Banner Banner

Web Trackers are widely present in Governmental Websites

BIFOLD Researcher Prof. Dr. Georgios Smaragdakis with TU Berlin recent bachelor graduate Matthias Götze, and collaborators from IMDEA Software and Networks Institutes, and the Cyprus University of Technology performed a large-scale measurement study of more than 5,500 official government websites. The study shows that up to 90% of these official websites in some countries add third-party tracker cookies without user consent.
One of the biggest challenges of our times is digital transformation, i.e., the adoption of digital technologies by an organization.

Electronic governance (e-governance) refers to the ongoing digital transformation efforts by governments around the globe to deliver government services, such as announcements, communication, exchange of information, and point of service to their citizens. Studies have shown that e-governance reduces the cost of a government, minimizes corruption, and drastically reduces the service time for citizens. The investment in e-governance has proved extremely valuable during the COVID-19 pandemic, allowing a significant fraction of the interactions between citizens and the authorities to remain uninterrupted during these difficult times. But how secure is the design and operation of such websites, and are citizens’ visits to these websites tracked?
Since 2018, the European Union General Data Protection Regulation (GDPR) has been in force. GDPR, among other provisions, protects Web European users from tracking when they visit a webpage anywhere in the world.

“We would have expected that governmental websites visited by millions of citizens every day comply with GDPR law and be held to the highest standards regarding respecting user privacy. Unfortunately, our study shows that this is not the case”, says BIFOLD Fellow Georgios Smaragdakis, Professor of Cybersecurity at TU Delft. Researchers evaluated more than 5,500 governmental websites and 120k URLs from G20 countries and hundreds of websites of International organizations and official COVID-19 websites. They found that more than 90% of websites typically add cookies without user explicit consent. The analysis also shows that the presence of third-party trackers is quite common and highly varies across countries. The Figure illustrates that countries like Russia, Mexico, China, and USA are at the top of the list. Nearly 90% of the Russian government websites host known third-party trackers that set cookies to Web user visitors without their consent. It is also alarming that the Web Cookies set by third-party trackers can last for months or years, thus, allowing for long-time tracking.


German governmental websites are less affected by tracking. The study finds that less than 5% of governmental websites add third-party tracker cookies. Nevertheless, there is space for improvement to eliminate tracking. The analysis also shows more than half of International organization websites and COVID-19 websites that were very popular during the pandemic add third-party tracker cookies.

“Our work demonstrates how difficult it is to engineer data protection in practice. Closer investigation shows that third-party trackers are present in governmental websites probably unintentionally by including external content from social media, video portals, and third-party libraries and services. This is a call for better design and operation of official websites”, explains BIFOLD Fellow Prof. Georgios Smaragdakis. “With our study, we also aim to increase public awareness about potential tracking when visiting websites, and we argue for the need for large-scale tools and systems to enable continuous measurement and transparent reporting towards improving the privacy of public online services.”


Web tracking typically takes place by adding a small block of data called “Web Cookie” (or simply cookie) to the user browser. This data can be generated by the server that a user is visiting. In this case, the cookie is set by the first-party, i.e., the original server the user visited. However, there may be links to other objects on the webpage, e.g., advertisements and media from external servers. In this case, cookies can be added by other servers. In this case, these are third-party cookies. Web trackers also use cookies to get information about a user’s profile, preferences, and web visits e.g., to recommend advertisements. In this case, cookies are set by third-party cookies. Under GDPR law, cookies must only be activated only after users have given explicit consent to the specific purpose of their operation and collection of personal data. Thus, no cookie must be installed, especially from trackers, unless a user gives explicit consent.

Publication

Measuring Web Cookies in Governmental Websites“, by Matthias Götze, Srdjan Matic, Costas Iordanou, Georgios Smaragdakis, and Nikolaos Laoutaris. ACM Web Science Conference (WebSci) 2022.