Dozens of university, charity and policing websites designed to aid people get support for serious issues like sexual abuse, addiction or intellectual wellness are inadvertently collecting and sharing site visitors’ delicate data with advertisers.
A variety of tracking tools embedded on these sites – including Meta Pixel and Google Analytics – mean that erstwhile a individual visits them seeking help, their delicate data is collected and shared with companies like Google and Meta, which may become aware that a individual is looking to usage support services before those services can even offer help.
According to privacy experts attempting to rise awareness of the issue, the usage of specified tracking tools means people’s information is being shared inadvertently with these advertisers, as shortly as they enter the sites in many cases due to the fact that analytics tags begin collecting individual data before users have interacted with the cookie banner.
Depending on the configuration of the analytics in place, the data collected could include information about the site visitor’s age, location, browser, device, operating strategy and behaviours online.
While even more data is shared with advertisers if users consent to cookies, experts told Computer Weekly the sites do not supply an adequate explanation of how their information will be stored and utilized by programmatic advertisers.
They further warned the issue is “endemic” due a widespread deficiency of awareness about how tracking technologies like cookies work, as well as the possible harms associated with allowing advertisers inadvertent access to specified delicate information.
Stef Elliott, a data governance and protection expert who has been raising the alarm about these practices since he noticed the issue in mid-2023, has since identified more than 50 delicate sites with this kind of setup, including support sites related to sexual abuse, wellness conditions and the protection of children.
While The Guardian reported on the Met Police’s usage of the Meta Pixel tool on its website in July 2023 after Elliott flagged the issue, he said the problem is much deeper than 1 organisation’s usage of 1 peculiar tracking tool.
“There seems to be a real deficiency of knowing of the possible harms that can be associated with this,” he said, adding a major part of the problem is that the analytics are added to websites by developers as standard practice, without taking into account the sensitivity of a given site.
Elliott said although tracking technologies can be helpful to organisations for a variety of reasons, he has an issue with it being utilized without due care and attention. But whenever he raises the issue with authorities, whether that be the UK’s data regulator or his local MP, he gets “tumbleweeds” in return.
Given the sensitivity of the data being collected, Elliott and another experts are afraid that people may be discouraged from seeking much-needed assistance if they believe delicate data about them is being sent to 3rd parties.
Online privacy investigator Mark Richards, for example, said that erstwhile people enter delicate physical environments like a doctor’s surgery or teacher’s office, there is simply a work of care on organisations and people to safeguard the susceptible people there.
“The basic premise that ‘these 4 walls are safe so you can talk to me and no 1 else will hear you’ is broken,” he said. “It is no longer actual – erstwhile you’re online, you’re being watched, individual knows you walked into that office and the subject you’re trying to handle … it’s an intrusion into a space which is expected to be protected.”
On the harms entailed by this widespread usage of invasive tracking, Richards said if people do not trust a system, they will not usage it.
“If you’ve got a kid who’s depressed, who is having trust issues with the environments around them, and then they’re told to go into an environment which starts lying to them by showing them cookie banners saying they’re not going to be tracked; while at the same time they see their privacy blocking tool saying there’s Facebook and Google and YouTube loading, they’re going to start thinking, ‘how do I trust this website?’,” he said.
Digital surveillance on delicate sites
While the experts Computer Weekly spoke with are choosing to not disclose which circumstantial sites are affected so that people are not deterred from seeking help, method breakdowns of the tracking on multiple sites have been shared with Computer Weekly to confirm the data collection and sharing taking place.
Giving the example of a visitor to a police sexual offences reporting page, Elliott said that with the tracking setup presently in place, cookies would be immediately deployed to start harvesting information about the user, which is linked back to individualised profiles that advertisers can usage to mark them.
While this takes place via login cookies dropped erstwhile users are signed into, for example, their Google or X accounts, specified advertisers can besides build up profiles of people without accounts through the usage of advertiser IDs, which usage various methods specified as browser fingerprinting IP addresses to correlate users with online activity.
