Researchers Matthias Götze (TU Berlin), Srdjan Matic (IMDEA Software), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft) and Nikolaos Laoutaris (IMDEA Networks) have presented at the 'Web Science Conference' the paper: "Measuring Web Cookies in Governmental Websites", in which they investigate governmental websites of G20 countries and evaluate to what extent visits to these sites are tracked by third parties.
The results reveal that in some countries up to 90% of these websites add third-party tracker cookies without users' consent. This occurs even in countries with strict user privacy laws.
The researchers considered studying the behavior of government websites and their compliance or non-compliance with data protection laws during the COVID-19 pandemic, a time when citizen information was provided through official websites of international organizations and governments. "Our results indicate that official governmental, international organizations' websites and other sites that serve public health information related to COVID-19 are not held to higher standards regarding respecting user privacy than the rest of the web, which is an oxymoron given the push of many of those governments for enforcing GDPR," comments Nikolaos Laoutaris, Research Professor at IMDEA Networks.
A total of 5,500 websites of international organizations, official COVID-19 information and governments of G20 countries were analyzed: Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Mexico, Russia, Saudi Arabia, South Africa, South Korea, Turkey, UK and USA.
Methodology: types of cookies
There are several types of cookies. “There are first-party cookies, which are those created by the visited website itself, while third-party cookies are those commonly created by external agents through content embedded in the website. In addition, there is the cookie ghostwriting, in which an external entity creates the cookie on behalf of another party and therefore its origin is unknown”, highlights Srdjan Matic, Research Assistant Professor at IMDEA Software.
This paper also distinguishes between cookies by their duration: session cookies active only during the visit to the page or persistent cookies of short, medium or long duration.
Results: G20 government websites
Most of the websites of the G20 countries analyzed install at least one cookie without the user's consent. Japan is the country with the lowest percentage of websites with cookies, with 77.2%, and South Korea, Saudi Arabia and Indonesia lead the ranking with almost 100%.
Figure 1. Percentage of government websites (number in parenthesis) that contain ≥ 1 cookie per G20 country.
Of the cookies located the article analyzes the number of third-party cookies (TP) and third-party tracking cookies (TPT). Together, they add up from about 30% in the case of Germany to 95% in the case of Russia. Germany is the only country where this percentage decreases significantly, with only 9% of official websites including a TPT cookie.
Figure 3. Percentage of government websites with third-party (TP) and third-party tracker (TPT) cookies per G20 country.
In 16 of the 19 countries analyzed, more than 50% of TP and TPT cookies take more than one day to expire.
Figure 5. Percentage of TP and third-party trackers (TPT) cookies with expire times ≥ a day for G20 countries.
In the table below, the cookie expiration times divided by first party, TP and TPT by country are shown. France leads the ranking of countries for TP and TPT of more than one-year duration.
Figure 7. Expiration times for first-party (FP), third-party (TP), and third-party trackers’ (TPT) cookies at G20 countries.
Results: International Organizations websites
The study shows that around 95% of the websites of international organizations set cookies and around 60% of these websites use at least one third-party (TP) cookie. Matic explains that "there are no special measures to neutralize third-party cookies on these websites since 52% of the websites of international organizations set at least one cookie associated with a tracker (TPT)".
Results: COVID-19 Websites
More than 99% of the websites analyzed in the COVID-19 information study add at least one cookie without the user's consent. In contrast, there is a lower presence of third-party (TP) cookies, at around 62%.
As Laoutaris points out, with this publication the research team aims to "put more pressure on governments to clean up their own house first and, by doing so, set an example and be more convincing about the importance of implementing the GDPR in practice".