In some countries up to 90% of governmental websites add third-party tracker cookies without users’ consent. This occurs even in countries with strict user privacy laws, according to researchers Matthias Götze (TU Berlin), Srdjan Matic (IMDEA Software), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft) and Nikolaos Laoutaris (IMDEA Networks).
The researchers considered studying the behavior of government websites and their compliance or non-compliance with data protection laws during the COVID-19 pandemic, a time when citizen information was provided through official websites of international organizations and governments. “Our results indicate that official governmental, international organizations’ websites and other sites that serve public health information related to COVID-19 are not held to higher standards regarding respecting user privacy than the rest of the web, which is an oxymoron given the push of many of those governments for enforcing GDPR,” comments Nikolaos Laoutaris, Research Professor at IMDEA Networks.
A total of 5,500 websites of international organizations, official COVID-19 information and governments of G20 countries were analyzed: Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Mexico, Russia, Saudi Arabia, South Africa, South Korea, Turkey, UK and USA.
Types of cookies
There are several types of cookies. “There are first-party cookies, which are those created by the visited website itself, while third-party cookies are those commonly created by external agents through content embedded in the website. In addition, there is the cookie ghostwriting, in which an external entity creates the cookie on behalf of another party and therefore its origin is unknown”, highlights Srdjan Matic, Research Assistant Professor at IMDEA Software.
This paper also distinguishes between cookies by their duration: session cookies active only during the visit to the page or persistent cookies of short, medium or long duration.
Results: G20 government websites
Most of the websites of the G20 countries analyzed install at least one cookie without the user’s consent. Japan is the country with the lowest percentage of websites with cookies, with 77.2%, and South Korea, Saudi Arabia and Indonesia lead the ranking with almost 100%.
Together, third-party cookies and third-party tracking cookies add up from about 30% in the case of Germany to 95% in the case of Russia. Germany is the only country where this percentage decreases significantly, with only 9% of official websites including a TPT cookie.
In 16 of the 19 countries analyzed, more than 50% of TP and TPT cookies take more than one day to expire.
The study shows that around 95% of the websites of international organizations set cookies and around 60% of these websites use at least one third-party cookie. Matic explains that “there are no special measures to neutralize third-party cookies on these websites since 52% of the websites of international organizations set at least one cookie associated with a tracker”.
Results: COVID-19 wbsites
More than 99% of the websites analyzed in the COVID-19 information study add at least one cookie without the user’s consent. In contrast, there is a lower presence of third-party cookies, at around 62%.
As Laoutaris points out, with this publication the research team aims to “put more pressure on governments to clean up their own house first and, by doing so, set an example and be more convincing about the importance of implementing the GDPR in practice”.