Comparing the tracking to another forms of surveillance, Elliott said it was “more precise” than utilizing video cameras or facial designation due to the way it allows a wide variety of information about circumstantial people to be linked to individualised profiles of them.
Highlighting another example of a university’s sexually transmitted infections (STI) webpage, Elliot said in that instance it asks for people’s ages, postcodes and sexual preferences, which then goes to a search results page with that information in the URL, all of which takes place before any interaction with the cookie banner.
“My issue is that if you knew that data was going to Facebook and Google, would you go on to the STI site and enter that data?” he said. “I think it undermines the intent of the site, which is to aid people in distress, in trauma.”
Commenting on the nature of the digital surveillance underpinning programmatic advertising, Richards likened it to a criminal act of trespass.
“Whenever you’re on a device … you’re doing your individual activities in your own environment. And erstwhile you’re doing them, you’re being watched through your own device,” he said. “To me, this is simply a sense of trespass – if individual was in my house, watching me do things, taking notes, I would feel like the police should be here taking them outside.
“They’re like Peeping Toms in any ways, peeking through even though they’re not expected to … there’s no restraint, the digital streets you walk, they’re following.”
Richards added that while many people are at least attempting to claw back any privacy by, for example, utilizing ad blockers – 1 of the most downloaded tools on the net – or buying iPhones due to their higher degree of privacy over Android devices, “the saddest part is as much as people effort to avoid all of this, they haven’t got much hope”.
He said that while it can be hard to quantify the cost of privacy invasions in financial terms, there can be clear emotional impacts from a failure of privacy, and that people’s attempts to halt their privacy being abused shows there is “obviously a sense of dislike and distrust in the strategy that modern IT has created”.
A black box ecosystem
Those Computer Weekly spoke with besides highlighted the “black box” nature of the online advertising ecosystem this delicate data is then sent into, noting that erstwhile data is taken from a person’s device and sent to the likes of Google, Meta and others, there is very small visibility over how it is used.
“They’re utilizing search algorithms, they’re utilizing AI, they’re utilizing device learning, they’re utilizing techniques to effort and correlate users to things they think the users will be curious in, and things they think users will buy, to make money,” said Richards.
“Do you think it’s okay that erstwhile a kid visits a suicide support website, we’re now trusting that Facebook’s algorithms will choice up the kid is curious in suicide and will present the appropriate adverts and recommended content for that child’s situation? What does that even look like? How do they avoid the machine-learnt hazard that the best thing financially to show them is likely booze?”
Richards added the way in which advertisers collect and combine people’s individual data to make inferences about them as both individuals and groups can easy become very discriminatory, as it fundamentally runs off of stereotyping.
“You have organisations sitting there picking out topics and choosing how they’re going to mark people,” he said, adding that in practice this means “picking out stereotypes of circumstantial groups and utilizing that as a means to scope out to that group of people”.
Mariano delli Santi, a legal and policy officer for Open Rights Group, added that the systemic usage of tracking tools to monitor people’s behaviour for the purposes of serving them ads is peculiarly harmful for those with vulnerabilities or addictions.
Noting the difficulty behavioural advertising frequently has in accurately inferring people’s intentions, characteristics or position – “if you’re reading an article about a strike, that doesn’t tell whether you agree with the strike or not, so everything is based on guessing” – delli Santi said it is good at picking up on and exploiting people’s compulsive behaviours due to the regular and repetitive nature of these actions.
“The existing strategy of advertising is simply a strategy that inherently favours this exploitive model of online targeting, precisely due to the fact that any strategy that profiles behaviour is simply a strategy that is very good at identifying vulnerabilities and addictions, and is very bad at identifying everything else,” he said. “There is simply a perverse incentive to mark people based on their weak spots.”
Delli Santi besides highlighted the fact that erstwhile the data is collected by the delicate sites in question, there is simply no knowing what happens to it, or what another data about you it can be combined with, especially erstwhile purchasing further information about people from data brokers is so easy and accessible.
However, Shane Gohil, a data protection officer at DPO Centre, questioned whether the possible harms to individuals outweighed the good achieved by the delicate sites, given how hard it is to pinpoint circumstantial harms that stem from a programmatic advertiser’s access to any given data point or the subsequent inferences made off the back of it.
