[HN Gopher] Surveillance on UK council websites [pdf]
___________________________________________________________________

Surveillance on UK council websites [pdf]

Author : pier25
Score  : 479 points
Date   : 2020-02-05 15:10 UTC (7 hours ago)

(HTM) web link (brave.com)
(TXT) w3m dump (brave.com)

| MrAlex94 wrote:
| So I have read this report, but it would be good if there were
| some example URLs of where this is happening. Take for instance
| Lambeth's website (https://www.lambeth.gov.uk). I've browsed
| through a few public facing pages and the council tax payment
| pages.
|
| The report says Lambeth shows 1 real time bidding, 1 social and 5
| Google "trackers".
|
| From my network requests I see:
|
| -> Google Translate and its resources (CSS etc.)
|
| -> Google Font
|
| -> jQuery and a bunch of various modules
|
| -> leafletjs (OSS Map library)
|
| -> Google tag manager
|
| -> The social links at the bottom are just links, no requests or
| trackers.
|
| (Note: None are blocked by PB, only cookies are denied)
|
| Nothing out of the ordinary here (although you could argue
| against GTM on a council website). I'm not seeing what's at risk
| here? And according to the report, the above requests should be
| ignored in the results?
|
| Caveat 1:
|
| > This is not a complete study. Third party tools commonly used
| by websites for chat bots, designing the page, soliciting email
| subscription, profiling visitors for the Council's own user data
| base, text to speech, CDN, fonts, non-Google analytics, etc. are
| not counted in this study. (See "table notes" on page 20 for a
| list of what is counted).
|
| > While these do expose a user's behaviour to the companies
| concerned, we exclude them here in order for simplicity. This
| study highlights what we view as the most dangerous third party
| data collection and profiling.
|
| To compare, the landing page that this report is hosted on has
| the following "trackers"/requests:
|
| -> Brave.com Analytics request that is blocked
|
| -> Google Fonts
|
| -> Google Tag Manager
|
| -> Google Analytics (blocked by PB)
|
| -> Mapbox
|
| -> Scorecard research (blocked by PB)
|
| -> Newrelic
|
| -> Slideshare (blocked by PB)
|
| -> Leaderapps
|
| -> Tableau
|
| -> Vimeo (cookies blocked by PB)
|
| Edit: Sorry - PB is Privacy Badger.
|
| As for my personal feelings, "widespread surveillance" makes it
| appear as though there is some sort of malicious intent here. I
| have a few friends (and mother) who have previously or currently
| work for local councils, there is no money for this sort of
| thing. At worst I believe any actual issues are due to ignorance
| (which isn't an excuse) but could be easily remedied. This is way
| too dramatic for what should be a "Hey ICO, these councils are
| _potentially_ not doing things properly, could you have a look?".
| Instead you'd think Brave have uncovered a PRISM level
| conspiracy on the local government level.
|
| Poor taste IMO.
| gruez wrote:
| >From my network requests I see:
|
| >[...]
|
| >Nothing out of the ordinary here
|
| looks like you're not picking up a bunch of requests. maybe you
| have ublock? Here are some domains that aren't on your list:
| www.google-analytics.com script.hotjar.com
| cse.google.com vars.hotjar.com www.facebook.com
| stats.g.doubleclick.net static.hotjar.com
| connect.facebook.net
| MrAlex94 wrote:
| Hmm, not getting these. I disabled uBlock for my results.
| I'll see what else may be the cause.
| mpeg wrote:
| None of those really stand out as being problematic.
|
| Google Analytics, Hotjar are measurement tools. CSE is
| google's custom search endpoint, stats.*.doubleclick.net is a
| doubleclick for publishers endpoint (Google's ad server) and
| doesn't mean much by itself, it doesn't automatically show
| ads from third parties or send your data to anyone.
|
| The Facebook tags are sadly quite popular these days, I do
| agree those are not ideal but they are literally all over the
| net with like buttons, share buttons and "sign in with
| facebook"
| JohnFen wrote:
| GA is absolutely problematic. It's one of Google's main spy
| mechanisms. I know less about Hotjar, but it's reasonable
| to be nervous about any analytics package that is sending
| data off to a third party.
