Sunday, 18 September 2016

mindless data sharing

with the internet came massive tracking of its users. it was inevitable. it can not be stopped, nor be reversed. what can be done though, is to work on guidelines for tracking, and increase people's awareness about privacy.

personally i believe a great rule of conduct, when using the internet, should be:
"every action you do, observed by an internet device, can be tracked by someone you can not trust".

i am exaggerating here. a lot. i know. however, i would argue that exaggeration is sometimes useful. why not be careful, instead of getting surprised? there are already plenty of examples of systems that were thought to be safe having sensitive information revealed. the most paradoxical example is when snowden published top secrets about nsa's massive surveillance.

when it comes to online tracking you have some major players, next to the state-sponsored surveillance. the first commercial "tracking company" to pop up in my mind is google, also known as alphabet.

in 2005 google acquired urchin, a service now recognised as google analytics. google has kept this service "free". users of google analytics get wonderful features for the cost of sharing all their user data with google. google analytics is the most widely used tracking tool on the internet. most likely the majority of websites you visit have google analytics tracking code "installed". from wikipedia: "[google analytics is] currently in use on around 55% of the 10,000 most popular websites". the tool is cross platform, with the goal of enabling tracking on any device.

the knowledge google analytics gives google is massive. since their tool is widely used, they can follow people's actions around the internet. they can follow the same user, across sites, and across devices. they continually gather data, from every service you use under their control, or every page using their code. next to google analytics, google provides a lot of other services, like google tag manager, google plus buttons, google hosted libraries and google hosted content, android phones, google chrome, chrome os, blogger. and the list goes on, and on. over the years google has increasingly tracked more information about its users. in 2012 google updated their privacy policy. they removed the privacy-protective separations between different google services. that means they can cross-reference and store data from all their services, in one massive database. one result of this is that google analytics can deliver detailed demographics and interest reports.

most likely google knows very much about you. like where you live, your sex, your age, your interests, who your friends and family are, where you are located throughout the day. how fast you are walking, or driving. i could go on. there should be no need though. you get my point.

i sold my soul to google a long time ago. they know what there is to know about me, more or less. one key difference between myself and several i discuss this issue with, is the awareness. as well, if i really want to go private, on the internet, i have a few tricks up my sleeve, which at least give me some protection. like using a different internet connection than my own, via tails os through tor. having said that, if a government somewhere has flagged me as an interesting subject, worth tracking (no idea why they should do this though, and i don't think they are doing it either), they would most likely have some nifty low level code running on all my devices already. code that captures data before it gets encrypted.

ok. time for me to get to the point. a few days ago i got an email from the ministry of health here in norway (helsedirektoratet). the info stated i had gotten an online health journal. it also stated that strict guidelines related to safety and privacy were followed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have been given a kjernejournal
You are receiving this e-mail because Helsedirektoratet has created a kjernejournal (summary care record) for you. The kjernejournal is made so that health personnel can give you better treatment.

The kjernejournal shows selected health information, but is not a complete medical record. It does not replace the record you have at your doctor.

With your kjernejournal, emergency clinics, hospitals and general practitioners quickly get access to the same updated information about you. If you do not have a kjernejournal, the information about you is only stored in records at each place where you have received treatment.

The kjernejournal meets strict requirements for security and privacy. Only health personnel get access to your kjernejournal, via their record system.

You can find your kjernejournal yourself by going to helsenorge.no and logging in to Min helse. Here you can see all the information stored about you, change your privacy settings, add your own information and see which health personnel have opened your kjernejournal. You can also read more about kjernejournal.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

as soon as i visited helsenorge.no i saw that google analytics was used for tracking users. at the time of writing the following tracking code is executed:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
var query = document.location.search;
var hash = document.location.hash.replace('#k=', '');
if (hash) {
  if (query) {
    query += '&k=' + hash;
  } else {
    query += '?k=' + hash;
  }
}
ga('create', 'UA-23869685-1', 'auto');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview', {'page' : document.location.pathname + query});
 </script>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

this is standard google analytics tracking code, with the exception of the tag "ga('set', 'anonymizeIp', true);". this tag, or feature, disables storage of users' ip addresses with google analytics.

but does this tag prevent google from identifying you as a user? no! you might be logged in to some google service, somewhere else. there is most likely already a google analytics tracking cookie on your device. via other internet services, owned by google, or using tracking code from google, google has already gotten your ip address and loads more information about you. so google might very well know who you are when you visit helsenorge.no. technically there is nothing that prevents google from tracking all your actions on helsenorge.no. i can see nowhere in the documentation that google says this is not done, using "anonymizeIp" or not. i might be wrong here. if i am, please do set me straight.

we should be aware that google can, on their side, choose to ignore the 'anonymizeIp' setting. they can store it all. i am not saying they are doing this. i am pretty sure google doesn't want a new "wiretap case". in the end you just have to choose to trust a company or not. google's corporate motto is "don't be evil". so that means they are not evil, right? not being a tad evil, even if their shareholders are unhappy with their earnings? i find their slogan weird. i have never heard anyone genuinely good having a motto "don't be evil". because someone being good not being evil is a matter of course. and they don't need to state this about how they should act. and how does google define evil? it might only be me, having these thoughts. and despite these thoughts i still use google services every day of my life.

another aspect to consider is that no one, not even sergey brin or larry page, can know for sure where google is 10, 20 or 30 years from now. the same goes for all the data google is collecting and storing. including data from your visits to helsenorge.no, like when ordering free condoms or reading about "als". very interesting data. what would happen if google, or alphabet, would end up in the insurance business? or if they would start selling data to insurance companies?

there might be no need to worry at all. there are a lot of positive outcomes of google's data collection. they develop amazing services, for "free". they do amazing research into new technology. they have some great visions of the future of humanity. as stated above, i am fully aware that google knows all about me, and even so i keep using their services. personally, i am not that worried.

despite this, it still worries me that a page like helsenorge.no, a governmental health portal for norwegians, is using google analytics for tracking its users. most users are not tech savvy enough to disable the tracking. most users, i guess, are not even aware that they are being tracked by a huge american company as they visit helsenorge.no. isn't this a bit like letting a corporation track your visits to the doctor, and listen in on what you discuss?

there is no valid excuse for a page like helsenorge.no to use google analytics. there is no excuse for sharing detailed user information with google, or anyone else. absolutely none. i would argue that the only reason for doing so is laziness or incompetence. maybe both. and this should not be the case for sites like helsenorge.no. not when it comes to privacy. there are free alternatives to google analytics. alternatives where you don't share data with a third party. like piwik, and several others.

unfortunately, helsenorge.no, as a governmental online service, is far from being alone in the mindless data sharing business. below are some other examples.

*.kommune.no (google tag manager)
altinn.no (google analytics)
difi.no (google analytics)
dubestemmer.no (google analytics)
forsvaret.no (facebook & google plus)
nettvett.no (google analytics)
norge.no (google analytics)
regjeringen.no (google tag manager)
slettmeg.no (google analytics)
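
one way to check a page for this kind of sharing, as an added example (not code from this post or from any of the sites listed): the javascript below lists the third-party hosts a page loads scripts from, including urls that only appear inside inline scripts, which is how the snippet quoted earlier pulls in analytics.js. the tracker list, the sample html and the domain health.example are constructed for illustration.

```javascript
// Added example (not from the original post): static audit of script hosts.
// KNOWN_TRACKERS is a short illustrative list, not a complete one.
const KNOWN_TRACKERS = {
  'google-analytics.com': 'google analytics',
  'googletagmanager.com': 'google tag manager',
  'connect.facebook.net': 'facebook',
};

// True when host equals domain or is a subdomain of it.
function belongsTo(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Collect script URLs from src attributes and from string literals inside
// inline scripts; a src-only scan misses dynamically injected loaders.
function scriptUrls(html) {
  const urls = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) urls.push(src[1]);
    const literalRe = /["']((?:https?:)?\/\/[^"'\s]+)["']/g;
    for (const lit of m[2].matchAll(literalRe)) urls.push(lit[1]);
  }
  return urls;
}

// Return [{host, tracker}] for every script host outside firstParty.
function auditThirdParties(html, firstParty) {
  const seen = new Map();
  for (const raw of scriptUrls(html)) {
    let host;
    try {
      // The base resolves relative and protocol-relative (//host/x) URLs.
      host = new URL(raw, 'https://' + firstParty + '/').hostname;
    } catch (e) { continue; }
    if (belongsTo(host, firstParty) || seen.has(host)) continue;
    const domain = Object.keys(KNOWN_TRACKERS).find(d => belongsTo(host, d));
    seen.set(host, domain ? KNOWN_TRACKERS[domain] : null);
  }
  return [...seen].map(([host, tracker]) => ({ host, tracker }));
}

// Constructed sample page; the inline loader mimics the quoted snippet.
const SAMPLE_HTML = `<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>(function(w,d,o,g,r){w[r]=g})(window,document,'script','//www.google-analytics.com/analytics.js','ga');</script>`;

console.log(auditThirdParties(SAMPLE_HTML, 'health.example'));
```

this is a static scan of the html as delivered; scripts that a tag manager injects at runtime only show up in the browser's network log.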

judging from the list above you might think that there is no need to worry. you should trust that at least government owned internet sites have thoroughly gone through the implications of the technology they are using. right? i am afraid it's not the case.