He added that while it is “very hard to track due to the advert ecosystem”, the severity of harms will be different depending on the context of the data collection.
“Let’s say it was gambling addiction, for example – if that went into the advertising ecosystem, who’s to say that gambling firms cannot service those individuals ads? due to the fact that their position will be, ‘I don’t care if you’re an addict or not, the fact is, you make me money’. I know it sounds awful, but that’s the way commercial vehicles will operate,” he said.
“The difficulty with another things – for example, visiting self-harm pages or police services – is I just don’t see how that materially affects someone. How could they bring damages, how could they show they were caused distress by this?
“Merely saying, ‘I don’t feel large about that information being in the ad strategy due to the fact that they know I’ve been on that website’, doesn’t truly constitute a [legal] harm or harm to someone.”
Gohil added it is much easier to legally show direct harm from the collection of delicate individual data in another contexts, specified as erstwhile it is utilized for things like insurance or claims handling. He besides said that while individual data from the delicate sites may be added to behavioural profiles, it is inactive legally very tricky to pinpoint the harm to the circumstantial data collected during a site visit.
Despite the legal difficulty of linking circumstantial harms to the collection of circumstantial data points, Gohil added: “Would you tell your doctor everything if you looked over and there was individual in the room? That would make me think twice.”
A deficiency of awareness
All those Computer Weekly spoke with said the core reason why specified invasive tracking has been allowed to flourish is simply a general deficiency of awareness around how these technologies work in practice.
“My concern is that we’ve got to the point where we have a deficiency of awareness of the tracking tools that are available for businesses, and the possible associated harms to people,” said Elliott, who noted it is standard for tracking tools to be embedded on websites from the get-go.
“When you set up a system, you either build it, buy it, or borrow it. I think lots of people have learnt the rudiments of website development, but don’t full realize the functionality they’re implementing, and so the associated risks and harms they’re exposing individuals to.”
Gohil added that while on the 1 hand it’s hard for organisations to argue ignorance of the UK’s laws on digital tracking given they are now 20 years old, the readily available nature of today’s tracking tools – “which is simply copying a part of code and placing it into your website” – means they get overlooked, especially by organisations like charities that are mostly already strapped for resources.
“I visit many organisations and part of my overall audit would be to measure their website and their usage of cookies,” he said. “And whilst I can say, ‘You’re non-compliant in this area’, having the legal [and] method expertise to remove these cookies and set them up correctly is simply a resource that many charities most likely don’t have.
“I see this a lot in SMEs and in tiny charities who genuinely want to do good things, but they’ve got much bigger problems – they’ve got no IT provider, shadow IT, volunteers managing the data and doing work, so there’s a balance.”
The function of large tech
For delli Santi, the root origin of pervasive behavioural tracking online is the structure of today’s net platforms and their marketplace dominance.
Noting that quite a few today’s web improvement relies on the usage of plugins and tools that have been “pre-compiled” by large tech advertisers to extract and share people’s data, delli Santi said the standard inclusion of tracking tech by these firms acts as a way of reinforcing their marketplace dominance, as it fundamentally brings more and more data into their orbit without them having to do anything.
Highlighting that tracking tools are even embedded in software developer kits (SDKs), which are platform-specific software packages utilized to build applications, delli Santi said “these tracking technologies are effectively viral”.
He added this tracking is “particularly pernicious” due to the fact that it taps into the dynamics around web development, including that organisations want websites set up as cheaply and rapidly as possible, and that many web developers will not necessarily be well-versed in how to code or the method ins and outs of how the tracking tools they’re embedding work.
“You can clearly see the commercial value of having this strategy of surveillance installed, even if you [as the developer] didn’t necessarily want to, which is that as a digital platform I’m now getting access to your browsing habits in an environment where I wouldn’t otherwise have access to it,” he says. “Of course, we’re talking about very delicate information here, so it’s even more valuable.”
