UK charity Crimestoppers ‘breaches privacy law’ in the way it tracks online users
An analysis carried out by the investigations team at E&T in collaboration with Cybot, a Danish privacy and analytics company based in Copenhagen, found that British charity Crimestoppers tracks users in ways that breach the charity's promises of anonymity as well as national and European privacy law.
The Crimestoppers Trust, an independent crime-fighting charity in the UK with an annual income of more than £5m, allows people to call or pass on information about crime via an "anonymous online form".
"The problem with Crimestoppers is that the website promises 100 per cent anonymity. The fact that they are allowing the users to be monitored is deeply concerning", Daniel Johannsen, CEO of Cybot, told E&T.
Cybot's initial scan found that Crimestoppers-uk.org allows a number of third parties to track visitors, including their IP address: Google (via Analytics, AdSense, AdWords, YouTube and its marketing branch DoubleClick), Facebook and LinkedIn. This would also include analytics that is not anonymised.
In addition, the website was found to link to a cookie-info page from its cookie-pop-up. "But this page only mentions a few of the cookies being set and the third parties that are monitoring their users. On the website, the most intrusive cookies and third parties are not mentioned at all."
Diego Naranjo, the head of policy at international advocacy group European Digital Rights (EDRi), told E&T that the results are deeply worrying. Nonetheless he has some sympathy for Crimestoppers UK in the sense that most people building websites do not have privacy by design as a core concern when doing their work. "[Failings] are very common, and even public websites do not always comply."
Site-builders may be aware of using certain analytics or cookies, Naranjo said, but they might not be aware of the problems of re-identification from those cookies and how third parties have access to those identifiers. It is a problem the whole industry would struggle with.
However, the lack of strong enforcement of the ePrivacy Directive by competent authorities in the UK and elsewhere does not help to fix the problems, he added.
Another data privacy company confirms Cybot's findings. Kazient, a consultancy specialising in privacy, data protection and GDPR, was asked by E&T to look into the matter. Experts at Kazient scrutinised the website of Crimestoppers and found three major problems with it. Firstly, the cookie banner is illegal. Secondly, its transparency information is lacking. And lastly, the way they are trying to obtain consent is also illegal, according to an expert who ran the analysis.
Jamal Ahmed, a privacy consultant at Kazient, said: "We found additional cookies that are not mentioned in the transparency notice and as such not meeting compliance requirements".
"This is a great example of how not to manage your cookies. It's really disappointing to see an organisation such as this get it so wrong. The cookies banner, fair processing notice and attempt at consent are wholly non-compliant and totally unacceptable."
Johannsen confirms that, according to the analysis, Crimestoppers-uk.org was found not to be honouring the requirement of "prior consent", that is, blocking all cookies until the user has consented. This is a clear requirement by the ICO (the Information Commissioner’s Office), the UK’s independent authority for upholding information rights in the public interest.
When prior consent is not enabled, the findings suggest the user is tracked from the second they enter the website. This renders the cookie pop-up on crimestoppers-uk.org as mere window-dressing, providing a false sense of security to the user.
“Let us assume I am the person who wants to help by tipping off some kind of crime, an assault for instance, but it is not possible for me under the circumstances to contact the police, for example, so I would put myself at risk by telling about it. When these companies register that I am on this website, that I am reporting a crime, the type of crime I am reporting, where I am from, and match all this with the user-profile they have built about me already from other sites on the web, they can use that information in various ways, so when I, in a totally different context, visit other websites online, they can use that information to target me. If this is happening in a different context where I may not be alone, it can reveal to others the fact that I have told somebody about this crime. That is what I mean when I say they put themselves at risk [using the site]”, Johannsen explained.
"The headline 'Stay safe' on the front page of the website sounds kind of hollow when it comes to online privacy and data protection", Johannsen added.
A deeper analysis, covering the full extent of Crimestoppers' sites on the web, found that users who click on the big, red button "Give information anonymously" are monitored throughout the whole submission process by the companies mentioned earlier as well as HotJar, an analytics company with the vision to "change the way the web is built and improved by democratizing user analytics and feedback".
This way, Google, Facebook, Microsoft (LinkedIn) and HotJar would know what the user, the reporter of a crime, reports and when, because they can read the type of submission from the URL of the page and send information back to their own servers in the background at each step of the submission process.
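The two checks described above (third-party requests fired before consent, and third-party requests fired from the reporting form, whose page URL they can read) can be run over a browser network capture. This is an added example, not E&T's or Cybot's scanner; the first-party host `charity.example`, the form path, the consent time and the capture rows are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed capture: (seconds since page load, page URL the user is on, request URL).
# Hosts and paths are illustrative, not taken from the real site.
FIRST_PARTY = "charity.example"
CONSENT_AT = 12.0  # moment the user clicked "accept" in the cookie banner
SENSITIVE_PREFIX = "/give-information"  # hypothetical path of the reporting form
FORM_PAGE = "https://charity.example/give-information/step-2?type=assault"
CAPTURE = [
    (0.2, "https://charity.example/", "https://charity.example/static/site.css"),
    (0.4, "https://charity.example/", "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"),
    (0.9, "https://charity.example/", "https://www.google-analytics.com/collect?v=1"),
    (13.0, FORM_PAGE, "https://pixel.quantserve.com/pixel?r=1"),
    (13.1, FORM_PAGE, "https://charity.example/api/form"),
]


def is_third_party(url, first_party=FIRST_PARTY):
    """True when the request host is neither the site nor one of its subdomains."""
    host = urlsplit(url).hostname or ""
    return not (host == first_party or host.endswith("." + first_party))


def audit(capture, consent_at=CONSENT_AT):
    """Return (host, reasons) for every third-party request that is a problem."""
    findings = []
    for t, page, req in capture:
        if not is_third_party(req):
            continue
        reasons = []
        if t < consent_at:
            # Prior consent means nothing third-party loads before the click.
            reasons.append("before-consent")
        if urlsplit(page).path.startswith(SENSITIVE_PREFIX):
            # The Referer header or the tracker's own script can expose this page URL.
            reasons.append("on-report-form")
        if reasons:
            findings.append((urlsplit(req).hostname, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in audit(CAPTURE):
        print(host, ", ".join(reasons))
```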
"If you only have a focus on marketing efforts, and you neglect to take the privacy focus into consideration, then you end up in a situation like this", Johannsen says.
When E&T presented the headline results found by the experts to Crimestoppers UK, the charity responded to us stressing that anonymity is at the heart of its offer to the public, "whether they contact us by phone or online. We do not track in any way shape or form the individuals who pass information to Crimestoppers anonymously."
The charity has promised to launch its own internal investigation into the claims presented by E&T.
The scan of the website revealed more. All of these trackers are deployed through Google Tag Manager (GTM), which is fully managed by the site's owner or authorised agency.
The scan revealed that users are also being tracked by Issue.com (a suite of digital publishing products) on a single page. This opens a backdoor, or so-called trojan horse, for Quantserve, from behavioural advertising company Quantcast, by sending information about the visit to pixel.quantserve.com/pixel, a so-called pixel tracker, Johannsen explains.
As this only happens on a single page it is not as high-risk for the user as all the other trackers that are deployed site-wide. But still, one would not expect this, and they do not inform the user about it, he says.
Johannsen said he and his team see this on a lot of websites that are using Google Tag Manager, which covers 98 per cent of the tag manager market. But it is especially alarming when Crimestoppers promises the user full anonymity, he said.
In a report earlier this year, Johannsen's company Cookiebot revealed that ad-tech companies are extensively tracking EU citizens who visited non-ad-funded government and public sector websites. Even on websites that feature sensitive health information, vulnerable citizens are unknowingly being tracked, it concluded, and stated that EU governments and public sectors would serve as platforms for online commercial surveillance.
The experts disagree over whether Crimestoppers is likely to be aware of the shortcomings on its website. Johannsen said that it is possible that they do not even know about it. Privacy expert Ahmed is convinced that people at Crimestoppers must know about it. "They are the ones that agreed to have them [the cookies] on there. It is like buying a car and not looking inside of the boot and being later made responsible for what is in the boot."
Ahmed comes across a lot of websites that do not meet basic legal requirements set out by the ICO. But "the fact that it is Crimestoppers", makes it important to share with the public, he says.
Cookies and trackers Crimestoppers uses, but only a fraction of these are highlighted on its website:
How can online users of Crimestoppers stay anonymous, despite the tracking? Johannsen argues that digital self-defence is definitely an option, but this is often only a thing for technically strong users. "A VPN or virtual private network alone will not protect you against tracking. It merely hides your IP-number, but you will be recognised by the unique identifiers stored in third-party cookies and other types of trackers".
Using privacy-focused browsers in combination with a VPN could protect users against the kind of tracking that is used on Crimestoppers-uk.org. Browsers such as the American browser Brave or the German browser Cliqz are configured to use maximum protection. This will break some websites and give a poor user experience on others, but the majority of sites seem to work well on these browsers, Johannsen told E&T.
The Spanish Data Protection Agency (AEPD) announced this week that an airline faces a fine of up to €30,000 because its website did not provide an option to reject cookies. It only informed visitors of the possibility of setting cookie preferences by configuring their browser settings, similar to the way the Crimestoppers website does it, Ahmed told E&T.
A study published by Privacy International in September of this year reveals how popular websites about depression in countries including France, Germany as well as in the UK share user data with advertisers, data brokers and large tech companies.