Tracking cookies found on G20 government websites • The Register

We expect some level of cookie-based tracking on retail websites and social networks, but in some countries up to 90 percent of government sites have implemented trackers — and seemingly offer them without user consent.

A study analyzed more than 118,000 URLs from 5,500 government websites – think .gov, .gov.uk. .gov.au, .gc.ca, etc. – hosted in the world’s twenty largest economies – the G20 – and discovered a surprising tracking cookie problem, even among the countries that have joined the European GDPR and those that have their own privacy policy.

The study found that, on average, more than half of the cookies created on G20 government websites were third-party cookies, meaning they were created by external entities, typically to collect information about the user. At least 10 percent, up to 90 percent, comes from known third-party cookies or trackers, they say.

The report, issued by IMDEA, a research organization in Madrid, Spain, explains the impact of tracking cookies on government websites beyond breaches of regulations.

“First, it breaks trust between citizens and authorities. Second, it allows for large-scale surveillance, monitoring and tracking. When this is done by a third party, this is worrying as it shows poor website design that relies on external bodies that can monitor interactions [between] the public [and] of the government,” the IMDEA team wrote in their paper.

“It appears that despite major efforts to promote regulations such as GDPR, government websites themselves are not yet free from tracking practices such regulations target,” the report concluded.

In addition to focusing on government agency websites, the study also looked at international organizations and COVID-19-related websites and found that over 90 percent of these websites hosted tracking cookies, with just over 60 percent coming from third parties .

Who put these cookies within reach?

The natural conclusion might be to suspect a government spy, but the study concluded that third-party tracking cookies are generally the product of careless webmastering.

“Many of these trackers are added because many government sites have links to social networks like Facebook and LinkedIn and links to videos hosted on YouTube or Vimeo,” IMDEA said. Additional trackers can come from analytics tools and the use of web code libraries, which the study found can also act like trackers.

Tracking cookie data varies widely by country, but the presence of cookies on government websites does not: Even among the countries with the fewest cookies – Japan and India – nearly 80 percent of government websites served cookies.

Third-party and tracking cookies are worst in Russia, where more than 90 percent of websites contain one or both. Mexico, China and Indonesia follow, with around 70 percent of their websites containing third-party and/or tracking cookies.

In the US, just under 60 percent of government sites contain such cookies, and the UK is only a few points better. Canada actually underperforms the US, but only by a few percentage points. Australia does slightly better, with just under 50 percent of its government sites offering problematic cookies.

Those in Germany are the safest, where fewer than 30 percent of government websites contain third-party or tracking cookies. India, South Korea and Argentina follow, with less than 40 percent of their websites containing cookies.

Website designers and contractors working for governments in the G20 “must take special care not to include plugins for social media, commercial video sharing sites and publishers and to avoid links that download content from such sites,” as well as to avoid software and libraries who are known to leak private information.

Third-party tracking cookies have become a common target for privacy advocates in recent years. For example, Mozilla has taken steps to kill third-party cookies in Firefox, and the privacy-friendly Brave browser has done similar things.

Google also announced plans to break third-party cookies in Chrome, but has pushed the date back to 2023 and may not materialize as originally promised. ®