Who tracks me – A two year review.

In response to a toot from Privacy International on Mastodon I thought it would be a good idea to review the sites I looked at in “Who Tracks Me part 1” and see if any improvement had been made.

In 2018, I wrote the original Who Tracks Me piece as part of The Privacy Shop (a failed attempt to create a more space that was more understandable to the every day person where they could source privacy enhancing software and services). The results of my research were astounding and shocking….if only to me.

ServicesTrackers 2018
Mental Health Foundation of New Zealand19
Inland Revenue Department14
Work and Income New Zealand2
Womans Refuge New Zealand23
New Zealand Labour Party14

In my opinion none of these organisations should have had any trackers attached to them. Some of them serve the most vulnerable people in New Zealand and yet they were allowing this information to be gathered about the people using their services. This could have had serious repercussions for some people.

Thankfully, over the past two years there appears to have been some improvement (It is possible that this may also be partially due to the first measurements being taken with Lightbeam, a Firefox extension that is now unavailable). Now, using the EFF’s Privacy Badger extension the results are,

ServicesTrackers 2020
Mental Health Foundation of New Zealand7
Inland Revenue Department1
Work and Income New Zealand1
Woman’s Refuge New Zealand1
New Zealand Labour Party (For a look at political party tracking in 2020, go here.)4

Hopefully this shows that privacy awareness is growing in the New Zealand community. Still, I don’t think it is good enough. Does the Mental Health Foundation of New Zealand really need seven potential trackers attached to it’s homepage? Does their Privacy Policy cover these trackers? Apparently not if you read their Privacy Policy,

The MHF website will have links to third party websites and resources. The MHF is not responsible or liable for the availability or accuracy of any such link or resource, or for the content, products, or services on or available from such websites or resources. Links to such websites or resources do not imply any endorsement by the MHF. Visitors to the MHF’s websites assume all risk arising from their use of any link to third party websites or resources.

Mental Health Foundation Privacy Policy

Is that really good enough? Those attached links are,

  • s7.addthis.com
  • ajax.googleapis.com
  • www.google-analytics.com
  • www.google.com
  • static.olark.com
  • p.typekit.net
  • use.typekit.net

For instance s7.addthis.com is owned by Oracle and as part of the Privacy Policy on their site they reference the publisher (who I assume in this case is the Mental Heath Foundation of New Zealand) as allowing,

Collection on Publisher Sites. When installed on a Publisher Site, the Enablement Code allows Oracle and Oracle Partners to set Cookies to collect Publisher Data. These technologies are described in detail in the Privacy Policy. When an End User visits your Publisher Site, Oracle and Oracle Partners may set a Cookie and track such End User’s use of your Publisher Site (e.g., the web search that landed the End User on a particular page or categories of the End User’s interests), including allowing Oracle Partners to incorporate Cookies and pixels to enable the synchronization of internal unique identifiers between Oracle and our third party partners to facilitate online behavioral advertising.

Addthis Terms of Service

So when I went to the Mental Health Foundations website somehow before visiting the website I should have been aware that my visit will be shared not just with Oracle but with its Partners and that it involves a unique identifier that can track me across the Internet. It also refers to another Privacy Policy,

In our AddThis Terms of Service with the publisher, we require that the publisher informs you directly of how it collects and uses your personal information in this context, and gets your consent where appropriate.

Addthis Privacy Policy

At no time when visiting the site was I informed directly that my information could be used to track me. This is something I would have liked to have known, whether or not if I was suffering from a mental health condition and/or reaching out for help. Other parts of the Addthis Privacy Policy say that the information can be used by them for business purposes to uniquely identify across multiple devices. It even gives an example at one point,

Example: You are interested in vacations offered by a travel company and have clicked on their online advertising. You are logged into several devices (your desktop, smartphone, and tablet) using the same login. Oracle partners have indicated that you are likely the same user across those same devices. The travel company is able to send vacation offers to you (via de-identified cookie ID) to these different devices.

Addthis Privacy Policy

So, in the case of the Mental Health Foundation what exactly does that turn into?

Example: You are interested in mental health advice offered by the Mental Health Foundation of New Zealand and have clicked on their website. You are logged into several devices (your desktop, smartphone, and tablet) using the same login. Oracle partners have indicated that you are likely the same user across those same devices. Oracles partners are able to send metal health advertising offers to you (via de-identified cookie ID) to these different devices.

Example example

Well, that is going to be great. I might now have mental health advertising being sent to me across all my devices. There is even a list of conditions on the site that I might be associated with and then targeted for.

  • ADHD in adults
  • ADHD in children
  • Alcohol
  • Alzheimer’s disease
  • Anger
  • Anorexia nervosa
  • Anxiety
  • Asperger syndrome
  • Attention deficit hyperactivity disorder
  • Autism spectrum disorders
  • Autistic disorder
  • BPD
  • Bipolar affective disorder
  • Body dysmorphia
  • Body dysmorphic disorder
  • Borderline personality disorder
  • Bulimia
  • Bulimia nervosa
  • Deliberate self-injury
  • Dementia
  • Depression
  • Depression – Youth
  • Depressive disorder with seasonal pattern
  • Dissociative identity disorder (DID)
  • Eating disorders
  • Fear
  • GAD
  • Gender dysphoria
  • Gender identity disorder
  • Generalised anxiety disorder
  • Grief and loss
  • Manic depression
  • Multiple personality disorder (MPD)
  • Narcissistic personality disorder
  • Non-suicidal self injury (NSSI)
  • OCD
  • Obsessive compulsive disorder
  • Panic disorder
  • Personality disorders – general
  • Phobias
  • Post-traumatic stress disorder
  • Postnatal depression
  • Postnatal psychosis
  • Postpartum psychosis
  • SAD
  • Schizoaffective disorder
  • Schizophrenia
  • Seasonal affective disorder
  • Self-harm
  • Self-mutilation
  • Suicidal ideation
  • Suicide prevention resources
  • Suicide: after a suicide attempt
  • Suicide: coping with suicidal thoughts
  • Suicide: supporting someone online
  • Suicide: worried about someone?
  • Tourette syndrome

I am sure most people can see why a they would not want to be associated with these conditions whether or not they have them and why they would not want to be advertised to across their devices on the basis that Oracle thinks they might have one.This is not only because of the stigma around mental health, but also because of the business decisions that can be made on the basis of the information. Could an insurance company buy this information in a claim in order to make the case that there was a breach of contract? Could Linkedin buy it to better match people with jobs? We just don’t know and once this information, that we didn’t know we were providing nor consented to provide, is in the wild it may affect our life or the lives of those around us in a myriad of unseen ways that can none the less have concrete outcomes. Additionally, the provision of that information appears to have been in breach of the Mental Health Foundations contract with Oracle which doesn’t give me a huge amount of faith that they are truly invested in privacy.

While it’s clear that there has been some improvement in the data collection activities of all of the websites I looked at in 2018, even having one company that then sells or data-shares onto other parties isn’t good enough. In the case of visiting the Mental Health Foundation of New Zealand, they have apparently just shared my information and given permission for me to be tracked across multiple devices without asking for my permission or seeking my consent at any time. Apparently they are doing this to hundreds of caregivers, family, friends and to the vulnerable people themselves.

Is that really what they mean by their motto, “Getting through together”?

Leave a comment