| ahel wrote:
| LOL you're in for a treat if you don't know hotjar and
| think that GA is problematic! Hotjar tracks (or used to at
| least) every mouse movement and click on a site so that
| you could analyze what happened to your clients or
| prospective ones.
| JohnFen wrote:
| Yes, I'm aware of that aspect of Hotjar. What I meant was
| that I don't know what Hotjar does with the collected
| data (beyond what they offer to the sites that use it).
| jey wrote:
| What's PB?
| polyvisual wrote:
| Privacy Badger (probably!)
|
| https://www.eff.org/privacybadger
| cameronbrown wrote:
| Privacy Badger?
| everdrive wrote:
| Privacy Badger
|
| https://www.eff.org/privacybadger
| MrAlex94 wrote:
| Apologies - Privacy Badger
| shermozle wrote:
| One of the examples, Enfield, gives me 44 trackers according to
| Tag Explorer: https://imgur.com/a/NoOjoev
| grsmto wrote:
| Your comment was making sense until you started comparing a
| council website with a marketing product (Brave.com).
| MrAlex94 wrote:
| It doesn't invalidate what I've found though? Also Brave
| themselves market as being privacy friendly, blocking ads and
| trackers etc... is it not fair to judge them as well if they
| are reporting this as egregious?
| grsmto wrote:
| No it's not fair because what they report as egregious is
| not the tracking themselves but the context! Council
| websites are public services. And it says in the report
| "citizens are entitled to expect that public services do
| not allow private companies to surveil them on their
| websites.".
|
| Other than that, you are right that it's hard to find
| what's wrong with that Lambeth website. However the GTM
| could be a gateway to any kind of data tracking (visited
| pages, button clicked, etc.) idk if you can actually find
| out from the console.
| MrAlex94 wrote:
| > No it's not fair because what they report as egregious
| is not the tracking themselves but the context! Council
| websites are public services. And it says in the report
| "citizens are entitled to expect that public services do
| not allow private companies to surveil them on their
| websites.".
|
| Ah I see. Agreed there.
| ajor wrote:
| Privacy Badger says that "Yellow" sites where it blocks cookies
| do appear to be trying to track you, but are necessary for the
| site to work[1]. That makes 5 trackers PB has identified on
| Lambeth's website.
|
| [1] https://www.eff.org/privacybadger/faq#What-do-the-red,-yello...
| MrAlex94 wrote:
| I see - thanks for the info. So all relating to Google from
| what I'm getting on the website request.
| dijksterhuis wrote:
| I'm getting these additional requests. They're being blocked,
| so result in a warning message in the console. Didn't see
| anything in network requests for them.
|
| - https://static.hotjar.com/c/hotjar-1043047.js?sv=5
|
| - https://cse.google.com/adsense/search/async-ads.js
|
| - https://connect.facebook.net/en_US/fbevents.js
|
| Also, the site is setting a cookie even though I've not
| consented.
|
| EDIT: Also, one of the lambeth.gov js scripts was written by
| "rob" in 2015. Hi Rob!
| wopian wrote:
| Is the cookie used for the site to function (or a component
| of it) or for tracking/ads? Only the latter needs consent.
| Nextgrid wrote:
| According to the GDPR even an IP address needs consent, and
| those are inherently transmitted when loading a third-party
| library regardless of cookies.
| Given that social media sharing isn't a necessary function of the
| website, they should be asking for consent before loading the
| libraries, or just using a locally-hosted icon pointing to a
| sharing link, so that the target social network gets the data
| only when the button is actually clicked.
| dijksterhuis wrote:
| Is a session cookie with datetime of access (and last visit
| somehow), so probably fine.
|
| not up on cookies and GDPR tbh, I deal with other types of
| data normally.
| frou_dh wrote:
| Invisible trackers aside, it's simply gross that local government
| sites have banner ads on them. Have some pride and/or taste!
| mpeg wrote:
| When you actually look at the sites, it's clear Brave hasn't
| done their homework or don't really understand the online ad
| ecosystem.
|
| For example, Enfield council (enfield.gov.uk) is using
| Google's ad server (DFP) set to show only internal ads. All
| their advertising is for cross-promoting projects and sites
| that Enfield council is involved with, including pest control,
| social lettings, a publicly-funded golf course, school meals...
|
| It's not showing ads from GDN (Google Display Network) or
| elsewhere, it seems to only show these internal promotions.
