Google Spies on .gov Sites

It is hard to believe, but most US government and military websites contain Google Analytics, which sends information about every visitor on every page back to Google. Google combines this data with the information it has on that visitor, collected on other websites and in other Google products, and uses it across its products.

This is a grave violation of our Constitutional rights, especially under the Fourth Amendment. This is also another way in which Google is assuming the role of a state actor, one still subject to all Constitutional restrictions on government powers.

The presence of Google Analytics on a web page can be detected by sources loaded from google-analytics[.]com, or by the presence of the file analytics.js under any Google domain, like doubleclick[.]net. One can determine when Google Analytics calls home by monitoring traffic to Google domains. Other files from Google domains can also serve as beacons. Some government websites also send data to Facebook, Twitter, Adobe, and less-known aggregators.

Google uses this information for many purposes, ad targeting being the most benign of them. For example, one might target audiences that are like the visitors on a certain government website. Some Google insiders have direct access to this information.

The following traffic logs and sources were collected using the Microsoft Edge browser in Texas on October 10, 2021, except where noted. In the Edge menu, this data can be found under More Tools > Developer Tools.
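As an added example (not the author's tooling): one way to repeat this check is to export the Developer Tools Network log as a HAR file, list the third-party hosts it contains, and flag requests matching the Google Analytics indicators described above. The sample HAR, the `agency.example` site name, and the short Google domain list are assumptions constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Google domains named on this page; an assumption, extend for a real audit.
GOOGLE_DOMAINS = ("google-analytics.com", "doubleclick.net")

# Constructed sample in HAR layout (log -> entries -> request); not captured traffic.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.agency.example/"}},
    {"request": {"method": "GET", "url": "https://static.agency.example/site.css"}},
    {"request": {"method": "GET", "url": "https://www.google-analytics.com/analytics.js"}},
    {"request": {"method": "POST", "url": "https://www.google-analytics.com/j/collect?v=1&t=pageview"}},
    {"request": {"method": "GET", "url": "https://stats.g.doubleclick.net/j/collect?v=1"}},
    {"request": {"method": "GET", "url": "https://connect.facebook.net/en_US/fbevents.js"}},
    {"request": {"method": "GET", "url": "data:image/png;base64,AAAA"}},
]}})

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit(har_text, first_party):
    """Return (Counter of third-party hosts, list of Google Analytics request URLs)."""
    hosts, ga_requests = Counter(), []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Skip data:/blob: URLs and anything served by the site itself.
        if parts.scheme not in ("http", "https") or not host or under(host, first_party):
            continue
        hosts[host] += 1
        last_segment = parts.path.rsplit("/", 1)[-1]
        on_google = any(under(host, d) for d in GOOGLE_DOMAINS)
        # Indicators: anything from google-analytics.com, or analytics.js / collect
        # served from another listed Google domain.
        if under(host, "google-analytics.com") or (
                on_google and last_segment in ("analytics.js", "collect")):
            ga_requests.append(url)
    return hosts, ga_requests

if __name__ == "__main__":
    hosts, ga_requests = audit(SAMPLE_HAR, "agency.example")
    for host, count in sorted(hosts.items()):
        print(f"{count:3d}  {host}")
    print("Google Analytics requests:", *ga_requests, sep="\n  ")
```

To audit a real page, pass the contents of the exported `.har` file and the site's own domain to `audit()` in place of the sample.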

Filtered Traffic Logs

A log of calls to Google after a few clicks on WhiteHouse.gov. Each collect request sends the visitor’s data to Google.

 

Calls to 3rd parties, including Google and Facebook, after a few clicks on the U.S. Cyber Command website:

 

Calls to 3rd party domains after about a dozen clicks on HHS.gov, FDA.gov, and CDC.gov. Domains ending with .com:

 

Doubleclick.net is another Google domain. Domains ending with .net:

 

3rd party calls on the Army.mil homepage (URLs instead of domains).

 

Sources

The CDC (2021-09-01)

 

The Air Force used to be the most cybersecurity aware military branch. Not anymore.

 

U.S. Cyber Command is supposed to protect at least the government websites from data leaks. Instead, it sends information about every viewer, including military and government officials, to Google and Facebook!

 

The US Digital Office (2021-09-01)

 

The Florida Government tries to rein in Google – but its website informs Google about each step of each visitor.

 

The Government of Texas tries to rein in the vicious Big Tech – but its website informs Google, Facebook, and Twitter about each step of each visitor.

 

The Government of California sends visitors’ data to Google and Twitter.

 

Washington state, home to Microsoft and Amazon, sends information to Google.

 

Google sweet-talks small businesses into installing Google Analytics on their websites because its dashboard nicely presents the data collected from the websites and can provide a better cost/benefit ratio for the sites’ Google ads, but what is it doing on .gov and .mil websites? Even if the government is allowed to collect this data about its web visitors, it must not share it with untrusted third parties.

From Google Analytics Terms:

“Google and its wholly owned subsidiaries may retain and use, subject to the terms of its privacy policy … information collected in Your use of the Service. Google will not share Your Customer Data or any Third Party’s Customer Data with any third parties unless Google (i) has Your consent for any Customer Data or any Third Party’s consent for the Third Party’s Customer Data; (ii) concludes that it is required by law or has a good faith belief that access, preservation or disclosure of Customer Data is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or (iii) provides Customer Data in certain limited circumstances to third parties to carry out tasks on Google’s behalf (e.g., billing or data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google.”

There are few exceptions. One is congress.gov, which does not have Google Analytics, but does call Google YouTube, Adobe, and arcgis[.]com.

Minor editing on October 20, 2021
