I was preparing to do something for Data Privacy Day on January 28th when I discovered something truly alarming. This year, and every year since 2007, Data Privacy Day has been sponsored by the National Cyber Security Alliance, or NCSA for short. The NCSA took over the “Stay Safe Online” website from Microsoft sometime in 2005 and heavily promotes its Data Privacy Day page each year. The Stay Safe Online website features a tool to “help people” check their privacy settings for a variety of popular websites and services across a range of categories. The problem is that the NCSA website loads a Hotjar tracking script on every page.
What is Hotjar?
Hotjar is a “behavior analytics” company that offers click, move and scroll heatmaps as well as full-blown visitor recordings: a recreation of a person’s viewing session showing where and when they scrolled, where they moved their mouse, what they hovered over, everything they did on the website.
Someone using this tool on the Stay Safe Online website to “update their privacy settings” would actually be helping Hotjar build a profile of information about them, including the sites they shop on, the email service they use, the type of mobile device they have, how they listen to music and share photos and videos, the ride-share services they use, their favorite search engines, social networks, web browsers and more.
Here is an archive of the page, so you can view it without Hotjar tracking you: http://archive.is/fp4Br
Here is the link to the original live “Update your privacy settings” page (Disclaimer: click at your own risk – this page WILL track you!)
Hotjar Tracking Script on Every Page
The StaySafeOnline website uses WordPress as its CMS, and the Hotjar tracking script appears to be placed in the footer template of the WordPress theme, so it is not unique to the “Update your privacy settings” page: Hotjar is tracking your behavior on every single page of the Stay Safe Online website. The use of behavioral analytics tools is especially dangerous on that page, but a website claiming to help people protect their privacy should not be tracking and analyzing user behavior in any capacity, least of all to the extent that tools like Hotjar make possible.
Here is the code as seen in the source code of their website:
What is Hotjar?
In their own words: “Behavior analytics made easy.” They help people visualize their users’ behavior with tools such as:
- Click, move & scroll heatmaps: “Understand what users want, care about and do on your site by visually representing their clicks, taps and scrolling behavior”
- Visitor recordings: “See what your users see – eliminate guesswork with Recordings of real visitor behavior on your site. By seeing your visitor’s clicks, taps and mouse movements…”
AddThis Script on Every Page
To make matters worse, the NCSA has also allowed the infamous AddThis button script on every page. According to the AddThis website, “AddThis offers unparalleled insight into the interests and behaviors of over 1.9 billion web visitors.” Here is the code as seen in the source code of their website:
According to their website, AddThis collects:
- unique IDs such as a cookie ID on your browser;
- IP addresses and information derived from IP addresses, such as geographic location;
- information about your device, such as browser, device type, operating system, the presence or use of ‘apps’, screen resolution, or the preferred language;
- the date and time you visited a Publisher Site or you used the AddThis Toolbar;
- the referring URL and the web search you used to locate and navigate to a Publisher Site;
AddThis uses this information for many reasons, including:
- b) to enable AddThis Publishers and Oracle Marketing & Data Cloud customers and partners to market products and services to you;
- d) to link browsers and apps across devices;
- e) to sync unique identifiers;
“We may share or sell AddThis Data with the following third parties for a commercial purpose: Oracle Marketing & Data Cloud customers and partners, including digital marketers, ad agencies, web publishers, demand side platforms, data management platforms, supply-side platforms and social media networks.”
As well as:
“To respond to government requests, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes.”
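Both sections above describe the same manual check: open the page source and look for the Hotjar loader in the theme footer and the AddThis script tag. The Python script below is an added example written for this article (it is not code from the Stay Safe Online site, from Hotjar, from AddThis, or from the article’s author). It parses a page’s script tags, flags external scripts served from hotjar.com or addthis.com, flags inline loaders by strings the two vendors’ public snippets contain, and, given several pages, reports which vendors appear on all of them, which is what a script placed in a shared WordPress footer template looks like. The detection rules, the example.invalid URLs and the sample HTML are assumptions constructed for the example; the hjid and pubid values are placeholders, not the site’s real identifiers.

```python
"""Audit page HTML for third-party behaviour-tracking scripts.

Added example for this article, not code from the Stay Safe Online site or
from the article's author. The sample HTML is CONSTRUCTED to mimic a
WordPress footer carrying both loaders, with placeholder IDs.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed detection rules, based on the shape of the vendors' public snippets.
TRACKER_DOMAINS = {"hotjar.com": "Hotjar", "addthis.com": "AddThis"}
INLINE_MARKERS = {"_hjSettings": "Hotjar", "static.hotjar.com": "Hotjar",
                  "addthis_widget.js": "AddThis", "addthis_config": "AddThis"}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def find_trackers(html):
    """Return {vendor: [evidence, ...]} for every tracker found in one page."""
    parser = ScriptCollector()
    parser.feed(html)
    found = {}
    for src in parser.external:
        # Protocol-relative "//host/path" URLs are common in older themes.
        url = "https:" + src if src.startswith("//") else src
        host = (urlparse(url).hostname or "").lower()
        for domain, vendor in TRACKER_DOMAINS.items():
            if host == domain or host.endswith("." + domain):
                found.setdefault(vendor, []).append(src)
    for body in parser.inline:
        for marker, vendor in INLINE_MARKERS.items():
            if marker in body:
                found.setdefault(vendor, []).append(f"inline script containing {marker!r}")
    return found


def sitewide_trackers(pages):
    """Vendors present on every page of {url: html}: the signature of a loader
    placed in a shared template (e.g. a theme footer) rather than on one page."""
    vendor_sets = [set(find_trackers(html)) for html in pages.values()]
    return sorted(set.intersection(*vendor_sets)) if vendor_sets else []


# Constructed footer shaped like the vendors' public snippets; IDs are placeholders.
TRACKING_FOOTER = """
<script>
(function(h,o,t,j,a,r){h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
h._hjSettings={hjid:0,hjsv:6};a=o.getElementsByTagName('head')[0];
r=o.createElement('script');r.async=1;r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
a.appendChild(r);})(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');
</script>
<script type="text/javascript" src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-placeholder"></script>
"""

# Two constructed pages that share the footer (hypothetical URLs).
JQUERY = '<script src="/wp-includes/js/jquery/jquery.js"></script>'
SAMPLE_SITE = {
    "https://example.invalid/": "<html><head>" + JQUERY + "</head><body><h1>Home</h1>"
                                + TRACKING_FOOTER + "</body></html>",
    "https://example.invalid/privacy-settings/": "<html><head>" + JQUERY + "</head><body>"
                                                 "<h1>Update your privacy settings</h1>"
                                                 + TRACKING_FOOTER + "</body></html>",
}
CLEAN_PAGE = "<html><head>" + JQUERY + "</head><body><p>No trackers here.</p></body></html>"

if __name__ == "__main__":
    for url, html in SAMPLE_SITE.items():
        print(url)
        for vendor, evidence in find_trackers(html).items():
            print(f"  {vendor}: {evidence}")
    print("on every page:", sitewide_trackers(SAMPLE_SITE))
```

A static scan like this only sees loaders written into the HTML. A tracker injected at runtime by a tag manager or by another script shows up only in a browser’s network log, so treat an empty result as “nothing found in the source”, not as “no tracking”.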
Who is the NCSA?
The National Cyber Security Alliance (NCSA) is a unique partnership among the Federal government, leading private-sector companies, trade associations and educational organizations.
Let’s first look at their board members, which include people from:
- Raytheon – a US defense contractor, which also owns Raytheon Intelligence, Information and Services, a division specializing in intelligence, surveillance and reconnaissance; advanced cybersecurity solutions; and information-based solutions for homeland security.
- Uber (which makes the ride-share section of the privacy-settings tool make more sense)
- Eli Lilly (a pharmaceutical company)
- ADP Payroll Services
- American Express
- Bank of America
- U.S. Bank
“He has collaborated and worked closely with a variety of top government agencies, including the Central Intelligence Agency, Federal Bureau of Investigation, Department of Defense, National Defense Information Sharing and Analysis Center, National Security Agency and internally with the Department of Homeland Security’s Office of Cybersecurity and Communications. He has also worked on the President’s National Security Telecommunications Advisory Committee during portions of the George W. Bush and Barack Obama administrations. In the early stages of Obama’s first term, Coleman served as a member of the White House National Security Staff, coordinating cybersecurity policy with the intelligence community as well as state, local, international and private-sector organizations.”

We reached out to the NCSA and Stay Safe Online for comment and will update this article with any responses we receive.

This website certainly seems legitimate, and it is presented as a useful non-profit site dedicated to helping you protect your privacy. However, a quick review of its source code reveals extremely powerful third-party tracking scripts capable of recording every mouse movement, scroll and click you make. As we have said before: “Don’t Trust. Verify.”
About Chris Miller
SVP of Marketing for Private Internet Access, online privacy and freedom advocate and activist, musician, marketing geek and nature lover.