It’s no secret that the business websites and mobile apps we use every day are tracking us. Big companies like Facebook and Google depend on it. However, as a new paper from a team of researchers at Concordia shows, companies aren’t the only ones harvesting our private data. Governments around the world are integrating the same tracking tools and allowing large companies to track users of government services, even in jurisdictions where lawmakers enact laws to restrict commercial trackers.
The authors of the paper performed privacy and security scans on over 150,000 government websites from 206 countries and over 1,150 Android apps from 71 countries. They found that 17% of government websites and 37% of government Android apps host Google trackers. They also noted that more than a quarter – 27% – of Android apps leak sensitive information to third parties or potential network attackers. And they identified 304 sites and 40 apps flagged as malicious by VirusTotal, an internet security website.
“The results were surprising,” says the paper’s co-author, Mohammad Mannan, an associate professor at the Concordia Institute for Information Systems Engineering (CIISE) at the Gina Cody School for Engineering and Computer Science. “Government sites are publicly funded, so they don’t need to sell information to third parties. And some countries, especially in the European Union, are trying to limit commercial tracing. So why do they allow it on their own sites?”
The paper was presented at the Association for Computing Machinery’s WWW ’22 conference in late April. Current PhD student Nayanamana Samarasinghe, recently graduated MSc student Aashish Adhikari (MASc 21) and Professor Amr Youssef, all from CIISE, co-authored the paper.
Involuntary but invasive
The researchers began their analysis by building a seed list containing tens of thousands of government websites using automated search and crawling and other methods between July and October 2020. They then performed in-depth analyses to retrieve links in the HTML page source. The team used instrumented tracking metrics from OpenWPM, an automated open source software used for web privacy measurements, to collect information such as scripts and cookies used in the code of websites as well as device fingerprinting techniques.
They tracked Android apps by searching Google Play store URLs found on government sites, then examining developer URLs and email addresses. Whenever possible, they downloaded the apps — many of which were geoblocked — and scanned them for built-in tracking SDKs.
Mannan notes that the use of trackers is not always intentional. Government developers most likely use existing software suites to build their sites and apps that contain tracking scripts or include links to tracker-infused social media sites like Facebook or Twitter.
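A static version of the link-retrieval step described above, as an added example (not code from the paper or from OpenWPM): it parses a page's HTML source, lists the third-party hosts the page loads, and labels those found on a short tracker list. The domain list, the function names and the sample page are assumptions constructed for illustration; scripts injected at runtime are visible only to browser instrumentation such as OpenWPM.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Illustrative list built for this example; not the list used in the paper.
TRACKER_DOMAINS = {
    "google-analytics.com": "Google", "googletagmanager.com": "Google",
    "doubleclick.net": "Google", "facebook.net": "Facebook",
}

class ResourceCollector(HTMLParser):
    """Collect absolute URLs of resources the browser fetches on page load."""
    FETCHED = {"script", "img", "iframe"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag in self.FETCHED:
            src = dict(attrs).get("src")
            if src:  # urljoin resolves relative and protocol-relative URLs
                self.urls.append(urljoin(self.page_url, src))

def under(host, domain):
    """True if host is domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def find_trackers(page_url, html):
    """Map each third-party host the page loads to a tracker owner or None."""
    site = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = {}
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host or under(host, site):
            continue  # first-party resource (simplified: same host or subdomain)
        owner = next((o for d, o in TRACKER_DOMAINS.items() if under(host, d)), None)
        findings[host] = owner
    return findings

# Constructed sample page source for a hypothetical government portal.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
</head><body>
<img src="https://stats.g.doubleclick.net/r/collect?v=1">
<iframe src="https://maps.vendor.example/embed"></iframe>
</body></html>"""
```

Hosts mapped to `None` are third parties that are not on the list and still merit a manual look.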
No other option
Although the use of trackers is widespread, Mannan is particularly critical of jurisdictions such as the EU and California, which claim to have strong privacy laws but which in practice are not always very different from others. And since users can only use government portals for important personal obligations such as paying taxes or seeking medical care, they are at increased risk.
“Governments are increasingly aware of online threats to privacy, but at the same time they enable these potential breaches through their own services,” he says.
Mannan urges governments to frequently and thoroughly scan their own sites and apps to ensure privacy security and compliance with their own laws.
Read the cited paper: “And you Brute? Privacy analysis of government websites and mobile apps.”
— By Patrick Lejtenyi
— Concordia University