In yet another sign of how broken the barely-regulated ad-based business model of the web is, a disturbing report this week shows that EU government and health service websites are full of third-party ad company trackers that surreptitiously surveil visitors.

The report from Cookiebot on this disgraceful aspect of the secretive adtech industry – which tracks and monitors individuals, aggregating data to build precise data profiles – indicates just how pervasive such silent surveillance is on the public sector web.

This mostly occurs without the public organisations or website managers being aware of the multitude of hidden trackers, some of which seem in violation of EU data privacy protections.

“The extent of tracking on public sector websites is especially alarming,” Cookiebot founder Daniel Johannsen writes in the report.

“Trackers use inventive techniques to gain access to non-commercial websites by working through free third-party services, such as video plugins and social sharing buttons.”

Google had installed a tracker for giant Google-owned adtech company DoubleClick on all 22 EU government sites that feature YouTube videos

These hidden adtech trackers plant a string of code into a visitor’s browser which acts as a unique identifier for everything they then do on that site and even when they move off to other web locations.

The report notes that trackers will typically record what sites a user visits and for how long, the speed and pattern of a visitor’s scrolling behaviour, and which links the user clicks on, or even hovers over.

Harvested data is combined with other information to build detailed individual profiles.

Tracking companies “also perform ‘cookie syncing”, which allows them to swap their unique identifier with other adtech actors, so that the data they hold on users can be cross-referenced and combined, potentially with valuable identifiers like email addresses, social media logins or real names”, the report notes.

EU public sector sites are thus unintentionally serving as platforms for online commercial surveillance, the report states.

State websites

Such tracking occurs even on the websites of national health services, with 52 per cent containing trackers. The State’s HSE had the highest number of all, with 73 per cent of HSE pages that were examined containing up to 23 trackers.

The free, popular ShareThis social sharing tool is actually a Trojan horse that releases a multitude of trackers, according to the report. The HSE used the tool, which on average sent a visitor’s data to 25 different adtech companies. Surprise: free has a hidden cost.

In fairness to the HSE, it has removed the ShareThis tool from its pages since the Cookiebot report was published on Monday.

The report found that 89 per cent of EU member state official government websites contain third-party ad tracking, with 112 companies monitoring EU citizens on these public sector sites. Alarmingly, 10 of these companies actively mask their identities and cannot be associated with any known adtech company.

The main Irish Government site fared well in the study, with just one tracker, compared with 52 on the French government site.

Individual web users should not bear the burden of endlessly tweaking browser settings and installing privacy tools

Some 82 per cent of the government websites contain Google marketing trackers. Some of these are obscured, operating inside YouTube videos on the sites, for example, even when a web user has turned on a “do not track” browser preference.

A hidden bit of code inside the videos “allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims” that they limit tracking.

Google is the “kingpin of tracking”, the report states, noting that the company accounts for “several of the most dominant tracking domains” and three out of five trackers on government sites.

Google had installed a tracker for giant Google-owned adtech company DoubleClick on all 22 EU government sites that feature YouTube videos, and tracked visits to 43 per cent of the national health sites surveyed.

Of “special concern” is that, by cross-referencing such data to the vast trove of personally-identifying information Google also holds from services like Gmail, Android apps, and Search, Google can “easily associate web activity with the identities of real people”, the report warns.

Circumventing barriers

The report also reveals how Facebook has repeatedly circumvented a series of privacy-protecting barriers erected by Apple in its Safari browser.

The study shows that Facebook’s new, duplicitous combined tracking approach enables the social media giant to track visitors on two Irish and two UK landing pages featuring information about HIV and mental illness, which the company could then associate with individuals on Facebook.

Such technical workarounds “are highly intrusive as they undermine users’ attempts to protect their personal data – even when using browsers and extensions with the most advanced protection settings”, says the report. And while some such workarounds are known, many others “can be assumed to exist in the shadows”.

If ad-free state sites are plagued with this volume of hidden adtech surveillance, imagine what is going on with commercial, ad-driven sites.

Johannsen clearly states the question governments and regulators must now consider: “How can any organisation live up to its GDPR and ePrivacy obligations if it does not control unauthorised tracking actors accessing their website?”

In addition, individual web users should not bear the hopeless burden of endlessly tweaking browser settings and installing privacy tools to try to evade such relentless surveillance. Especially on EU state-run information websites for EU citizens, which must prioritise trust.