Commenting on the work of large tech advertisers, Elliott said firms that supply specified tracking services will mention the fact their Ts&Cs prohibit advertising surveillance on peculiarly delicate sites, and that they will flag improper uses of tracking to their customers, adding: “I’ve never heard of anyone having this flagged.”
However, delli Santi notes that while large tech firms have a work to halt offering this tracking as standard, the organisations setting up the websites are data controllers in their own right, and are so liable for installing software that performs tracking on behalf of these firms.
“If you’re writing a website and you have something that is ready to be deployed, ready to copy and paste, that’s perfect,” he said. “On the another hand, you’re liable for how the individual data being collected in this way is used, due to the fact that yet the decision to copy and paste that web code, to implement that plug-in, to implement the functionality of your website, was your decision, nobody else’s decision.”
Gohil yet came to a akin conclusion, noting that while he is very sympathetic to the pressures smaller organisations face erstwhile it comes to dealing with method matters like data protection and tracking, there is no legal excuse at the end of the day.
“This is something that will unfortunately fall, erstwhile it comes down to data protection law, on the data controller, which is fundamentally the organisation that’s chosen to usage these tools,” he said.
Google and Meta respond
Computer Weekly contacted both Google and Meta about the tracking and the claims made by data protection experts.
“Our policies require advertisers to have the essential rights and permissions, including people’s consent where applicable, to usage our Business Tools data, and we don’t want or licence advertisers to send delicate information about people through our Business Tools,” said a Meta spokesperson. “We educate advertisers on decently setting up our Business Tools to prevent this from occurring. Our strategy is designed to filter out possibly delicate data it is able to detect.”
According to Google, measurement tools like Analytics aid businesses realize how users engage with their websites and apps through aggregate reports that supply insights into patterns of behaviour of their traffic and the performance of their online properties, all without identifying individual users.
The search giant besides contends that Google Analytics does not combine data of different customers or track users across unaffiliated websites, and that the data collected by customers utilizing Analytics would only be utilized for advertising purposes for that circumstantial customer, and only if the client links their Google Analytics account with their Google Ads account, exporting their own data for their own use.
On the usage of wider tracking tools, Google said its customers own and control the data they collect on their properties, that it does not usage their measurement data for its own ad targeting or profile building, and that businesses are required to give visitors appropriate announcement of and, where legally required, get their consent for their collection of data utilizing Google Analytics on their properties.
It further added that its policies do not let serving advertisements to people based on delicate information specified as health, ethnicity, sexual orientation or negative financial situations, and has strict policies in place to prohibit customers from utilizing Analytics to collected protected wellness information.
These customers are besides prohibited from uploading any information to Google that could be utilized by the company to identify an individual.
On the usage of Tag Manager, Google said that if a business uses the Tag Manager, the tool itself does not collect, hold or share any information about site visits, and is alternatively a tool to aid customers manage the behaviour of the tags they place on their websites.
A deficiency of enforcement
While Elliott first raised the issues around websites inadvertently sharing delicate individual data with third-party advertising platforms with the Information Commissioner’s Office (ICO) in July 2023, the regulator is yet to take any action in helping the affected organisations mitigate the risks to site visitors.
In his latest correspondence to the ICO, in mid-March 2024, Elliott noted that while the tracking activity was halted on the police.uk website’s sexual assault page, this only happened in consequence to press coverage at the time, and that the same functionality is deployed across 26 of England and Wales’ 43 police forces.
“[One policing website] alone inadvertently shared individual data on 245 individuals seeking support! I can’t confirm the full number of people impacted as I am awaiting a importantly overdue FOI reply,” Elliott told information commissioner John Edwards in an email.
He added that, 9 months since he originally reached out to the ICO, “the endemic leaking of individual data through support sites, raised in my letters, continues”.
Elliott concluded the letter by asking whether the ICO had been in contact with any of the organisations highlighted to make them aware of the issues and aid them with mitigation, and if it could supply a roadmap for erstwhile circumstantial guidance would be issued by the regulator, but is yet to receive a response.
The data regulator wrote to 53 of the UK’s top 100 websites in November 2023, informing them that they faced enforcement action if they did not make changes to advertising cookies to comply with data protection law. Of those contacted, 38 changed their cookie banners in ways that achieved compliance.