| eclipxe wrote:
| Brave's business model is fear mongering.
| tssva wrote:
| And extortion.
| wnoise wrote:
| Extortion would be threatening to reveal bad acts, in
| order to gain something from those threatened. If they
| always reveal bad acts, and don't even try to gain
| anything from the bad actors -- well, that's just plainly
| not extortion, nor even criminal in any way.
| tssva wrote:
| That would be blackmail. Extortion is "the practice of
| obtaining something, especially money, through force or
| threats." Brave extorts websites by threatening to block
| the site's chosen revenue stream and to instead earn
| revenues from visitors to the site unless the site uses
| Brave to funnel their revenues.
|
| I don't have an issue with ad blockers or alternative
| payment methods but the way Brave combines the two in my
| opinion amounts to extortion.
| wnoise wrote:
| Sure, I was focusing on the blackmail subset of
| extortion, because (a) this posting was discussing their
| releasing of information and (b) they can't actually use
| any _force_ or threats of force. Helping their users
| decline to provide tracking information on unless they
| and their users get a cut is also not extortion, because
| the website owners don't have a right to that
| information.
|
| You seem to believe that owners of websites have a
| natural right to their chosen business model, even if
| others don't wish to help enable that business model.
| gowld wrote:
| What's the difference between fear mongering and educating
| about risks?
| endorphone wrote:
| The difference is the beholder. If the beholder's income
| is threatened when people are educated about risks,
| they'll invariably declare it fear mongering.
| weekay wrote:
| You are missing the fact that Enfield council has RTB House,
| Criteo retargeting, Tru Optik demand side platform, OpenX,
| Districtm, msecnd, doubleclick, omnitag integrated as 3rd
| party. This doesn't make sense if the intent was purely to
| show internal ads. The implementation here seems to be no
| different to any other news site. As a visitor to the council
| website, I would expect that the same privacy levels and UX
| as that of gov.uk sites.
| velox_io wrote:
| GDS are bringing them together, slowly... I recently
| applied for Personal Independence Payments (PIP). And
| despite being a new 'system' plus the assessments are
| carried out by two large IT outsourcing companies (Capita &
| Atos). It is entirely paper-based (drive.google is blocked,
| they don't take emails...). If you request a copy of the
| report they photocopy the physical file and post it. They
| are so backwards it is unreal.
|
| Plus there's no provisions for an alternative format to the
| 30 page paper form. Not very independent if handwriting is
| an issue (the target demographic is people with
| disabilities).
|
| Don't get me started on the actual assessment/ assessor.
| (it's been a long day going through this stuff).
| rtb wrote:
| I think they understand it fine. As you say, the website is
| using Google's ad server. So it is sending detailed
| identifying info about each user to Google.
|
| Just because that has become normal for "the online ad
| ecosystem" over the past few years doesn't mean that it
| should be acceptable or that we cannot try to stop it.
| mpeg wrote:
| What is the alternative here? Should Enfield spend tax
| payer money creating an alternative tool to show banner ad
| cross-promotions and re-training their teams?
|
| Where do you stop? Is Google Analytics evil too? What about
| Twitter feeds?
| rtb wrote:
| The alternative is to not show ads.
|
| Yes, Google Analytics has many of the same problems. The
| alternative to that is to analyze the server logs or to
| simply not track your users' behaviour in detail.
| chriswarbo wrote:
| > Where do you stop? Is Google Analytics evil too?
|
| Absolutely.
|
| > What about Twitter feeds?
|
| In what context? Including/embedding Twitter cookies
| and/or Javascript in pages paid-for by citizens, which
| citizens are required to use to exercise their rights?
| Absolutely.
|
| As a non-exclusive outlet to disseminate information via
| an independent site (twitter.com), which anyone is free
| to avoid and ignore? That's fine.
| mpeg wrote:
| In reality, what happens is lots of council services
| (including police) use twitter as the main real-time
| source of information for citizens.
|
| Should they use an alternative platform? probably not,
| because twitter is the biggest and best known, so you
| could argue you can reach the most people with it.
| JohnFen wrote:
| > use twitter as the main real-time source of information
| for citizens.
|
| So they're excluding people who don't use twitter? Why
| can't their web pages be the main source of real-time
| information?
| Hoasi wrote:
| > Is Google Analytics evil too? What about Twitter feeds?
