Mark Alan Richards

British Political Party adds some Russian tracking and control to their website

security privacy data-protection

Britain First have loaded web content from VK, a Russian social media site.

The loading will sometimes result in identifiable tracking data being sent to VK about the visit to Britain First.

The content is code and can do what it likes on the Britain First page.

Britain First

Britain First is well documented online and I do not support them.

Most UK political parties are failing on privacy; if you are interested in learning more, please read the ICO report on political parties to understand the landscape.

This post is about a new aspect to the existing problem of online tracking and security of political party websites.

What does it load?

Britain First has been banned by Facebook (although, somewhat surprisingly, their website still includes the Facebook JavaScript SDK and tracking).

So, Britain First has adopted a different social media network: VK, a Russian social network.

As part of this, it appears they load VK's JavaScript SDK, which sometimes shares tracking data with VK: https://vk.com/js/api/openapi.js?168

Not every request to the pages will be tracked: VK sets a cache header, so a local copy may be used. If that copy has since been deleted (the user cleared the cache, the max age was reached, or the browser evicted it to save space), a request with fresh tracking data is sent.

However, the website is vulnerable to whatever VK put in the JavaScript code, so the behaviour can change at any time and present or capture anything on the pages it is loaded on.

What tracking can they get?

VK get two types of tracking data, those with cookies and those without.

Without cookies VK get

With cookies VK also get

What does this all mean?

I know nothing about VK, apart from the fact that they are getting data from some visits to Britain First. They may ignore it, they may use it.

My Opinion

Given the news stories about social media targeting in elections and also Russian meddling, we should be cautious of more companies getting browsing habit data.

If VK intend to protect privacy, why load the JS from their domain and not one with no cookies?

If VK intend to protect privacy, why not drop the referer with a referrer policy on their script tag?

If VK intend to invade privacy, why are they setting cache headers that will miss many requests?

Whatever their intent now, they are a single number change in their own code base from tracking every request; maybe not in the most efficient manner, but they could easily add pixel tracking with a little more.

HTML fragment

This HTML is loaded in the root document:

<script type="text/javascript" src="https://vk.com/js/api/openapi.js?168"></script>
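The fragment above carries no `integrity`, `crossorigin` or `referrerpolicy` attribute. As an added example (not code from the original post), this Node.js sketch audits a page's script tags for those three gaps; the page URL `https://party.example/join`, the `cdn.example` tag and its integrity value are constructed, and it assumes no page-level Referrer-Policy header or meta tag overrides the attribute.

```javascript
// Added example: list third-party <script src> tags and what each exposes.
// Regex parsing is enough for an audit sketch; use a real HTML parser at scale.
function auditScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const tag of html.matchAll(tagRe)) {
    const attrs = {};
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    if (!attrs.src) continue; // inline script, nothing fetched
    const src = new URL(attrs.src, pageUrl);
    if (src.hostname === pageHost) continue; // first-party script
    const issues = [];
    // No SRI hash: the third party can change the code at any time.
    if (!attrs.integrity) issues.push('no-integrity');
    // Without crossorigin (or with use-credentials) the browser may attach
    // the third party's cookies to the script request.
    const co = 'crossorigin' in attrs ? attrs.crossorigin.toLowerCase() : null;
    if (co === null || co === 'use-credentials') issues.push('cookies-may-be-sent');
    // Only no-referrer and same-origin suppress Referer on a cross-origin
    // fetch; every other policy sends at least the page's origin.
    const rp = (attrs.referrerpolicy || '').toLowerCase();
    if (rp !== 'no-referrer' && rp !== 'same-origin') issues.push('referer-not-suppressed');
    if (issues.length) findings.push({ host: src.hostname, src: src.href, issues });
  }
  return findings;
}

// Constructed sample page: the tag from this post, a first-party script,
// and a hardened third-party tag (placeholder hash, hypothetical host).
const SAMPLE_PAGE = 'https://party.example/join';
const SAMPLE_HTML = `
<script type="text/javascript" src="https://vk.com/js/api/openapi.js?168"></script>
<script src="/static/site.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-CONSTRUCTED"
        crossorigin="anonymous" referrerpolicy="no-referrer"></script>`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, SAMPLE_PAGE), null, 2));
```

Pinning with `integrity` means the browser refuses the script if the third party changes the file, so it only suits a URL whose content is meant to stay fixed.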

Video demo

Video showing VK cookies paired with a referer header for the page to Join Britain First

HAR data.