#BHEU: Mental Health and Depression Websites Share Details in Plain Text


Presenting research on web tracking and cookie security at Black Hat Europe in London, Eliot Bendinelli, technologist at Privacy International, and Frederike Kaltheuner, formerly of Privacy International and now tech policy fellow at Mozilla, described how a number of websites offering “tests” on mental health and depression shared the results with third parties.

Kaltheuner said that this sort of tracking is “not just highly intrusive but is information that can be used against you.” She said that GDPR consent forms are “designed to be deceptive and annoying”, that it is often easier to consent than not, and that very few people know what happens when they do consent.

The pair therefore accepted some tracking requests and then made a subject access request for the data that had been collected about them, receiving a statistical profile of their age, gender and education level. The response also showed data that had been shared with companies in the data-broker and advertising-technology ecosystem.

This led them to test websites in three countries: the UK, Germany and France. Bendinelli said that the goal was to find websites driving traffic to partners. They used tools such as webXray, which drives a headless Chrome and records every interaction with a website, including cookies, images and JavaScript, and HTTP Toolkit, which inspects the POST requests a website sends.

Kaltheuner revealed that 97.78% of the web pages tested contained a third-party element and, while this was not in itself nefarious, “it does come with a privacy risk.” She said that the average number of cookies set was 44 on French websites, 12 in the UK and seven in Germany.

“Also, we found that 76% of websites contained a third party tracker for marketing,” Kaltheuner said, with trackers belonging to data brokers and programmatic advertising companies among them.

Bendinelli added that, having completed the depression tests, he found that several sites encoded the test results in the page URL, which was then passed to third parties, and one sent the answers in clear text to 500 partners. An NHS website sent the test scores to a server that turned out to be an analytics server; the NHS confirmed the scores were recorded for its own analytics. “We were disappointed as there was no warning,” Bendinelli said.
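The finding above (results carried in the URL and passed on to third parties) is exactly the kind of leak the headless-browser-plus-HTTP-inspector method described earlier is meant to surface. The script below is an added example, not code from the talk, from webXray or from HTTP Toolkit: it takes a constructed request capture for a hypothetical test site at example-test.test, whose result page puts the answers and score in its query string, and reports every third-party host that received those parameters, whether in its own request URL, in a POST body (including a page URL nested inside an analytics beacon), or in the Referer header. All hostnames, parameter names and request lines are invented for the example.

```python
"""Flag third-party requests that carry a first-party page's test results.

Added example, not code from the original research or the tools it used:
a constructed capture mimics what a headless-browser recorder plus an HTTP
inspector would log when a visitor finishes a hypothetical "depression test"
at example-test.test whose result page encodes answers and score in its URL.
"""
from urllib.parse import parse_qs, urlsplit

FIRST_PARTY = "example-test.test"             # hypothetical site under test
SENSITIVE_KEYS = {"q1", "q2", "q3", "score"}  # parameter names holding answers

RESULT_URL = "https://example-test.test/result?q1=3&q2=4&q3=2&score=9"

# Constructed capture: (method, request URL, POST body, Referer header)
CAPTURE = [
    # first-party document and first-party CDN asset: not leaks
    ("GET", RESULT_URL, "", ""),
    ("GET", "https://cdn.example-test.test/app.js", "", RESULT_URL),
    # third-party font: only the Referer carries the answers
    ("GET", "https://fonts.cdn.test/roboto.woff2", "", RESULT_URL),
    # tracking pixel: score copied into its own query string, plus Referer
    ("GET", "https://tracker.adtech.test/pixel.gif?score=9&uid=abc123", "", RESULT_URL),
    # analytics beacon: full page URL (answers included) posted in the body
    ("POST", "https://analytics.metrics.test/collect",
     "v=1&t=pageview&dl=https%3A%2F%2Fexample-test.test%2Fresult"
     "%3Fq1%3D3%26q2%3D4%26q3%3D2%26score%3D9",
     "https://example-test.test/"),
]


def host_of(url):
    return urlsplit(url).hostname or ""


def is_third_party(url, first_party):
    """Treat the first-party host and its subdomains as first party."""
    host = host_of(url)
    return host != first_party and not host.endswith("." + first_party)


def sensitive_in_query(query, sensitive):
    """Names of sensitive parameters present in a form-encoded string."""
    return sorted(k for k in parse_qs(query, keep_blank_values=True) if k in sensitive)


def sensitive_in_url(url, sensitive):
    return sensitive_in_query(urlsplit(url).query, sensitive)


def sensitive_in_body(body, sensitive):
    """Check a form-encoded body, including URLs nested in its values:
    analytics beacons commonly send the current page URL as a parameter."""
    found = set(sensitive_in_query(body, sensitive))
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                found.update(sensitive_in_url(value, sensitive))
    return sorted(found)


def find_leaks(capture, first_party, sensitive):
    """One record per (third-party host, channel) through which a sensitive
    parameter left the first party: the request URL, the POST body or the
    Referer header."""
    leaks = []
    for method, url, body, referer in capture:
        if not is_third_party(url, first_party):
            continue
        channels = {
            "url": sensitive_in_url(url, sensitive),
            "body": sensitive_in_body(body, sensitive) if method == "POST" else [],
            "referer": sensitive_in_url(referer, sensitive),
        }
        for channel, keys in channels.items():
            if keys:
                leaks.append({"host": host_of(url), "channel": channel, "keys": keys})
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(CAPTURE, FIRST_PARTY, SENSITIVE_KEYS):
        print(f"{leak['host']:<24} via {leak['channel']:<8} {', '.join(leak['keys'])}")
```

Two caveats for anyone reproducing this against real captures. First, the Referer channel depends on the browser's referrer policy: at the time of the talk the common default sent the full URL, including the query string, on cross-origin requests, whereas current browser defaults (strict-origin-when-cross-origin) strip path and query, so that channel may be quiet today while the pixel and beacon channels are not. Second, the only fix that closes all three channels is to keep answers and scores out of the URL altogether (submit them by POST and keep the result server-side); a `Referrer-Policy: no-referrer` header is a useful extra but does nothing about a script that reads the page URL and sends it to its own server.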

Kaltheuner said that the basic research and this extended version had “barely scratched the surface”, as they had investigated only nine websites and had still found poorly designed tests. “Many findings are in violation of GDPR and ePrivacy,” she pointed out, noting that consent is needed to place cookies and to process the data, as “you can only process with the explicit consent of the user.”

The two concluded by acknowledging that technology changes quickly, but that a broader discussion is needed about how people want to be treated, who should have access to this data and who should not.