|
| Yes. Both bad.
| dboreham wrote:
| Sounds like a great business opportunity especially if we
| can lobby politicians to require "surveillance-free"
| services be used.
| shaoonb wrote:
| Why does Enfield council need to use adtech tracking to
| optimise their ads for other services? It's not like they are
| competing with anyone to deliver the most efficient services
| by fractions of a percent. Surely basic keyword targeted or
| completely untargeted ads are all they need.
| frou_dh wrote:
| In the PDF, this is the example of the banner ad they show:
|
| https://i.imgur.com/qwuU5Sx.png
|
| So the banner ads being strictly council related is certainly
| not universal.
| jszymborski wrote:
| Right, but are you suggesting that the Google ad servers are
| not going to use that information to sell to these visitors
| on other websites that are showing ads from the GDN?
| eclipxe wrote:
| Correct
| ulimn wrote:
| Incorrect
| mpeg wrote:
| I'm not a Google fan by any means, but DFP is the #1 ad
| server in the world and an industry standard, and I
| definitely don't think they would use DFP data to populate
| GDN segments because it would be a privacy nightmare.
|
| You have to consider DFP is a software tool, it would be
| like Slack selling your data so other SaaS can target you
| when you are talking about buying a new CMS.
| jszymborski wrote:
| "it would be a privacy nightmare."
|
| Right, but being a privacy nightmare is their business
| plan
| sandwell wrote:
| Especially since they are publicly funded, so UK citizens are
| paying to have their data transmitted to unknown parties and
| advertised at. Oh, and if you don't pay it? Fuck you.
| The government will send bailiffs to seize your property to pay
| the bill, or imprison you for up to 3 months.
| thomasedwards wrote:
| Probably something to do with the fact that central government
| has cut budgets for the last 10 years and if putting some
| banner ads on their website contributes to keeping a library
| open, it's hard to say no.
| Animats wrote:
| Here's the service promoting advertising on Government web sites
| in the UK.[1]
|
| From their FAQ:
|
| Q: _"Could the data collected be used to exploit individual
| circumstances?"_
|
| A: _"There is no intention to do this. In all forms of
| advertising, companies want to appear in front of the people most
| likely to buy their products or services."_
|
| _"Just as an advertiser will choose an ad space in a
| publication because of its readership and relevant editorial
| content, so an advertiser online will use data from cookies to
| target their ads to people who would be most interested."_
|
| _"So, a user browsing for information on a benefits webpage
| might be shown ads relevant for people on a budget, like for
| reduced price travel or supermarket price cuts on everyday items
| or a comparison website to find the best tariff on gas and
| electricity."_
|
| The Enfield council's cookie disclosure page includes cookies
| from most known trackers.[2] This is an amusing read.
|
| [1] https://can-digital.net/generating-income-from-council-websi...
| [2] https://new.enfield.gov.uk/privacy-notice/#6
| Nextgrid wrote:
| Seems like they aren't aware of the law or explicitly violating
| it and hoping to get away with it (which unfortunately isn't a
| bad strategy considering Google and Facebook are still around).
|
| The thing with the law (the GDPR in this case) is that it
| applies to everyone equally.
| It doesn't matter whether your intentions are good, if the law says
| you can't collect certain data without explicit user consent then
| you shouldn't be doing it regardless of how good your intentions
| are.
| throwawaylolx wrote:
| The title of the submission seems very much like a clickbait: the
| context makes it sound like it refers to government surveillance,
| not sending data to private American companies to serve ads.
| tomlong wrote:
| In the appendix table, South Oxfordshire is listed as South
| Oxfordshite.
| zionic wrote:
| Well that's just depressing. Having the fact that you accessed a
| government addiction help website packaged and commoditized then
| sold to the highest bidder just screams moral bankruptcy.
| blibble wrote:
| I suspect the root cause of this issue is the average web
| developer not realising that including any third party javascript
| gives total control of the page to whoever controls the included
| URL
| choathedolls wrote:
| The average developer knows this even if you're an absolute
| lover of all things JS.
|
| Whether or not the developers were forced to include them due
| to certain constraints is another issue.
| Grumbledour wrote:
| I am kind of sick of this excuse.
|
| While I suppose every developer here was in a situation where
| they had to include something they did not want, I also know
| that none of my colleagues would care or even think about
| including external scripts, trackers or other crap.