“We anticipate all websites utilizing advertising cookies or akin technologies to give people a fair choice over whether they consent to the usage of specified technologies. Where organisations proceed to ignore the law, they can anticipate to face the consequences,” it said in a January 2024 press release.
“We will not halt with the top 100 websites. We are already preparing to compose to the next 100 – and the 100 after that.”
In 2019, the ICO issued a study titled Update study into adtech and real time bidding, which found that online advertising companies were failing to comply with the law in key areas specified as legality of data processing, transparency, usage of delicate data, accountability requirements and ensuring an adequate level of safety throughout the supply chain.
“The creation and sharing of individual data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, peculiarly erstwhile people are frequently unaware it is happening,” wrote the ICO. “We outline that 1 visit to a website, prompting 1 auction among advertisers, can consequence in a person’s individual data being seen by hundreds of organisations, in ways that propose data protection rules have not been sufficiently considered.”
In a since-deleted blog post published by the ICO in January 2020 about its adtech actions, the regulator’s then-executive manager of technology and innovation, Simon McDougall, said: “The improvement of real-time bidding has started and will continue,” noting that while manufacture engagement has been positive, much more inactive needs to be done to bring transparency and guarantee the processing of individual data in advertising ecosystems is lawful.
“The most effective way for organisations to avoid the request for further regulatory scrutiny or action is to engage with the manufacture improvement and transformation, and to encourage their supply chain to do the same,” he said. “I am both heartened at how much advancement we have made, and disappointed that there are any who are inactive ignoring our message. Those who have ignored the window of chance to engage and transform must now prepare for the ICO to utilise its wider powers.”
However, the ORG has previously told Computer Weekly that, to date, the ICO has not taken any regulatory action against data protection infringements in the online advertising space that were revealed as a consequence of the regulatory update report.
Computer Weekly contacted the ICO about the tracking in place on delicate support sites and all aspect of the story. A spokesperson responded that organisations utilizing cookies and tracking pixels have responsibilities to usage these technologies lawfully, reasonably and transparently.
“We want them to make it easy for people to realize what is happening to their information and whether they want to give their approval for it to be shared,” they told Computer Weekly.
“We anticipate organisations providing these technologies to take action too. All besides frequently there’s a deficiency of accountability for how these tools collect and usage people’s individual information, with mediocre transparency and deceptive design.”
The spokesperson added that the ICO wrote to more than 20 NHS trusts and wellness charities utilizing Meta Pixel last autumn to remind them of their responsibilities.
“We’re besides engaging straight with companies providing these technologies, including Meta, to make our expectations clear. Tackling the possible harms caused by advertising technology is simply a precedence for the ICO and we will not hesitate to act decisively to defend the public,” the spokesperson said.
“In November, we warned the top 100 websites in the UK that they faced enforcement action if their ‘reject all’ button for cookies was not as prominent as their ‘accept all’, achieving large success so far with more to come. We’ve noted the information that has come to light through this study and will be considering this substance further.”
In lieu of formal regulatory action from the ICO, delli Santi said antitrust government around digital markets – which there is simply a increasing push for in Europe and the US – could aid by stopping large tech firms from providing tracking technologies as standard in SDKs and another software improvement tools.
“Focusing on the tiny player like the charity is not going to solve the issue,” he said. “We know they most likely never meant to share the data with these platforms in the first place, so there is simply a problem of marketplace dominance and marketplace dynamics which needs to be addressed.”
However, he added: “What we truly request in the end is institutions which have the strength and integrity to actually take this action.”
For Richards, part of moving towards a fix is looking at how the modern net has been built around tracking, and questioning the value of this to the general public.
“We’re getting content on social media platforms for free and we’re getting content from publishers which is subsidised. But that subsidy is not without cost,” he said. “A very large percent of that is going consecutive to the advertising and tech manufacture to keep a strategy that tracks us, to give profits to a fewer monopolies who managed to corner the market.”
However, regarding the technology itself, Richards added: “It needs the regulator to enforce the law.”
