Commercial sites are not the only ones to collect data on our personal activities. Governments around the world are using, sometimes unknowingly, the same tracking techniques as the private companies they are trying to regulate.
According to a study by Concordia University, 37% of Android apps and 17% of government sites have Google trackers.
“It’s problematic because people [y] enter very sensitive information, and there is no alternative solution”, reacts Nayanamana Samarasinghe, who co-wrote the study. Users can “expect to be tracked [sur les sites commerciaux], since nothing is free. But government sites don’t rely on ad revenue,” he says.
The doctoral candidate considers the practice “dangerous”, since once the data has been collected, “we do not know if the tracers resell the information, what is the volume and who holds it. It’s getting out of hand.”
Some cookies are, for example, capable of recording what is written in a form, without the said form even being sent. Information collected from government sites and commercial sites can then be combined to better identify the user. An insurance company could thus know the state of health of a citizen who would have previously described it in a government form.
However, the researcher specifies that he has not identified this type of tracer in Canada.
And in Quebec?
A year after the experiments, Mr. Samarasinghe has identified at least two sites in Canada that still use tracers, including one in Quebec.
When a user visits the Épargne Placements Québec (EPQ) website, without even logging into an account, a YouTube cookie, which belongs to Google, tracks their data.
This is due to the presence of an embedded YouTube video on the home page of the website. “Although these Cookies can be used for legitimate purposes, such as sharing a video,” Samarasinghe said “the government should avoid reliance on third-party libraries.”
Contacted by The duty, the Ministry of Finance reacted quickly to the researcher’s findings. “EPQ is taking the necessary measures to no longer allow cookies installed by YouTube when citizens want to view promotional videos from the site,” said the ministry’s communications advisor, Philippe Bérubé, by email. “There is no issue of computer security and protection of personal information,” he added.
The website of the Canada Mortgage and Housing Corporation (CMHC) includes a cookies of Twitter, which expires in 2039. In France, the National Commission for Computing and Liberties recommends that the lifespan of tracers should not extend beyond thirteen months.
She also contacted by The duty, CMHC said in an email that it does not collect “personal or sensitive information through the Twitter cookie. The use of this Twitter functionality is linked to the users’ experience, offering them the possibility of easily sharing our content” on the social network.
The federal agency specifies that “most browsers allow […] to activate or block cookies” and says it is considering integrating a “pop-up window for acceptance or refusal” of tracers.
But even with a tracker-blocking browser extension, some slip through the cracks. “There is no 100% effective solution at the moment, let alone for people who know little about computers,” says the researcher.
An unintentional practice
Mr. Samarasinghe clarified that tracers are not always placed voluntarily by governments.
Depending on the budget allocated to the development of a site or an application, the States can call on subcontracting firms, which use the same template as for commercial sites. Developers and governments would therefore not always be “aware” of these security flaws.
Voluntary or not, it remains that the practice is contradictory, believes the researcher. “Governments impose regulations for commercial companies to ensure users’ personal information is protected, but they don’t look inside [de leurs propres sites] “, raises Mr. Samarasinghe, who judges that the presence of tracers in the European Union and in California, where the rules are stricter, is all the more paradoxical.
“In addition to raising awareness [les gouvernements et les développeurs]we would like them to take these kinds of issues seriously and scrutinize their sites as they do commercial sites, [et ce,] in the interest of their own citizens. »
This content is produced in collaboration with Concordia University.