| Possibility would be high they would be the ones suggesting
| it. And I have met many developers who think that way. And
| looking at a plethora of open source projects, which many
| would assume should have many developers more conscious of
| these kind of issues suggest this is more than anecdotal
| evidence.
|
| Most people, developers included, probably even most
| developers on hacker news, don't care at all.
| We should not always try to push responsibility on someone else
| when it is us who builds this kind of crap often without even
| protesting.
| oefrha wrote:
| A better link would probably be the actual report, "Surveillance
| on UK council websites"
| https://brave.com/wp-content/uploads/2020/02/Surveillance-on...
|
| At least that report doesn't start every sentence with "Brave".
| dang wrote:
| Ok, we've changed the URL above to that from
| https://brave.com/ukcouncilsreport/. Thanks!
| nottorp wrote:
| [quote] This report should spur Elizabeth Denham, the UK
| Information Commissioner, to finally enforce the GDPR. It is 17
| months since formal evidence from Brave and complaints about
| breaches of data protection laws were filed before the ICO.
| [/quote]
|
| Oh really? Hello BRexit?
| gniv wrote:
| > Hello BRexit?
|
| I was curious about this and searched a bit. According to this
| website [1] the GDPR is still in force until the end of the
| year, and in addition there is a UK-GDPR law, very similar to
| the EU GDPR, which took effect on Feb 1st. So there are two
| regulations now, not zero.
|
| [1] https://www.cookiebot.com/en/uk-gdpr/
| 627467 wrote:
| I don't want to be overly critical here but if we rush to call
| this 'widespread surveillance' (intended or not) I worry that
| we'll quickly start losing words/expressions to describe the
| stuff that snowden unveiled or whatever the government does in
| China...
| shadowgovt wrote:
| The source for the story clearly has a specific political bias
| regarding its interpretation of privacy.
|
| That political bias doesn't impinge on the facts of the report
| though (merely that Brave believes it's worth surfacing
| loudly).
| alharith wrote:
| So the right to privacy is a political agenda item now? I
| don't get what you are saying, can you please clarify?
| licebmi__at__ wrote:
| Yes, anything related to the life on society and how we
| regulate it or not is "politics" and a particular political
| subject is pushed by any individual or group is a
| "political agenda item". If we act like politics is a dirty
| word, only the worst of us will involve in politics.
| shadowgovt wrote:
| Whether pseudonymized background data collection
| constitutes a violation of right to privacy is a hot-button
| political topic. The GDPR has put a stake in the ground on
| this but is not the final say on the matter.
| salawat wrote:
| How ya figure? It's same in type. Pervasive monitoring/metadata
| collection is an attack.
|
| PRISM/CALEA/ubiquitous surveillance via facial recognition,
| social credit scoring don't just magically stop being
| linguistically addressable because we've tossed another
| specific example into the generic bucket. It just means that
| we're getting better at identifying exploitative forms of
| unnecessary data collection.
|
| Unless I'm reading your statement wrong, I'm just not seeing
| where your worry comes into play. There's no Orwellian language
| leak there, and I'm usually pretty sensitive to that just
| because it does drive me nuts when people try to do that
| intentionally.
| pier25 wrote:
| Sorry for the editorialized title but it was too long...
| dang wrote:
| That wasn't editorialized, that was a gallant attempt to fit
| both the site guidelines and the 80 char limit. The only thing
| I'd have done differently was take out "Brave" from the title,
| since it's in the domain next to the title, and since they
| provide enough mentions of "Brave" themselves. (Submitted title
| was "Brave uncovers widespread surveillance of UK citizens on
| UK council websites".)
|
| It's moot now because we switched to the pdf and taken its
| shorter title.
| pier25 wrote:
| > that was a gallant attempt to fit both the site guidelines
| and the 80 char limit
|
| Well thank you kind sir
| motohagiography wrote:
| It's quite likely a contracted web developer is using a "free"
| library that had these trackers built into it.
|
| It's also possible this is corruption, as it's a question of
| where the revenue from that data was going. If it's going to some
| web developer's account that's a problem.
|
| The RTB aspect of this story makes it clearly disingenuous, but
| getting interaction data to improve services is something you
| would expect a progressive public service to do. Crying wolf on
| this could do a lot more harm than good to the risk averse
| cultures of public services. I hope they've got the story right.
