BOOK THIS SPACE FOR AD
ARTICLE ADExclusive At least 18 public-sector websites in the UK and US send visitor data in some form to various web advertising brokers – including an ad-tech biz in China involved in past privacy controversies, a security firm claims.
Silent Push, which identified the websites, will today argue in a report provided to The Register that this raises concerns about compliance with rules limiting ads on government websites as well as concerns about online privacy.
In the US, .gov websites are not supposed to run ads. In the UK, ads are allowed on .gov.uk websites, subject to some limitations. The .gov and .gov.uk sites flagged by Silent Push each publish an ads.txt file that spells out the businesses allowed to automatically sell that site's ad space to advertisers as a visitor arrives.
For those who don't know, websites can sell ad space to advertisers in real-time via exchanges or brokers just as visitors land on pages; this typically involves trading pseudonymous information about those visitors so that, for instance, an advertiser can bid higher for an ad slot if the netizen is deemed valuable. Ads.txt lists the outfits allowed to sell this ad space inventory on behalf of a site, and Silent Push found a bunch of UK and US government websites with that file listing various advertising exchanges and resellers ranging from Google (like what El Reg uses) to one in China.
"Ad tech integrated into government websites is generally a bad idea and there's good reason the US government bans the practice across their .gov namespace," explained Zach Edwards, senior threat analyst at Silent Push, in an email to The Register. "It's slightly shocking to see so many UK council websites with online ads."
One of the ad-tech vendors used by the .gov.uk sites, and highlighted by Silent Push, is Yeahmobi. This Chinese entity reportedly had its mobile ad SDK removed from the Google Play Store in 2018 for alleged ad fraud. Yeahmobi did not respond to requests for comment.
Edwards' concern is that these advertising brokers may have access to data associated with website visitors, such as their IP addresses and other identifiers. Netizens may not expect this when visiting a public-sector portal.
Silent Push's report identifies four .gov sites that, in our experience, do not display adverts though do ping web ad platforms, do list various exchanges in their ads.txt files, and may break US government CISA rules. In the UK, it's a different story, as 18 sites identified by Silent Push use Yeahmobi among others to display ads somewhere on pages. Here's a selection:
Transport for London: ads.txt Derbyshire Dales District Council: ads.txt Walsall Council: ads.txt The Met Office: ads.txtThe .gov.uk websites have the files app-ads.txt and sellers.json as well as ads.txt that declare approved ad tech partners. App-ads.txt is used for adverts delivered through mobile apps. They're all designed to, ideally, mitigate advertising fraud.
"Ad bidding is a complex process," the Silent Push report explains. "In a nutshell, on these sites, user data is ingested via Google advertising endpoints. The visitor's IP address (or partial IP address), user agent device (ie device type), and browser details then are shared with ad exchange partners via server-side data sharing."
The entities in the ads.txt file then get that data, unless the publisher has taken the unusual step of opting out.
Thereafter, the report explains, those ad platforms and any intermediaries have the chance to submit bids in the ad space auction. The winning bidder gets to serve an ad to the website and also has the opportunity to sync data back through ad tech partners, which may include click data if the person seeing the ad navigates through to the advertised destination page.
The Register asked a technologist familiar with government websites (who asked not to be identified) about the Silent Push findings. They were not worried, absent any evidence the ads are funneling data back to China.
'Unbridled'
Jason Kint, CEO of Digital Content Next, a trade group for digital content producers, showed a bit more concern. "I think it's fair to say a UK or US government website wouldn't intentionally pass its citizens' data to a Chinese entity, so this just speaks to the unbridled nature of ad tech and user data that is mined and monetized through it," he told The Register.
"It's also reasonable to assume most UK citizens wouldn't want their personal data passed to a Chinese entity," he added.
Silent's Edwards pushed back against the suggestion there's nothing to see here. "Ads.txt and app-ads.txt includes the entities authorized to bid on the website visitors to show ads," he noted.
"The organizations do not drop trackers onto the page by default, [but] they are getting data via the advertising bid stream – the server-side data sharing that occurs globally trillions of times per day.
"So these organizations don't all immediately get JavaScript access to drop on the page but they do get payloads from the bid stream – and by default it includes sensitive fields, like the device IP address. There are settings that publishers can toggle on to limit some of the personal data from being shared via the bid stream, but there's no indication this is on for these UK sites – especially based on the significant number of vendors that are authorized by the domains."
UK government to set deadline for removal of Chinese surveillance cams UK elections are unaffected by China's cyber-interference, says deputy PM Five Eyes intel chiefs warn China's IP theft program now at 'unprecedented' levels Over a million Neighbourhood Watch members exposed through web app bugThis is not quite the same concern as tracking pixels on public-sector websites. But it's similar, according to Edwards, who noted privacy promises in the ad-bidding world have been challenged in court.
"The JavaScript of [tracking] pixels captures similar data that the JavaScript of real-time bidding endpoints collects, with the core difference being that pixels can set a cookie on your browser immediately, whereas in ad tech the thousands or tens of thousands of entities with opportunities to bid don't get an opportunity to put a cookie on your computer unless they win an auction – and then only through approved attribution vendors," he explained.
"Ad buyers only get their own direct opportunity to put cookies or execute JavaScript in your browser if you click on the ads."
Edwards said his hope is that making government officials more aware that this is happening in the UK and US will lead to stronger policies that explicitly ban ads on government websites. ®