British Political Party adds some Russian tracking and control to their website
security privacy data-protection
Britain First have loaded web content from a Russian social media site, VK.
The loading will sometimes result in identifiable tracking data being sent to VK about the visit to Britain First.
The content is code and can do what it likes on the Britain First page.
Britain First
Britain First is well documented online and I do not support them.
Most UK political parties are failing on privacy; please read the ICO report on political parties to understand the landscape if you are interested in learning more.
This post is about a new aspect to the existing problem of online tracking and security of political party websites.
What does it load?
Britain First has been banned by Facebook (although somewhat surprisingly, their website still includes Facebook JavaScript SDK and tracking).
So, Britain First has adopted a different social media network: VK, a Russian social network.
As part of this, it appears they load VK's JavaScript SDK, which sometimes shares tracking data with VK: https://vk.com/js/api/openapi.js?168
Not every request to the pages will be tracked: VK sends a cache header, so the browser may use a local copy. When that copy is gone (the user cleared the cache, the max age was reached, or the browser evicted it to save space), a new request with fresh tracking data is sent.
However, the website is vulnerable to whatever VK put in the JavaScript code, so the behaviour can change at any time and present or capture anything on the pages it is loaded on.
What tracking can they get?
VK get two types of tracking data, those with cookies and those without.
Without cookies VK get
- IP Address: Typically unique to your WiFi router, but can be unique to your browsing device
- User-Agent: Browser version, OS
- HTTP Referer: the web address you are at, like https://www.britainfirst.org/join
- VK have the potential to get more through fingerprinting techniques server side and, as they load JavaScript, assisted by the browser side too.
With cookies VK also get
- Unique identifier: Identifies your browser. If VK is loaded on other pages you use, VK can play a game of Guess Who to work out who you are, or may just be given the data, like an email address in query parameters (this happens too much on the internet)
- Account identifier: If you have a VK account, then they'll know about your visit to Britain First, regardless of whether you expressed interest in Britain First on the VK site
What does this all mean?
I know nothing about VK, apart from the fact that they are getting data from some visits to Britain First. They may ignore it, they may use it.
My Opinion
Given the news stories about social media targeting in elections and also Russian meddling, we should be cautious of more companies getting browsing habit data.
If VK intend to protect privacy, why load the JS from their domain and not one with no cookies?
If VK intend to protect privacy, why not drop the referer with a referrer policy on their script tag?
If VK intend to invade privacy, why are they setting cache headers that will miss many requests?
Whatever their intent now, they are a single number change in their own code base from tracking every request; maybe not in the most efficient manner, but they could easily add pixel tracking with a little more.
HTML fragment
This HTML is loaded in the root document:
<script type="text/javascript" src="https://vk.com/js/api/openapi.js?168"></script>
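One way a site owner could check their own pages for the pattern shown above, as an added example that is not part of the original post: it lists scripts loaded from another host and flags a missing `integrity` attribute, an unrestricted referrer and a credentialed request. The function names, finding labels and the two extra tags (including the `cdn.example` host and the placeholder hash) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Referrer policies that never send the page path to another origin.
PATH_SAFE = {"no-referrer", "origin", "same-origin", "strict-origin",
             "strict-origin-when-cross-origin", "origin-when-cross-origin"}

class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append(attrs)

def audit_scripts(html, page_url):
    """Return one record per script loaded from a host other than the page's."""
    page_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    report = []
    for attrs in collector.scripts:
        host = urlsplit(attrs["src"]).hostname
        if host is None or host == page_host:
            continue  # relative or same-host script
        findings = []
        if "integrity" not in attrs:
            findings.append("no-integrity")  # file can change unnoticed
        # Unset on the tag: the page's policy or the browser default decides.
        if (attrs.get("referrerpolicy") or "").lower() not in PATH_SAFE:
            findings.append("referrer-not-restricted")
        # No crossorigin attribute: request may carry that host's cookies.
        # crossorigin="" or "anonymous": cross-origin cookies are omitted.
        mode = attrs.get("crossorigin", "use-credentials") or ""
        if mode.lower() == "use-credentials":
            findings.append("credentialed-request")
        report.append({"src": attrs["src"], "host": host, "findings": findings})
    return report

# Sample input: the tag quoted in the post, then two constructed tags.
SAMPLE = """
<script type="text/javascript" src="https://vk.com/js/api/openapi.js?168"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<script src="/js/site.js"></script>
"""
```

Call it as `audit_scripts(SAMPLE, "https://www.britainfirst.org/join")`; only the first tag produces findings. Adding `crossorigin` to a tag only works if the third-party host serves the file with CORS headers.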
Video demo
Video showing VK cookies paired with a referer header for the page to Join Britain First