| shadowgovt wrote:
| "This report should spur Elizabeth Denham, the UK Information
| Commissioner, to finally enforce the GDPR."
|
| What is the status of GDPR in the UK now that Brexit has
| occurred? Is the UK still beholden to the terms of the law, or
| does the UK have a parallel law that applies now that they're no
| longer part of the EU?
| rux wrote:
| GDPR is currently entirely valid and enforced until December
| 2020. After that point it is believed that an entirely
| compatible law will continue to exist - currently the
| understanding is that the UK will be considered to have
| adequate equivalency therefore making it a safe third party
| country to transmit data for processing. No hard guarantees
| until the end of the year though.
| throwawaylolx wrote:
| The entire article and "report" are so aggressive that it makes
| it difficult to extract any nuance out of it other than that I
| should use Brave.
|
| Is the core issue that council websites are using real-time
| bidding for their ads? Is this specific to the UK?
| sandwell wrote:
| > Is the core issue that council websites are using real-time
| bidding for their ads?
|
| Yes.
| These websites are used to support a variety of public
| services, e.g. disability, poverty, drugs, or alcoholism
| services.
|
| Brave believes that sending tracking information about people
| accessing this information is a breach of privacy.
| throwawaylolx wrote:
| And is "real-time bidding" an otherwise uncommon ad strategy
| that is relatively specific to these websites? If it is,
| then I can understand the alarmism, but otherwise this news
| can be compressed to "UK council websites use targeted ads,"
| right?
| farazbabar wrote:
| No. The issue is the means used to target ads on this site
| are transmitted back to ad servers and used outside this
| context which is a nightmare scenario.
| throwawaylolx wrote:
| Is this not how targeted ads are expected to work?
| komali2 wrote:
| Why are there ads on a website funded by taxes?
| scarejunba wrote:
| In order to easily cross-promote other services with
| suppression and retargeting. Someone able to edit some
| content can do it rather than requiring the CMS to
| support this and training the council staff on this.
| chriswarbo wrote:
| > is "real-time bidding" an otherwise uncommon ad strategy
| that is relatively specific to the these websites?
|
| The alarm does not come from the technology being uncommon,
| it comes from _these sites_ being uncommon. In particular,
| there aren't many sites which millions of people may
| rely-on/be-directed-to in order to exercise their rights (e.g.
| to healthcare and social services), or even for their life
| or their friend's/family's.
|
| The argument of "if you don't like it, don't use it"
| doesn't apply here. It's especially egregious that these
| sites are built and operated using public money, so we're
| paying for it regardless.
| whalesalad wrote:
| I guess the irony of a 'tweet this' href after every single
| bullet point was lost on the author.
| awinter-py wrote:
| I've been on government sites (ny.gov, IIRC) that use
| google-provided captchas for form submissions
|
| sucks but not sure it's immoral -- submission fraud is a hard
| problem to deal with and if captchas help, .gov should use them
| CommanderData wrote:
| Interested in some of these comments, no doubt places like these
| are getting astroturfed more and more.
| toyg wrote:
| Council are the victims here. They are forced to debase
| themselves because central government, in the Tory era since
| 2010, simply offloads competencies to local authorities, without
| allocating extra funds or even slashing existing ones. So the
| priority has become to keep the lights on and find every way
| possible to monetize anything remotely monetizable, from parking
| to this (as well as cutting tons of jobs, closing libraries and
| so on). Councils are literally going bankrupt, but voters can't
| make the link and keep voting for "low taxes" in Westminster and
| "the Council should do everything" at home, then complain when
| pigs can't manage to lift off and fly.
| mattlondon wrote:
| The tax burden is high. They could certainly do with reducing
| it in my personal opinion.
|
| A leaflet comes through the door every year or so telling me
| how much they spend in the local council. Usually the highest
| amount is not on schools, not on libraries, not on health, not
| on sweeping the streets or maintaining parks and playgrounds
| etc, but on "adult social care" (1) which as far as I know is a
| euphemism for benefits handouts for the baby-boomer generation.
|
| It feels to me like an unrealistic burden is being placed on
| the current working generation to gold-plate the retirements of
| the current pensioners (because they tend to vote a lot), who
| frankly have got it pretty fucking good (not just free
| university education, but they got _grants_ (i.e.
