A report by the team behind privacy-focused browser Brave suggests Britain's local authorities are sharing information about their website users with dozens of private companies.
The study [PDF] shows that nearly all councils across the UK exposed data about visitors to their websites, which was then sold on to private companies. Some councils allow companies to track sensitive information about users, such as when they were seeking financial help or support for substance abuse.
London's Enfield Council, which serves 333,969 people, and Sheffield Council, which serves 582,506, were the worst offenders. Both exposed visitors to 25 data collectors apiece.
The report names Google as the source of much of the exposure. Brave found that 98 per cent of the councils reviewed used systems from Mountain View, which owned the top five embedded elements in council websites. These elements enable users to be tracked around the web, scraping together whatever information they can, such as what websites and apps users are looking at, their location and their device.
Brave also found that more than half the councils it reviewed use Google's real-time bidding (RTB) system. The tech works by instantly linking up advertisers with specific people's eyeballs, allowing firms to buy and sell on a per-impression basis through real-time auctions.
The process uses the information pulled together through the embedded elements to build detailed profiles on users. This information is then auctioned off to advertisers, which bid on which users they want their ads to target. Well-off visitors with a lot of disposable income or IT buyers with big spending budgets will command higher rates, for example. The whole process is automated and the winner's ad instantly appears on the user's screen when the page loads.
One of the ad exchanges that used RTB, the Council Advertising Network (CAN), shared people's data from 34 council websites with 22 companies, Brave said.
RTB systems have been in murky waters for some time. The UK's data watchdog, the Information Commissioner's Office (ICO), has been investigating the issue and recently warned a Parliamentary inquiry that companies harvesting data poses a serious risk to privacy and security.
Last year, privacy warriors lodged a legal complaint against the Internet Advertising Bureau's (IAB) openRTB and Google's Authorized Buyers systems. The IAB, which is well aware that its advertising networks flout Europe's General Data Protection Regulation (GDPR), insists that they aren't doing anything wrong.
The company has consistently stressed that blaming the makers of RTB technology is like holding road builders accountable for people who break the speed limit. Google is – surprise, surprise – an IAB member. Critics responded that the IAB are not road builders, but the traffic authority.
The ICO's response was hardly inspiring. Simon McDougall, the authority's executive director of technology and innovation, said: "There are thousands of companies involved in the adtech ecosystem and at this stage the issue raised involve[s] the entire industry. We stand ready to deal with the problems but it is a hugely complex area. As a pragmatic regulator, we have a duty to build a thorough and robust case for any regulatory action we may decide to take, and all this takes time.
"We are using the intelligence gathered throughout last year to develop an appropriate regulatory response and we continue to investigate real-time bidding. It may be necessary to take formal regulatory action and we will continue to progress our work on that basis."
Google insisted it was GDPR compliant, adding that it does not build advertising profiles from "sensitive interest categories, including from sites offering benefits such as welfare or unemployment, and we have strict policies preventing advertisers from using such data to target ads".
CAN admitted it was collecting data for "advertising purposes", but denied that it sold any personal info to data brokers. "We automatically block categories such as gambling, alcohol, payday loans, politics and adult themes in order to protect users of our council partners' websites from advertising inappropriate for a public sector environment," a spokesperson said.
This is not the first study to warn that public sector websites are littered with undisclosed adtech. A report last year by Cookiebot found that 82 per cent of EU government websites were slurping up information on EU citizens' browsing habits. ®