Unintentional but invasive
The researchers began their analysis by building off a seed list containing tens of thousands of government websites using automated searching and crawling and other methods between July and October 2020. They then performed deep crawls to scrape links in the HTML page source. The team used instrumented tracking metrics from OpenWPM, an automated, open-source software used for web-privacy measurements, to collect information such as scripts and cookies used in the websites’ code as well as device fingerprinting techniques.
They tracked Android apps by looking for Google Play store URLs found in government sites and then examining the developers’ URLs and email addresses. When possible, they downloaded the apps — many were geo-blocked — and analyzed them for embedded tracking software-development kits (SDKs).
The analyses revealed that 30 per cent of government websites had one or more JavaScript trackers on their landing pages. The most known trackers were all owned by Alphabet: YouTube (13 per cent of websites), doubleclick.net (13 per cent) and Google (close to four per cent). They found some 1,647 tracking SDKs in 1,166 government Android apps. More than a third — 37.1 per cent — were from Google, with others from Facebook (6.4 per cent), Microsoft (2.1 per cent) and OneSignal (2.9 per cent).
Mannan notes that the use of trackers may not always be intentional. Government developers are most likely using existing suites of software to build their sites and apps that contain tracking scripts or include links to tracker-infused social media sites like Facebook or Twitter.
No other options
While the use of trackers is widespread, Mannan is particularly critical of jurisdictions like the EU and California that profess to have strong privacy laws but in practice are not always significantly different from others. And since users can use only government portals for important personal obligations such as paying taxes or requesting medical care, they are at added risk.
“Governments are becoming more aware of online threats to privacy, but at the same time, they are enabling these potential violations through their own services,” he says.
Mannan urges governments to frequently and thoroughly analyze their own sites and apps to guarantee privacy safety and to ensure that they are complying with their own laws.
Read the cited paper: “Et tu Brute? Privacy Analysis of Government Websites and Mobile Apps.”