| free money), were able to purchase cheap and decent quality housing at
| relatively low salary multiples (e.g. detached 4 bed in nice
| areas for 3x average salary in the 60s & 70s), excellent
| pensions (often from the public sector), free travel, free tv
| licenses, jumping to the front of the queue in the NHS, free
| money for heating their homes etc etc, the pension triple-lock
| of a guaranteed 2.5% increase at a minimum etc, when working
| age people are lucky to get _anything_ in their gig/zero-hours
| contract etc).
|
| There has been talk of inter-generational fairness a bit (at
| least before brexit took over). I hope something is done.
| </bitter>
|
| 1 - https://engage.barnet.gov.uk/1730/documents/1919
| [deleted]
| Scoundreller wrote:
| That kind of fiscal << downloading >> is also a way to keep
| wealth within your council, and poor areas can just get bent
| because they'll have more needs, but the least ability to get
| revenue.
|
| (If council's primary revenue source is council tax within
| their own council).
| adwww wrote:
| That would be nice... but councils can only increase tax by
| <2% per year, and most of their revenue comes from a 'grant'
| by central government, which has been cut ~40% in the last
| decade.
| weekay wrote:
| What is interesting is the fact that none of the revenue / income
| from advertising if any, is showing in the accounts of the
| council. Checked a few at random and none of the account
| statements mention income from ads. Begs the question then not
| just of moral bankruptcy but of accounting this. If it's not
| implemented for income to the council then why?
| asdfasdf1231 wrote:
| > If it's not implemented for income to the council then why
|
| analytics? To better serve you? to think-of-the-children?
| godelski wrote:
| Careful, some people may not pick up on that sarcasm.
| gowld wrote:
| Did you cross-reference to the councils whose websites are
| serving ads?
|
| Perhaps the ads are run by 3rd party web hosting providers.
| Just a guess.
| jsmith99 wrote:
| They would be unlikely to report an income stream separately
| unless it was material. Materiality is a matter of judgement
| but most auditors would use about 1% of revenue.
| pier25 wrote:
| Maybe there is a document somewhere that enforces certain
| practices when making websites for public institutions?
| lbriner wrote:
| Unfortunately not, otherwise it would be easier to enforce
| consistency. The simple truth is that councils like many
| companies are not specialist developers but are expected to
| run high-quality web applications. Add in some Consultants
| who may have conflicting interests or lack of knowledge,
| semi-skilled staff, a friend-of-a-friend who told you to use
| X on your site, third-party web developers and a marketing
| team who need the "analytics" and you end up with this mess.
|
| Like many companies, GDPR seems right down the list. The most
| troubling part of all for me was that the ICO acknowledged
| the illegality but didn't follow up. Sums up Britain to a
| tee!
|
| (I'm a Brit)
| butler14 wrote:
| This is one of the downsides of using an ad-blocker
|
| It's literally never occurred to me, as a user of these websites,
| that local government websites would even have adverts on them --
| let alone Google AdSense / junk from Google's Display Network.
| gumby wrote:
| How is that a downside?
| butler14 wrote:
| I thought that was self explanatory.
|
| But lozaning has done a perfectly eloquent job of explaining
| above.
| basilgohar wrote:
| How is this a downside to using an ad-blocker? I think it's
| quite the opposite. An ad-blocker would prevent most of this
| external JS from being loaded.
| pavel_lishin wrote:
| Can't wait for the bite if you don't hear the bark.
