British privacy regulator breaches privacy
security privacy data-protection
In April 2018 I emailed the ICO about Twitter receiving identifiable tracking data of what pages users of the ICO website were visiting.
curl 'https://platform.twitter.com/widgets/widget_iframe.1966f64be47cf16b7a48642c76cc6202.html?origin=https%3A%2F%2Fico.org.uk&settingsEndpoint=https%3A%2F%2Fsyndication.twitter.com%2Fsettings' \
  -H 'Referer: https://ico.org.uk/global/cookies/' \
  -H 'Cookie: personalization_id="v1_1axooVApMv4kdQlRP0kJOA=="; guest_id=v1%3A151762216238340054; _ga=GA1.2.1216735797.1517622164; eu_cn=1; tfw_exp=0; dnt=1; ads_prefs="HBISAAA="; kdt=pZ2uCnWdpMHbENSaC0VyO3qW3GioHnuDLBDUeQUX; remember_checked_on=1; twid="u=66337826"; auth_token=3010b5c28bae881299c6ec636f788ba1931b5e7d; __utma=43838368.1216735797.1517622164.1523130476.1523130476.1; __utmz=43838368.1523130476.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'
I complained; it disappeared.
Today, their website sends identifiable tracking data for some pages to third parties, including Vimeo, YouTube and Google.
Let's be clear: it does not appear to be on many pages.
However, this is a bit like discovering a police commissioner does drugs... don't worry, it's just weed and only at festivals.
I hope you can enjoy the irony, but after a giggle, the reality is pretty sad.
The ICO is the UK's data protection regulator, expected to enforce GDPR and ePrivacy (the cookie law).
Not break them.
Here are two videos demoing the problem
Video showing Vimeo cookies
Video showing YouTube cookies
There's no excuse for the ICO not to do a similar thing.
Not exactly surprising, but YouTube lied, which is the ICO's problem as they should have spotted this with a simple test.
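One form such a simple test could take, as an added example that is not part of the original post: it scans a browser network capture in HAR format and flags third-party requests that carry a cookie and also name a page on the audited site, which is the combination visible in the curl command above. The function names and the sample capture are constructed for illustration, and the cookie values are placeholders.

```python
from urllib.parse import parse_qsl, urlsplit

def _host(url):
    try:
        return urlsplit(url).hostname or ""
    except ValueError:  # malformed value, e.g. a query parameter that is not a URL
        return ""

def _first_party(host, site):
    return host == site or host.endswith("." + site)

def find_identifiable_leaks(har, site):
    """Return third-party requests that send a cookie AND reveal a page on `site`."""
    leaks = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = _host(req["url"])
        if not host or _first_party(host, site):
            continue
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        cookie = headers.get("cookie", "")
        if not cookie:
            continue  # no stored identifier sent, so not linkable to a user by cookie
        # The visited page can reach the third party via Referer or a query parameter.
        query = parse_qsl(urlsplit(req["url"]).query)
        sources = [headers.get("referer", "")] + [value for _, value in query]
        pages = [s for s in sources if _first_party(_host(s), site)]
        if pages:
            names = sorted(c.split("=", 1)[0].strip() for c in cookie.split(";") if c.strip())
            leaks.append({"third_party": host, "page": pages[0], "cookie_names": names})
    return leaks

# Constructed sample in HAR shape; hosts under example.net are hypothetical.
def _entry(url, **hdrs):
    return {"request": {"url": url, "headers": [{"name": k, "value": v} for k, v in hdrs.items()]}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("https://ico.org.uk/global/cookies/", Cookie="session=PLACEHOLDER"),
    _entry("https://platform.twitter.com/widgets/widget_iframe.html?origin=https%3A%2F%2Fico.org.uk",
           Referer="https://ico.org.uk/global/cookies/",
           Cookie="guest_id=PLACEHOLDER; twid=PLACEHOLDER"),
    _entry("https://cdn.example.net/lib.js", Referer="https://ico.org.uk/global/cookies/"),
    _entry("https://player.example.net/video/1?origin=https%3A%2F%2Fico.org.uk",
           Cookie="vuid=PLACEHOLDER"),
]}}

if __name__ == "__main__":
    for leak in find_identifiable_leaks(SAMPLE_HAR, "ico.org.uk"):
        print(leak)
```

Some browsers omit Cookie headers from HAR exports by default, so confirm the capture includes them before trusting an empty result.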
ICO misrepresents YouTube cookies
Under the video in the Privacy Notice, you can see
(However, the google.com cookie is already loaded before play if you are affected by it.)
The Cookies Policy states
We embed videos from our official YouTube channel using YouTube's privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. Read more at YouTube's embedding videos information page.
Okay, so let's visit the YouTube page, which states
(The privacy-enhanced mode only relates to tracking of viewer behaviour, not ad-serving behaviour. To disable tracking for advertising purposes, you can add yourself to the Tag for child-directed treatment page.)
I'm not sure I trust YouTube's commitment.
ICO misrepresents Vimeo cookies
We embed videos from our official Vimeo channel. When you press play Vimeo will drop third party cookies to enable the video to play and to collect analytics data such as how long a viewer has watched the video. These cookies do not track individuals.
Obviously these statements are both false.