Mark Alan Richards

Ad tracking of Childline

security privacy data-protection children

You may have spotted news about period, fitness and weather apps sharing data about their users.

This is a bit darker, primarily because the victims are children, the perpetrator a charity and the tracking companies are once again household names.

Childline put ad tracking on their online help chat, whilst promising anonymity and confidentiality.

This tracking can often identify kids and included their activity on the site, posing three risks

  1. Ad algorithms are supposed to match data collected with adverts likely to be clicked on.

    So, when a child visits pages about drug addiction and abuse at home, then joins a counsellor session, what adverts do you think the algorithms paired them with?

    Maybe just teddy bears or maybe alcohol and painkillers. This pairing doesn't even require the real identity of the child

  2. These companies combined employ thousands of staff in the UK

    Whether they're kind people or not, their kids may not want their parents to have access to knowledge they're using Childline.

  3. These companies have a history of information security failures, so how much of this data is likely sitting in servers ready to be leaked or already has

Who is affected?

All users of the site, including children seeking help from counsellors.

What was sent to the ad companies?

Their activity

The pages children visited, including those to chat with counsellors


The ad companies are well known to track users by cookies or even device identifiers (like IP addresses) that identify a device.

They may also hold advertising profiles they build up and potentially user accounts too.

But these identities are isolated from tracking Childline activity, until Childline adds their tracking software to their own site too.

Just in case they didn't already have identities, Childline's actions resulted in ad tracking cookies being set, allowing subsequent tracking off the Childline site.

The extent

I'm guessing most Childline pages were affected, so have a browse around the site and see how bad it might be.

These pages alone are enough to worry about

Why did Childline do this?

You'll have to ask Childline for a clear answer

At a guess...

The advertising companies offer a nasty bargain. You let them track your users and they'll give you useful data back about them.

Confused? Imagine a child browsing the web might be something like this:

Then there's Youtube

Childline decided to reach children using Youtube and not just by having a channel on Youtube, but by integrating Youtube into the Childline site.

By default Youtube videos added to your own site track users

And Youtube is very obviously an advertiser and one that companies were boycotting because of other risks to children

Duck Duck Go (a growing alternative to Google Search) warn about privacy risks on their own site if you try watching a Youtube video.Try searching for Cats. This is a known problem with Youtube.

Video has been supported by default on the web for years without needing Youtube and Childline added Youtube's tracking to pages in their chat system that don't even show videos.

Childline's response

Within hours of contacting the NSPCC on the 26th Feb, about their Childline site including tracking, much of it was removed. Notably, this included Facebook and their terms of service advise that Chidline needed consent and shouldn't send data for under 13s.

However, Childline insist on keeping Youtube as it's "unavoidable" .. given they load tracking on pages that don't have video, that's a lie. Also, within hours you can start moving video on your own site to html5 video with self hosting files... it is really simple to do.

I've asked them repeatedly to tell the children affected by this. In order to keep their trust, the organisation has to be open and honest about failings, but this has not happened and hence I'm writing this blog post about it.

What does a request look like?

Here's an example of Youtube request. I've hidden my cookie values as the session ones may have security implications for my Youtube account

You may not understand the structure, but everything in the following block went to Youtube's server when I made a request and more (like IP address)

        GET /iframe_api HTTP/1.1
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
        Accept: */*
        Accept-Language: en-GB,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Connection: keep-alive
        Cookie: SID=...; HSID=...; SSID=...; APISID=...; SAPISID=...; CONSENT=YES+GB.en+20160501-18-0; LOGIN_INFO=...; VISITOR_INFO1_LIVE=...; PREF=...; enabledapps.uploader=0; SIDCC=...
        DNT: 1
        Pragma: no-cache
        Cache-Control: no-cache

APISID is an interesting one but I'm sure you can find out more about the others too.

Because those same cookies will be used when a user visits Youtube, Youtube can pair this web page visit with a user account.

What next?

If you're a child or know one who should know, then tell them not to trust their privacy is protected on Childline.

If you need Childline services, their phone line may protect privacy appropriately on 0800 1111

Tracking protection mechanisms in web browsers (including Privacy Badger) may reduce the amount of tracking that would be sent.

If you've used Childline and feel upset or angered, then please beware that Childline is not alone in this behaviour and it is common to breach users' privacy like this, although not usually with such sensitive data.