| lozaning wrote: | I've so successfully created a personal technology | environment that hides ads, that I have no situational | awareness about what these companies are up to. | | If someone out there is selling my healthcare data and | running ads around it directed towards just me, I'd never | know, but I'd want to. | JohnFen wrote: | So block tracking, not ads. | dspillett wrote: | Unfortunately the two are often intimately linked, so | that is not really practical. | JohnFen wrote: | I'm not sure what you mean. You're right that the two are | usually intimately linked. What I've found by blocking | tracking is that as a result of this intertwining, | blocking tracking usually also blocks the advertising | engaging in the spying. | | I don't use an adblocker. I block tracking. It's pretty | nearly as effective as an adblocker, so that seems | practical to me. | dspillett wrote: | A key concern I have (though it doesn't stop me blocking ads) | is that I won't know if a site is normally full of the worst | sort of ads (malware install attempts, auto-playing video & | audio, tracking up the wazoo & back, ...) and I could send a | link to people who _are_ going to be affected because they | are not protected by similar blocking. | | So not a downside directly, but a risk of lacking awareness. | choathedolls wrote: | Most extensions show a badge with how many ads have been | blocked. From there, some of them also include loggers or | similar tools to see exactly which scripts, assets, etc. are | being blocked (personally, uBlock's "overview panel" is | fantastic for this). All without having to disable your | adblocker to check. | | So no downside, other than being even more frustrated with the | current ad-hellhole. | dspillett wrote: | _> Most extensions ..._ | | This is fine for client based blocking, but it is not possible | for network level blocking, such as using a pi-hole instance | as your main local resolver.
| Nursie wrote: | It's hardly news that most of the UK government websites, either | at the local or national level, report all your activity to | foreign corporations, particularly google analytics. | | I've raised this with the website creators through their helpdesk | system, and on here when they've posted, but been either told | that it's fine (they anonymise the data! We trust them!) or just | ignored. It doesn't seem to sink in that giving such a company | complete and unfettered access to details on how the UK public | interacts with its own government might be a problem. | Normal_gaussian wrote: | It may be hardly news to you; but it is to me. | | --- | | I've just taken a look around my local council's site. I've gone | onto the benefits pages, the disability pages, and a few random | pages. | | There are literally zero trackers here. I have a first party | cookie set to the value "1". All images and JS are served first | party, with the exception of typekit (adobe) fonts. All images | and JS are, without a deep dive, benign. | | https://www.testvalley.gov.uk/ | dboreham wrote: | Pretty hard core to invent a whole local government for test | purposes.. | Nursie wrote: | Ha, this came up the other day. Non technical guy suggests | we just insert 'Test' into the distinguished name of | certificates we want to mark as 'not for production'. | | We pointed out that one of the many reasons that's a | terrible idea is that the Test Valley exists. | salawat wrote: | Humorous solution: Add test_not_the_valley to all non-prod | certificates. | | I'll see myself out. | | On a more serious note: | | Add "testing", "dev", "qa", "internal", or "non-prod" | instead. At least those are my goto's for establishing | multi-environment separation of configuration data | through namespace separation. | | It isn't an inherently bad way of going about things as | long as you keep it consistent and do your best to | automate it. | Nursie wrote: | Get in the sea!
| | I prefer to make sure we use a different signing | authority, just to be sure. But I didn't give enough | context to clue in the reader that that was an option :) | Nursie wrote: | Perhaps my turn of phrase was less than ideal there.... but | yeah, I've been pissed off about this for a while but got | nowhere. | | Some of the stuff in this report is worse, of course, than | just including GA. | | (edit - Just looked at test valley site there, it brings in | google analytics, though seems clean otherwise. Also Hey | neighbour! I'm based in Southampton at the moment) | Normal_gaussian wrote: | Ahh, the part after the hyphens is something I wrote after | the initial comment. I didn't mean it to sound so abrupt. | | Notably my test method was completely and utterly flawed - | I used a Firefox Private Browsing window forgetting it | blocks content-trackers (like GA). Still, having now | visited it properly it is as you say. | | And Hey! I'm down in soton every week :D | foxyv wrote: | Advertising is starting to edge towards the side of "Universal | Evil." We need some serious regulatory controls on this stuff | because it is getting out of control. GDPR is a step in the right | direction, but sites and advertisers are pretty much flouting it | at this point. | eclipxe wrote: | Why is it starting to edge towards "Universal Evil"? | JohnFen wrote: | Because its spying tentacles keep expanding to more and more | places. | paulcarroty wrote: | UK has the biggest number of cameras per m^2 in world. Sadly, | it's a common pattern. | | Cool business idea: Mr Robot style hoodie with tracking | protection. | theseadroid wrote: | And only by then you'll realize how many people don't really | care and the ones wearing the hoodie will be singled out with | special attention from state. | dnh44 wrote: | Well someone has been fined for disorderly behaviour for | covering their face. | | https://www.dailymail.co.uk/news/article-7036141/Police-fine...
___________________________________________________________________ (page generated 2020-02-05 23:00 UTC)