
What is the UK government doing in embedding Google Analytics into confidential government websites?

February 4, 2014

Perhaps the biggest news today is that the NHS has been redirecting its web visitors to a site hosting malware. It’s OK, though, because the NHS hasn’t been hacked – it managed to endanger its users without any outside help from the bad guys.

The problem was a typo. One of its own developers input googleaspis.com instead of googleapis.com. A bad guy found this before the NHS found it. He registered googleaspis.com and simply waited while the NHS thoughtfully sent its visitors along to be infected – and nobody knows how many may have been.
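A pre-deployment check can catch this class of typo before an attacker does. The following is an added example, not code from the NHS or from the original post: it extracts the hosts a page loads resources from and flags any that are off an allowlist, marking those whose domain is within a small edit distance of an approved one. The allowlist, the sample page and its paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts this site intends to load third-party resources from.
ALLOWED_HOSTS = {"ajax.googleapis.com", "fonts.googleapis.com", "www.google-analytics.com"}
URL_ATTR = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

def registrable(host):
    """Crude last-two-labels domain (assumption: no multi-part suffixes such as .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class ResourceHosts(HTMLParser):
    """Collects the host of every absolute or scheme-relative resource URL."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(URL_ATTR.get(tag, ""))
        host = urlparse(url).hostname if url else None  # None for relative URLs
        if host:
            self.hosts.append(host)

def audit(html, allowed=ALLOWED_HOSTS, max_dist=2):
    """Return (host, reason) for every external host that is not on the allowlist."""
    parser = ResourceHosts()
    parser.feed(html)
    allowed_domains = {registrable(h) for h in allowed}
    findings = []
    for host in parser.hosts:
        if host.lower() in allowed:
            continue
        dom = registrable(host)
        near = sorted(d for d in allowed_domains if 0 < edit_distance(dom, d) <= max_dist)
        findings.append((host, "lookalike of " + near[0] if near else "not on allowlist"))
    return findings

# Constructed sample page: one mistyped host, one correct, one local, one unknown.
SAMPLE = '''<html><head>
<script src="//ajax.googleaspis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
<script src="/static/site.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
</head></html>'''
```

Run over templates in CI, a check like this fails the build on any non-empty result, so a mistyped host never reaches production.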

Typo found… problem solved… nothing to see here… move along please…

But it’s not a problem solved; it’s a problem found – and most of the press reports have missed it. Infosecurity Magazine (NHS Website Not Hacked, Just Exploited) did not miss it. The problem is this: what is the NHS doing using googleapis.com at all? The practice is, according to privacy expert Alexander Hanff, illegal under the EU’s ePrivacy directive.

Alex told me more. The law in question is specifically article 5.3 of the ePrivacy directive and the Privacy and Electronic Communications Regulations (PECR) – better known as the ‘cookie law’; and the biggest culprit is the UK’s own privacy regulator, the Information Commissioner’s Office. “The problem is,” Alex told me, “the ICO refuses to enforce PECR on the issue of 5.3 of the ePrivacy Directive (aka, the cookie law), despite the fact that ICO itself stated that the use of third-party analytics does not meet the requirement of strict necessity. This was before it did a complete 180 after Google reached a deal with the Department for Culture, Media & Sport (DCMS).”

Alex set about discovering more, and used the Freedom of Information Act to get to the bottom of why the ICO had changed its standpoint. If your blood pressure will take it, it is worth reading Who Regulates the Regulator? But be warned, you will indeed find that bureaucratic boilerplate:

Having considered all of these factors we have taken the decision that the public interest in withholding the information outweighs the public interest in disclosing it. Therefore in this instance we are unable to provide you with the correspondence in question.

To Alex, this just smacks of corruption. “The perpetual threesome between Big Data, ICO and the UK Government is an orgy of corruption which flies in the face of European Regulation and is one of the most significant illustrations of why the ICO should be disbanded and replaced with a regulator that is truly detached from government and industry.”

This is not actually an extreme position. Last week European justice commissioner Viviane Reding highlighted some of the things she would like to change, including to ‘correct’ the situation in Germany, where the minister of the interior can take disciplinary action against the data protection commissioner. “Is effective supervision really possible under these circumstances?” she asked.

Clearly the actual independence of the UK’s ICO from the UK government can also be questioned – and perhaps we should all hope that the Eye of Reding turns towards the UK. But in the meantime, I repeat my earlier question: What is the UK government doing in embedding Google Analytics into confidential government websites?
