We expect a certain amount of cookie-based tracking on retail websites and social networks, but in some countries up to 90 percent of government sites have implemented trackers – and serve them seemingly without user consent.
A study evaluated more than 118,000 URLs of 5,500 government websites – think .gov, .gov.uk. .gov.au, .gc.ca, etc – hosted in the twenty largest global economies – the G20 – and discovered a surprising tracking cookie problem, even among countries party to Europe's GDPR and those who have their own data privacy regulations.
On average, the study found, more than half of cookies created on G20 government websites were third-party cookies, meaning they were created by outside entities typically to collect information on the user. At least 10 percent, going up to 90 percent, come from known third party cookies or trackers, we're told.
The report, issued by IMDEA, a research facility in Madrid, Spain, explained the ramifications of tracking cookies on government websites beyond regulation violations.
"First, it breaks the trust between citizens and authorities. Second, it allows for large-scale surveillance, monitoring and tracking. If this takes place from third parties it is worrisome as it shows bad website design that relies on external entities that can monitor interactions [between] the public [and] the government,"
the IMDEA team wrote in their paper.
"It seems that despite great efforts to promote regulations like GDPR, governmental sites themselves are not yet clear of tracking practices targeted by such regulations,"
the report concluded.
In addition to focusing on government agency websites, the study also put international organizations and COVID-19-related websites under the lens, finding that over 90 percent of such sites hosted tracking cookies, with just over 60 percent from third parties.
Who put those cookies in easy reach?
The natural conclusion might be to suspect a spying government, but the study concluded that third-party tracking cookies are generally the product of careless webmastery.
"Many of these trackers are added because many government sites include links to social networks such as Facebook and LinkedIn and link videos hosted on YouTube or Vimeo,"
IMDEA said. Additional trackers can come from analytics tools and the use of web code libraries, which the study said can also act like trackers.
Tracking cookie data varies wildly from nation to nation, but the existence of cookies on government websites doesn't: Even among the nations with the fewest cookies - Japan and India - nearly 80 percent of government sites served cookies.
Third party and tracking cookies are worst in Russia, where more than 90 percent of sites contain one or both. Mexico, China and Indonesia follow, with some 70 percent of their websites containing third party and/or tracking cookies.
In the US, slightly less than 60 percent of government sites contain such cookies, and the UK is only better by a few points. Canada actually fares worse than the US, but only by a few percentage points. Australia fares slightly better, with slightly less than 50 percent of its government sites serving problematic cookies.
Those in Germany are the safest, where less than 30 percent of government websites contain third party or tracking cookies. India, South Korea and Argentina follow, with less than 40 percent of their sites containing cookies.
Website designers and contractors working for governments across the G20
"need to take extra care to avoid including plugins for social media, commercial video portals, publishers and avoiding links that download content from such websites,"
as well as avoiding software and libraries known to leak private information.
Third-party tracking cookies have become a common target for privacy advocates in recent years. Mozilla has taken steps to kill third-party cookies in Firefox, for example, and the privacy-minded Brave browser has done similar.