Mark Alan Richards

British privacy regulator breaches privacy

security privacy data-protection

In April 2018 I emailed the ICO about Twitter receiving identifiable tracking data of what pages users of the ICO website were visiting.

    curl 'https://platform.twitter.com/widgets/widget_iframe.1966f64be47cf16b7a48642c76cc6202.html?origin=https%3A%2F%2Fico.org.uk&settingsEndpoint=https%3A%2F%2Fsyndication.twitter.com%2Fsettings' \
      -H 'Referer: https://ico.org.uk/global/cookies/' \
      -H 'Cookie: personalization_id="v1_1axooVApMv4kdQlRP0kJOA=="; guest_id=v1%3A151762216238340054; _ga=GA1.2.1216735797.1517622164; eu_cn=1; tfw_exp=0; dnt=1; ads_prefs="HBISAAA="; kdt=pZ2uCnWdpMHbENSaC0VyO3qW3GioHnuDLBDUeQUX; remember_checked_on=1; twid="u=66337826"; auth_token=3010b5c28bae881299c6ec636f788ba1931b5e7d; __utma=43838368.1216735797.1517622164.1523130476.1523130476.1; __utmz=43838368.1523130476.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'

I complained; it disappeared.

Today, their website sends identifiable tracking data for some pages to third parties, including Vimeo, Youtube and Google.

Let's be clear, it does not appear to be on many pages.

However, this is a bit like discovering a police commissioner does drugs... don't worry it's just weed and only at festivals.

I hope you can enjoy the irony, but after a giggle, the reality is pretty sad.

The ICO is the UK's data protection regulator, expected to enforce GDPR and ePrivacy (the cookie law).

Not break them.

Here are two videos demoing the problem:

Neither video uses cookies; the ICO doesn't need them on its website either.

Video showing Vimeo cookies

Video showing Youtube cookies

There's no excuse for the ICO not to do a similar thing.

Youtube

Youtube offers a more private version of their player that claims to not use cookies.

Not exactly surprising, but Youtube lied, which is the ICO's problem, as they should have spotted this with a simple test.

youtube-nocookie.com is a video player that promises no cookies. However, the player includes a dependency on a request to google.com, which will be paired with Google cookies including Google account identifiers.

Note: the dependency currently has a cache expiry of 365 days, so the chances of being affected may be slim.

Google can match this data to the user and the ICO page view if you have a Google account or likely if you've used Google.

    GET /js/bg/HrK92udDk6HoGDmAxeAPjdRCsXObyhVNLwAlDW4jykM.js HTTP/1.1
    Host: www.google.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://www.youtube-nocookie.com/embed/NzX3PPddUVo?feature=oembed
    Cookie: CONSENT=WP.27ee3a; 1P_JAR=2019-10-03-20; NID=188=fcHkPZF7m10gNkVCvmI7zmbJ5NiTxatB8xNr5FHnRJcARVGIGOkriNEXzO5Cwhau1A2OlU0ES1ubQi0HqhSyYtoK-rM1r59pTMHNNBvmWklLHiTp_Rkc46SK29ZRmZl0_WpqCH4dXRCeYPS67d0J1k_FbWtmCTFS_0O5o8E4bR4; ANID=AHWqTUmW7cZgZqHuOE0LcehhZQ0_RZNDj2AnQULVayYFBiGs-WrFedtZxz39Og28
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

So a lot of people have a reason to use subtitles. Turn them on and the player requests the captions from www.youtube.com (not youtube-nocookie.com), sending Youtube tracking cookies that will pair to a Youtube account if you have one.

    GET /api/timedtext?v=ZqzGM8nUsDo&asr_langs=de%2Cen%2Ces%2Cfr%2Cit%2Cja%2Cko%2Cnl%2Cpt%2Cru&caps=asr&xorp=true&hl=en-GB&ip=0.0.0.0&ipbits=0&expire=1570167963&sparams=ip%2Cipbits%2Cexpire%2Cv%2Casr_langs%2Ccaps%2Cxorp&signature=D1395DA0C2116757EAA453EEE78B761FC2A18F07.12E6A1E623A964A2C5D3346DDA7C2511B98FA90B&key=yt8&kind=asr&lang=en&fmt=srv3&xorb=2&xobt=3&xovt=3 HTTP/1.1
    Host: www.youtube.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://www.youtube-nocookie.com/embed/ZqzGM8nUsDo
    Origin: https://www.youtube-nocookie.com
    Cookie: PREF=f1=50000000; VISITOR_INFO1_LIVE=si2dxYzatEI; GPS=1; YSC=ZQ9Sf3PAtT8; CONSENT=WP.27ee48
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

ICO misrepresents Youtube cookies

Under the video in the Privacy Notice, you can see:

Pressing play on the video above will set a third-party cookie. Please read our cookie policy for more information.

(However, the google.com cookie is already loaded before play if you are affected by it.)

The Cookies Policy states:

We embed videos from our official YouTube channel using YouTube's privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. Read more at YouTube's embedding videos information page.

Okay, so let's visit the Youtube page, which states:

(The privacy-enhanced mode only relates to tracking of viewer behaviour, not ad-serving behaviour. To disable tracking for advertising purposes, you can add yourself to the Tag for child-directed treatment page.)

I'm not sure I trust Youtube's commitment.

Vimeo

Vimeo cookies

Loading the page with a video present, regardless of playing it, results in a request to Vimeo.

For users who've never been to Vimeo, you might be lucky and just have a vuid cookie set, pairing you to a tracking id that may reveal your identity to Vimeo later.

For users who've got a Vimeo account, Vimeo get cookies that identify exactly who you are and the ICO page you are visiting.

Without a Vimeo account

    GET /video/358070413?loop=1 HTTP/1.1
    Host: player.vimeo.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-and-brexit-for-small-organisations/
    Cookie: vuid=pl935718006.582706622
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0

With a Vimeo account (some cookies look like they are from Google and Facebook analytics software):

    GET /video/358070413?loop=1 HTTP/1.1
    Host: player.vimeo.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-and-brexit-for-small-organisations/
    Cookie: vuid=pl538282171.1754524407; _bpsid=e21af1b1-1ae2-4aaf-aa7d-914d2ae050d5; _gcl_au=1.1.117979163.1570144889; _ga=GA1.2.1411508309.1570144890; _gid=GA1.2.1730788029.1570144890; _fbp=fb.1.1570144893155.1441182793; __qca=P0-1981308565-1570144892675; vimeo_gdpr_optin=1; vimeo=OHL4SeXt4SeMVHLeZ4LdeLX4MxHXcBae%2CZPcDccceZ4c4tLN4XeS%2Cd4a3NZB43%2C4c4DMw3h_OI3uHLM5i_Ic9j3H9ubNwizNVi9wMIHeNa4ateePPDPN4X4tDet4%2CaZPNZacDNPNZP44XLBtZaXBBLXPd4ca%2C3BPaeSdN4D; __ssid=8a862efc-ebab-4cb4-9f9f-0700fdee5887; player=""; has_logged_in=1; site_settings=%7B%22browse_format_vid%22%3A%22video%22%7D; continuous_play_v3=1; __gads=ID=9de2d6ff5570d131:T=1570145696:S=ALNI_MYR0_jgJOqKfNfRRJ5jBUsfJfFwZg
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0

ICO misrepresents Vimeo cookies

Stated below the video:

Pressing play on the videos above will set third-party cookies necessary for the video to play and collecting analytics such as the length of time the video was played. The third party cookies do not track users. Please read our cookie policy for more information.

The Cookies page then states:

We embed videos from our official Vimeo channel. When you press play Vimeo will drop third party cookies to enable the video to play and to collect analytics data such as how long a viewer has watched the video. These cookies do not track individuals.

Obviously these statements are both false.

HAR data; the Vimeo account was deleted.
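The "simple test" the ICO could have run, and a way to read HAR data like the capture above, as an added example that is not the author's code: it walks a HAR file, flags every third-party request that carries a Cookie header, and follows the Referer chain back to the first-party page, which is how the google.com request is tied to an ICO page even though its direct Referer is youtube-nocookie.com. The embedded HAR is constructed to mirror the requests quoted on this page; the cookie values in it are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed mini-HAR (not the author's capture) mimicking the requests quoted above.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://ico.org.uk/global/cookies/", "headers": []}},
    {"request": {"url": "https://www.youtube-nocookie.com/embed/NzX3PPddUVo",
                 "headers": [{"name": "Referer", "value": "https://ico.org.uk/global/cookies/"}]}},
    {"request": {"url": "https://www.google.com/js/bg/EXAMPLE.js",
                 "headers": [{"name": "Referer", "value": "https://www.youtube-nocookie.com/embed/NzX3PPddUVo"},
                             {"name": "Cookie", "value": "CONSENT=WP.27ee3a; NID=188=placeholder; ANID=placeholder"}]}},
    {"request": {"url": "https://player.vimeo.com/video/358070413?loop=1",
                 "headers": [{"name": "Referer", "value": "https://ico.org.uk/for-organisations/"},
                             {"name": "Cookie", "value": "vuid=pl935718006.582706622"}]}},
]}})

def host_of(url):
    return urlsplit(url).hostname or ""

def is_first_party(host, site):
    # Exact match or a subdomain of the site being audited.
    return host == site or host.endswith("." + site)

def header(entry, name):
    for h in entry["request"]["headers"]:
        if h["name"].lower() == name:
            return h["value"]
    return None

def find_cookie_leaks(har_text, site):
    """Third-party requests carrying cookies, each paired with the first-party page
    they trace back to through the Referer chain (None if no first-party page found)."""
    entries = json.loads(har_text)["log"]["entries"]
    referer_of = {e["request"]["url"]: header(e, "referer") for e in entries}
    leaks = []
    for e in entries:
        url, cookie = e["request"]["url"], header(e, "cookie")
        if cookie is None or is_first_party(host_of(url), site):
            continue
        # Follow Referer links until a first-party page appears (bounded to avoid loops).
        page, hops = referer_of.get(url), 0
        while page and not is_first_party(host_of(page), site) and hops < 10:
            page, hops = referer_of.get(page), hops + 1
        names = [c.split("=", 1)[0].strip() for c in cookie.split(";")]
        leaks.append({"host": host_of(url), "cookies": names,
                      "first_party_page": page if page and is_first_party(host_of(page), site) else None})
    return leaks

if __name__ == "__main__":
    for leak in find_cookie_leaks(SAMPLE_HAR, "ico.org.uk"):
        print(leak)
```

Point it at a real HAR export from the browser's network panel and the output lists which third parties received cookies, which cookie names, and which first-party page was being viewed.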