Last Updated:

Who tracks me?

Tane Harre
Tane Harre Privacy

Earlier this week arXiv from the Cornell University Library released one of the first papers to study who is tracking users in depth. The data was sourced by Who Tracks Me using more than 780 million page loads over the course of 10 months. Previous attempts at measuring tracking on the Internet were flawed as the didn’t replicate actual users interacting with web pages. WhoTracks.me used Cliqz and Ghostery Anti-Tracking data (consented to by users) to collect the data and have released it on their website.

The new data points to the prevalence of tracking with 77% of pages having at least one tracker present and individual trackers present on 60% of the top 1,000,000 websites. These trackers are hidden and in most cases users don’t know they are connected to a third party service.

New Zealand is no exception to these third party services. They are attached to pages that we should be able to trust and assume we can. The Mental Health Foundation of New Zealand website has 19 third party services, IRD has 14, WINZ has 2, Womans Refuge New Zealand has 23 and the New Zealand Labour Party has 14. In many cases these third party services are semi legitimate in that they make calls to a service that makes the website operate such as to a font service. But since I didn’t connect to the font service by choice and it wasn’t revealed to me that I was connecting to it then they are also quite morally dubious.

If you take Womans Refuge New Zealand (sorry , you had the most) then the third party sites you are attached to include;

Google

  • www.gstatic.com
  • maps.googleapis.com
  • ajax.googleapis.com
  • fonts.googleapis.com
  • googleads.g.doubleclick.net
  • www.google-analytics.com
  • www.google.com
  • www.youtube.com
  • s.ytimg.com
  • static.doubleclick.net

Google and Youtube are mixed together here as they are both owned by Alphabet. At first glance there are things that could be considered legitimately attached to the page. Font and script calls, maps and a call to Youtube as there is a video on the page. So leaving out the fact that by going to the page you have informed Google of your connection to the Womans Refuge website I can accept that they might serve some purpose to me as the person begin served the page.

However, both of the doubleclick.net addresses are used for Ad serving, Ad delivery and Behavioral targeting. Basically Google uses the information to target you for advertising basing the ads content on your browsing.

Stripe

  • m.stripe.com
  • js.stripe.com
  • m.stripe.network

Stripe is a payments network and is on the page as there is a donations form. A Polisis analysis of their Privacy Policy 3rd Party sharing show there is a large amount of information gathered by Stripe and around a quarter of the information collected has no specified purpose.

Adobe

  • p.typekit.net
  • use.typekit.net

Typekit is a font service from Adobe. It’s Privacy Policy is short but unfortunately doesn’t specify what it means. An example is,”Adobe uses the information received from third party websites using Typekit fonts to provision the Typekit service. Such information is also used to diagnose delivery or download problems and to pay font foundries.” Short, but what do they mean by provision the Typekit service?

Vega

  • connect.vega.works
  • dashboard.vega.works

Vega is a global software company specializing in the community, club and charity sector. It is based in Auckland (Go NZ!). They also have a short Privacy Policy and it places a lot of emphasis on the protection of personal information. The down sides are that they are collecting personal information in the first place, they don’t specify what other information is being collected or how it is used and they don’t specify what information is considered personal and which isn’t.

Ezidebit

  • static.ezdebit.com.au

Ezidebit is a payments provider based in Australia, part of Global Payments Inc. Their Privacy Policy states “they collect personal information and share it with third parties including for the purposes of marketing”.

MaxCDN

  • maxcdn.bootstrapcdn.com

MaxCDN is a content distribution network. I was unable to find what their policy was for non-customer information.

Taranaki Women’s Refuge

  • a1test.info

I am unsure why this page is connected or what it is serving. As their website developer is A1 Websites it would appear to be for a website in testing. It is part of the Womens Refuge network though so probably not tracking.

jQuery Foundation

  • code.jquery.com

The URL is from the jQuery Foundation in order to serve javascript for the web-page.

GoDaddy

  • seal.godaddy.com

Go Daddy provides a protected site seal for the website. They also collect information, share it with third parties and use it for, processing credit card payment, serving advertisements, conducting contests or surveys, performing analysis of our Services and customers demographics, communicating with you, such as by way email or survey delivery, and customer relationship management.

Who tracks me? – In conclusion

Just taking this one website it is obvious that there is a large amount of data that could be leaked about the users of the site. A site that should be trusted and is used by some of the most vulnerable members of New Zealand society is unknowingly connecting them to 9 different companies. Some of whom appear to collect their information without their knowledge or informed consent.

To make matters worse, many of the privacy policies attached to those companies use the word customer and that brings up a new problem. The customer is the website paying for the services, not the people using it. It is possible this makes large amounts of the privacy policies non existent when applied to  the users of the site. That information can be used to target those people with advertising, media, politics, news. There are lists in other countries of people suffering from rape. We don’t want a list of New Zealand woman suffering from abuse. We need to start protecting our on-line privacy and we need to do it now. If you don’t believe me then get Firefox and install the Lightbeam addon for a week and see how many third party sites you connect to.