Government leaking private information? Study finds official websites track data for third parties

MONTREAL, Quebec — George Orwell’s book “1984” warned people of the dangers of a government that is always watching its citizens. While the story is fictional, a recent study warns that it’s starting to become reality. Researchers from Concordia University have discovered that government websites use tracking software from Google to gather sensitive information on their users. The findings call into question the effectiveness of privacy laws, especially when our own government may be sending information to private third parties.

“The findings were surprising,” says Mohammad Mannan, associate professor at the Concordia Institute for Information Systems Engineering, in a university release. “Government sites are supported by public money, so they do not need to sell information to third parties. And some countries, especially in the European Union, are trying to limit commercial tracking. So why are they allowing it on their own sites?”

1 in 3 government sites using tracking software

The research team analyzed the security networks of over 150,000 government websites belonging to 206 countries from July to October 2020. Their analysis started with a seed list of thousands of government websites, gathered through automated searching, crawling, and other methods.

Later, they moved on to deep crawls that scraped links in the HTML page source. Using OpenWPM, an open-source framework for web privacy measurement, they collected the scripts and cookies served by government sites. They also captured the device fingerprinting techniques in use.

Researchers wanted to compare the privacy settings from government sites with the ones on apps. They tracked over 1,150 government Android apps from 71 different countries using Google Play store URLs in government sites. They studied the developers’ URLs and email addresses. If possible, the apps were downloaded and data extracted using tracking software-development kits.

The study finds 30 percent of government websites have JavaScript trackers on their contact information pages. Most trackers were owned by Alphabet, Google's parent company. They also found 1,647 software development kits in 1,166 Android apps, with over a third belonging to Google (37.1%). The rest of the software development kits came from Facebook (6.4%), Microsoft (2.1%), and OneSignal (2.9%).
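
For site owners who want to run the same kind of check on their own pages, the sketch below lists the third-party script hosts in a page's HTML and groups them by owner. It is an added example, not code from the study or from OpenWPM; the owner map, the `agency.example` domain, and the sample page are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed, deliberately short owner map (an assumption, not the study's list).
TRACKER_OWNERS = {
    "google-analytics.com": "Alphabet", "googletagmanager.com": "Alphabet",
    "doubleclick.net": "Alphabet", "facebook.net": "Facebook",
    "clarity.ms": "Microsoft", "onesignal.com": "OneSignal",
}
# Constructed sample page; agency.example stands in for a government site.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn.onesignal.com/sdks/OneSignalSDK.js"></script>
<script src="https://cdn.agency.example/forms.js"></script>
<script src="https://widgets.example.net/chat.js"></script>
<script>var inline = 1;</script>
</head><body>Contact us</body></html>"""

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def host_matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit_page(page_url, html, first_party):
    """Return (third-party script hosts, script count per owner) for one page."""
    collector = ScriptCollector()
    collector.feed(html)
    hosts, owners = [], Counter()
    for src in collector.sources:
        # urljoin resolves relative and protocol-relative URLs against the page.
        host = (urlparse(urljoin(page_url, src)).hostname or "").lower()
        if not host or host_matches(host, first_party):
            continue  # first-party script: not a third-party data flow
        hosts.append(host)
        owners[next((o for d, o in TRACKER_OWNERS.items()
                     if host_matches(host, d)), "unknown")] += 1
    return hosts, dict(owners)
```

Static parsing only sees script tags present in the page source; scripts injected at runtime require a browser-driven crawl of the kind OpenWPM performs.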

Governments ‘are enabling these potential violations’

In total, 17 percent of government websites and 37 percent of government Android apps have Google trackers. Researchers say over a quarter (27%) of Android apps gave away private data to third parties or potential hackers. An internet security website called VirusTotal flagged 304 sites and 40 apps for malicious activity.

The researchers say the results are alarming, considering people may be forced to enter personal information to government sites to pay their taxes or get medical care. This potentially puts them at higher risk of having their information stolen by identity thieves.

“Governments are becoming more aware of online threats to privacy, but at the same time, they are enabling these potential violations through their own services,” Mannan says. While privacy laws are in place for several states and counties, Mannan says governments need to follow their own advice and make privacy a top priority.

The study is published in the Proceedings of the ACM Web Conference 2022.

About the Author

Jocelyn Solis-Moreira

Jocelyn is a New York-based science journalist whose work has appeared in Discover Magazine, Health, and Live Science, among other publications. She holds a Master’s of Science in Psychology with a concentration in behavioral neuroscience and a Bachelor’s of Science in integrative neuroscience from Binghamton University. Jocelyn has reported on several medical and science topics ranging from coronavirus news to the latest findings in women’s health.
