Tracking cookies found on G20 government websites • The Register

We expect some amount of cookie-based tracking on retail websites and social media, but in some countries up to 90% of government sites have trackers in place – and apparently distribute them without the user’s consent.

A study rated over 118,000 URLs from 5,500 government websites – think .gov,,, etc. – hosted in the world’s twenty largest economies – the G20 – and discovered a surprising tracking cookie issue, even among countries party to the European GDPR and those with their own data privacy regulations.

On average, the study found that more than half of the cookies created on G20 government websites were third-party cookies, meaning they were created by outside entities typically to collect information about the user. At least 10%, up to 90%, comes from known third-party cookies or trackers, we’re told.

The report, published by IMDEA, a research center in Madrid, Spain, explained the ramifications of tracking cookies on government websites beyond regulatory violations.

“Firstly, it breaks trust between citizens and authorities. Secondly, it enables large-scale surveillance, monitoring and tracking. If this happens by third parties, it is worrying because it shows poor site design web that relies on external entities that can monitor interactions [between] the public [and] the government,” the IMDEA team writes in their article.

“It appears that despite great efforts to promote regulations like GDPR, government sites themselves are still unclear about the tracking practices targeted by such regulations,” the report concludes.

As well as focusing on government agency websites, the study also put international organizations and COVID-19-related websites under the lens, finding that more than 90% of these sites hosted tracking cookies. , of which just over 60% are from third parties.

Who put these cookies at hand?

The natural conclusion might be to suspect government spying, but the study concluded that third-party tracking cookies are usually the product of negligent webmastering.

“Many of these trackers are added because many government sites include links to social networks such as Facebook and LinkedIn and links to videos hosted on YouTube or Vimeo,” IMDEA said. Additional trackers can come from analytics tools and the use of web code libraries, which according to the study can also act as trackers.

Tracking cookie data varies wildly from country to country, but the existence of cookies on government websites does not change: even among the countries with the fewest cookies – Japan and India – nearly 80% of government sites used cookies.

Third-party and tracking cookies are the worst in Russia, where more than 90% of sites contain one or both. Mexico, China and Indonesia follow, with around 70% of their websites containing third-party and/or tracking cookies.

In the US, just under 60% of government sites have such cookies, and the UK is only a few points better. Canada actually does worse than the United States, but only by a few percentage points. Australia fares slightly better, with just under 50% of its government sites offering problematic cookies.

Those in Germany are the safest, where less than 30% of government websites contain third-party or tracking cookies. India, South Korea and Argentina follow, with less than 40% of their sites containing cookies.

Website designers and contractors working for G20 governments “should take extra care to avoid including plugins for social media, commercial video portals, publishers and avoid links that download content from from these websites”, as well as avoiding software and libraries known to leak private information.

Third-party tracking cookies have become a common target for privacy advocates in recent years. Mozilla has taken steps to kill third-party cookies in Firefox, for example, and the privacy-conscious browser Brave has done the same.

Google also announced plans to break third-party cookies in Chrome, but pushed the date back to 2023 and may not go down the originally promised path. ®