It’s no secret that the commercial websites and mobile apps we use every day are tracking us. Big companies like Facebook and Google depend on it. However, as a new research paper by a team of Concordia researchers shows, companies aren’t the only ones collecting our data. Governments around the world are incorporating the same tracking tools and enabling large companies to track users of government services, even in jurisdictions where legislators are enacting laws to restrict commercial tracking tools.
The paper’s authors conducted privacy and security analyses of more than 150,000 government websites from 206 countries and more than 1,150 Android apps from 71 countries. They found that 17 percent of government websites and 37 percent of government Android apps host Google trackers. They also noted that more than a quarter – 27 percent – of Android apps leak sensitive information to third parties or potential network attackers. They identified 304 sites and 40 apps that were flagged as malicious by VirusTotal, an internet security site.
“The results were surprising,” says paper co-author Muhammad Mannan, associate professor at the Concordia Institute of Information Systems Engineering (CIISE) at the Gina Cody School of Engineering and Computer Science. “Government websites are backed by public money, so they do not need to sell information to third parties. Some countries, especially in the European Union, are trying to restrict commercial tracking. So why would they allow it on their own sites?”
The paper was delivered at the WWW ’22 Society of Computing Conference in late April. The research was co-authored by current PhD student Nyanamana Samarasinghe, recently graduated master’s student Ashish Adhikari (Meng 21) and Professor Amr Youssef, all from CIISE.
Unintentional, but invasive
The researchers began their analysis by building an initial list of tens of thousands of government websites using automated search, crawling, and other methods between July and October 2020. Then they ran deep crawls to scrape links in the HTML page’s source. The team used tracking metrics made from OpenWPM, an open source automated program used for web privacy measurements, to collect information such as text and cookies used in websites’ code as well as device fingerprinting techniques.
They tracked Android apps by searching for Google Play Store URLs found on government websites and then examining developer URLs and email addresses. When possible, they downloaded apps – many of which were geo-blocked – and analyzed them for tracking software development kits (SDKs).
Mannan notes that the use of trackers may not always be intentional. Government developers are more likely to build their sites and apps with existing software suites that contain tracking scripts or include links to social media sites equipped with trackers, such as Facebook or Twitter.
There are no other options
While the use of trackers is widespread, Mannan is particularly critical of jurisdictions such as the European Union and California that claim to have strong privacy laws but in practice are not always significantly different from others. And since users can only use government portals to fulfill important personal obligations such as paying taxes or seeking medical care, they are at additional risk.
“Governments are becoming more aware of online threats to privacy, but at the same time they are enabling these potential abuses through their own services,” he says.
Mannan urges governments to perform frequent and comprehensive analysis of their websites and apps to ensure privacy security and to ensure they comply with their own laws.
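An added example, not taken from the paper or the researchers' tooling (which was built on OpenWPM): a minimal static check of the kind such an analysis could start with, listing the third-party hosts a page loads resources from and flagging those on a short tracker list. The portal URL, the HTML and the tracker list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Illustrative tracker hosts (assumption), not the paper's list; use a maintained blocklist in practice.
TRACKERS = {"google-analytics.com": "Google", "googletagmanager.com": "Google",
            "doubleclick.net": "Google", "connect.facebook.net": "Facebook",
            "platform.twitter.com": "Twitter"}
# Tags whose URL attribute the browser fetches on page load (plain <a> links are not fetched).
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collects absolute URLs of resources the page loads automatically."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(urljoin(self.page_url, value))

def tracker_owner(host):
    """Return the owner if host is a listed tracker domain or a subdomain of one."""
    for domain, owner in TRACKERS.items():
        if host == domain or host.endswith("." + domain):
            return owner
    return None

def audit_page(page_url, html):
    """Report third-party hosts a page loads from, and which are listed trackers."""
    site = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = {urlparse(u).hostname for u in collector.urls} - {None}
    # Simplification: only the page's own host and its subdomains count as first-party.
    third_party = sorted(h for h in hosts if h != site and not h.endswith("." + site))
    trackers = {h: tracker_owner(h) for h in third_party if tracker_owner(h)}
    return {"third_party": third_party, "trackers": trackers}

# Constructed sample: a hypothetical government portal page.
SAMPLE_URL = "https://portal.example.gov/taxes"
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER"></script>
<img src="//www.google-analytics.com/collect?v=1">
<iframe src="https://platform.twitter.com/widgets/follow_button.html"></iframe>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<a href="https://www.facebook.com/examplegov">Follow us</a>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
```

A static pass like this misses resources injected by scripts at runtime, which is why measurement studies drive a real browser instead.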
Read the paper excerpted from: “et tu brute? Privacy analysis for government websites and mobile apps.”
Article publication date: 25 April 2022