the main source of real-time information?
Yes, Google Analytics has many of the same problems. The alternative to that is to analyze the server logs or to simply not track your users' behaviour in detail.
Yes. Both bad.
You have to consider DFP is a software tool, it would be like Slack selling your data so other SaaS can target you when you are talking about buying a new CMS.
Right, but being a privacy nightmare is their business plan
So the banner ads being strictly council related is certainly not universal.
fear mongering is "you're in danger, buy this for us to save yourself"
not exactly a thin line
I worked a summer shift at a heavy machinery factory just after high school before college. I was the single and only person, to my knowledge, that made use of the provided ear and air protection (a face mask and ear plugs, given that we worked with fiberglass with incredibly loud machines).
I was told multiple times that I was "paranoid" and faced a negative reaction because someone protecting themselves pierced a hole in the delusion that everything was fine.
I don't have an issue with ad blockers or alternative payment methods but the way Brave combines the two in my opinion amounts to extortion.
You seem to believe that owners of websites have a natural right to their chosen business model, even if others don't wish to help enable that business model.
sucks but not sure it's immoral -- submission fraud is a hard problem to deal with and if captchas help, .gov should use them
Whether or not the developers were forced to include them due to certain constraints is another issue.
While I suppose every developer here was in a situation where they had to include something they did not want, I also know that none of my colleagues would care or even think about including external scripts, trackers or other crap. Possibility would be high they would be the ones suggesting it. And I have met many developers who think that way. And looking at a plethora of open source projects, which many would assume should have many developers more conscious of these kind of issues, suggests this is more than anecdotal evidence.
Most people, developers included, probably even most developers on hacker news, don't care at all. We should not always try to push responsibility on someone else when it is us who builds this kind of crap often without even protesting.
Cool business idea: Mr Robot style hoodie with tracking protection.
What is the status of GDPR in the UK now that Brexit has occurred? Is the UK still beholden to the terms of the law, or does the UK have a parallel law that applies now that they're no longer part of the EU?
At least that report doesn’t start every sentence with “Brave”.
It's moot now because we've switched to the pdf and taken its shorter title.
Well thank you kind sir
PRISM/CALEA/ubiquitous surveillance via facial recognition, social credit scoring don't just magically stop being linguistically addressable because we've tossed another specific example into the generic bucket. It just means that we're getting better at identifying exploitative forms of unnecessary data collection.
Unless I'm reading your statement wrong, I'm just not seeing where your worry comes into play. There's no Orwellian language leak there, and I'm usually pretty sensitive to that just because it does drive me nuts when people try to do that intentionally.
That political bias doesn't impinge on the facts of the report though (merely that Brave believes it's worth surfacing loudly).
Oh really? Hello Brexit?
I was curious about this and searched a bit. According to this website the GDPR is still in force until the end of the year, and in addition there is a UK-GDPR law, very similar to the EU GDPR, which took effect on Feb 1st. So there are two regulations now, not zero.
1. Bulk collection of millions of people's habits and data.
2. Misleading "click bait" style ads.