EU government websites infested with third-party adtech scripts

Ironic as it may be, EU websites might not be compliant with the EU's own data protection rules.
Written by Charlie Osborne, Contributing Writer

We almost expect it from them now -- the tech giants of today, such as Google and Facebook, and their quest to elicit any shred of useful information from us to generate ad-based revenue and profit.

However, we don't necessarily expect the same treatment from public and government services. 

When we use a government portal to access information related to taxes or health, which may include rather private and sensitive topics, we would hope that our visit and any information gained from it will not end up in the wrong hands.

It seems that this is not the case, according to a new report released by GDPR and ePrivacy consulting firm Cookiebot.

A total of 112 commercial companies are systematically harvesting this information and tracking us through EU government portals and public services. Ten of these companies have masked their identities, too, which could suggest the problem is deeper than we think.

Once this data is collected, it may end up in the possession of data brokers both in and outside of the ad network industry.

An examination of public sector websites across the EU performed by Cookiebot found that 89 percent of official government websites of EU member states contain third-party ad tracking -- despite these websites not requiring ad support to run.

In total, 25 out of the 28 official government websites in the EU contained ad trackers which may be used to monitor which pages a visitor selects, where they click and hover, as well as the speed and pattern of scrolling.

On the French government website, for example, a total of 52 separate commercial companies track citizens. The Latvian government domain contained 27, the Belgian portal hosted 19, and the Greek government domain contained 18 trackers.


When public health services were examined, Cookiebot found that 52 percent of landing pages with health information were found to harbor ad trackers. Irish public health services were the worst, with 73 percent of health-related landing pages containing trackers.

The UK, Spain, France, and Italy followed, with 60 percent, 53 percent, 47 percent and 47 percent containing the same ad tracking technology, respectively.

CNET: Facial recognition: Apple, Amazon, Google and the race for your face

On a single page relating to maternity leave on the German public services domain, for example, 63 companies were tracking German citizens. 21 tracking firms were connected to a French page discussing abortion. Topics including HIV, cancer, and mental health were also tracked across the board. 

Such information, collected and leaked, is sensitive and should not end up in the hands of commercial companies. Not only could this create tailored and targeted ads which can be upsetting, but if sold on to data brokers outside of the ad industry, who knows whether it may end up -- or what purposes it would be used for.

When it comes to Google, 82 percent of official EU government websites are harboring Google marketing trackers -- of which, it should be noted, could be legitimate website and analytics tools. Facebook was present, too, with Cookiebot claiming that "Facebook is employing anti-tracking countermeasures to track citizens who use Safari 11's intelligent tracking prevention" on the UK and Irish public health domains.

"We do not permit publishers to use our technology to collect or build targeting lists based on users' sensitive information, including health conditions like pregnancy or HIV," Google said in a statement

Facebook said the investigation "highlights websites that have chosen to use Facebook's Business Tools -- for example, the Like and Share buttons, or the Facebook pixel." 

"Our Business Tools help websites and apps grow their communities or better understand how people use their services," a Facebook spokesperson added. "For example, we could tell them that their site is most popular among people aged 20 - 25."

The ironic part is that these EU websites are likely not compliant with the EU General Data Protection Regulation (GDPR), which has been designed to limit the amount of data collected by businesses and to give consumers more visibility into data collection practices.

TechRepublic: How to prevent spear phishing attacks: 8 tips for your business

While some trackers and data collection may be required by these websites and you agree to them by clicking the "agree" button for cookies and ad preferences, it is unlikely that all of these companies are lurking on government domains legitimately.

Cookiebot says that third-parties are skirting the rules by entering via free services including video plugins and social media sharing buttons. Accessibility plugins and image gallery systems may also be avenues for these trackers to operate.

See also: These are the worst hacks, cyberattacks, and data breaches of 2018

"Although the governments presumably do not control or benefit from the documented data collection, they still allow the safety and privacy of their citizens to be compromised within the confines of their digital domains -- in violation of the laws that they have themselves put in place," the consultancy firm said. 

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards