Up to 90% of governmental websites include cookies of third-party trackers
IMDEA NETWORKS INSTITUTE/DICYT Researchers Matthias Götze (TU Berlin), Srdjan Matic (IMDEA Software), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft), and Nikolaos Laoutaris (IMDEA Networks) have presented at the ‘Web Science Conference’ the paper: “Measuring Web Cookies in Governmental Websites”, in which they investigate governmental websites of G20 countries and evaluate to what extent visits to these sites are tracked by third parties.
The results reveal that in some countries up to 90% of these websites add third-party tracker cookies without users’ consent. This occurs even in countries with strict user privacy laws.
The study
Previous studies have shown the widespread use of cookies to track users on websites on an unprecedented scale but this had not been studied so far on government sites.
The researchers considered studying the behavior of government websites and their compliance or non-compliance with data protection laws during the COVID-19 pandemic, a time when citizen information was provided through official websites of international organizations and governments. “Our results indicate that official governmental, international organizations’ websites and other sites that serve public health information related to COVID-19 are not held to higher standards regarding respecting user privacy than the rest of the web, which is an oxymoron given the push of many of those governments for enforcing GDPR,” comments Nikolaos Laoutaris, Research Professor at IMDEA Networks.
A total of 5,500 websites of international organizations, official COVID-19 information, and governments of G20 countries were analyzed: Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Mexico, Russia, Saudi Arabia, South Africa, South Korea, Turkey, UK, and the USA.
Methodology: types of cookies
There are several types of cookies. “Two primary types of cookies: first-party cookies that are issued by the visited website, and third-party ones which are typically created by external parties embedded in a webpage”, highlights Srdjan Matic, Researcher at IMDEA Software.
This paper also distinguishes between cookies by their duration: session cookies active only during the visit to the page or persistent cookies of short, medium or long duration.
Results: G20 government websites
Most of the websites of the G20 countries created at least one cookie without the user’s consent. Japan is the country with the lowest percentage of websites with cookies, with 77.2%, and South Korea, Saudi Arabia, and Indonesia lead the ranking with almost 100%.
With respect to the third-party cookies, the paper differentiates between generic third parties (TP) and third-party cookies originating from known trackers (TPT). Overall TP cookies range from 30% in the case of Germany, up to 95% for countries such as Russia. Germany is the only country where this percentage decreases significantly, with only 9% of official websites including a TPT cookie. In 16 of the 19 analyzed countries more than half of the TP cookies last at least one day.
France and China lead the ranking with around 70% of TP and TPT cookies expiring after more than one year.
Results: International Organizations websites
The study shows that around 95% of the websites of international organizations set cookies and around 60% of these websites use at least one third-party (TP) cookie. Matic explains that ” it seems that there is no special care in designing those webpages since 52% of websites of international organizations set at least one TPT cookie”.
Results: COVID-19 Websites
More than 99% of the websites analyzed in the COVID-19 information study add at least one cookie without the user’s consent. In contrast, there is a lower presence of third-party (TP) cookies, at around 62%.
As Laoutaris points out, with this publication the research team aims to “put more pressure on governments to clean up their own house first and, by doing so, set an example and be more convincing about the importance of implementing the GDPR in practice”.