Google Spies on .gov Sites

Shockingly most US government and military websites contain Google Analytics, which sends information about every visitor, on every page, back to Google. Google combines this data with the information it has on that visitor, collected on other websites and in other Google products, and uses it across its products. By itself, the data sent by these websites to Google might be of little value, but Google identifies the visitor via his/her IP address and/or cookies, and adds this data to the user’s ever-growing profile. All of this is done without the knowledge or permission of the user.

Google and its subsidiary YouTube use this information for many purposes, the most benign of which is ad targeting. For example, one might target audiences who were interested in the information on a certain government website. Some Google insiders have direct access to this information.

Theoretically, Google employees can correlate visits to the FBI Tips website with other web activities by the same person, and to aid the persons of interest. Also theoretically, Google can use data from visits to courts’ websites to forecast litigation against it and its partners.

These are  grave violations of our Constitutional rights, especially under the Fourth Amendment. This is also another way in which Google assumes the role of a state actor, which is still subject to all Constitutional restrictions on  government powers.

The presence of Google Analytics on a web page can be detected by sources located under google-analytics[.]com. or by presence of the file analytics.js under any Google domain, like doubleclick[.]net. One can determine when Google Analytics calls home by monitoring traffic to Google domains. Other files from Google domains can also serve as beacons. Some government websites also send data to Facebook, Twitter, Adobe, and less-known aggregators.

Brave browsers with ads blocking eliminates most of these calls.

January 7, 2022 addition

www.uscourts.gov: Google, YouTube, and other companies are notified about each visitor on each page visit! traffic:

9th Circuit of Appeals: Google is notified about each visitor on each page visit! sources:

FEMA: Google analytics is called on each page

DHS: Google analytics is called on each page

tips.fbi.gov: Google Analytics sources. Google knows about every visitor to the FBI tips website.

October 10-20, 2021

The following traffic logs and sources were collected using the Microsoft Edge browser in Texas on October 10, 2021, except where noted. In the Edge menu, this data can be found under More Tools > Developer Tools.

Filtered Traffic Logs

A log of calls to Google after a few clicks on WhiteHouse.gov. Each collect sends visitor’s data to Google.

 

Calls to 3rd parties, including Google and Facebook, when after a few clicks on the U.S. Cyber Command:

 

Calls to 3rd party domains after about a dozen clicks on HHS.gov, FDA.gov, and CDC.gov. Domains ending with .com:

 

Doubleclick.net is another Google domain. Domains ending with .net:

 

3rd party calls on Army.mil homepage (URLs instead of domains).

 

Sources

The CDC (2021-09-01)

 

The Air Force used to be the most cybersecurity aware military branch. Not anymore.

 

U.S. Cyber Command is supposed to protect at least the government websites from data leaks. Instead, it sends information about every viewer, including military and government officials, to Google and Facebook!

 

The US Digital Office (2021-09-01)

 

The Florida Government tries to rein in Google – but its website informs Google about each step of each visitor.

 

The Government of Texas tries to rein in the vicious Big Tech – but its website informs Google, Facebook, and Twitter about each step of each visitor.

 

The Government of California sends visitors’ data to Google and Twitter.

 

The Washington state, home to Microsoft and Amazon, sends information to Google.

 

Google sweet-talks small businesses into installing Google Analytics on their websites because its dashboard nicely presents the data collected from the websites and can provide a better cost/benefit ratio for the sites’ Google ads, but what is it doing on.gov and .mil websites? Even is the government is allowed to collect this data about its web visitors, it must not share it with untrusted third parties.

From Google Analytics Terms:

Google and its wholly owned subsidiaries may retain and use, subject to the terms of its privacy policy … information collected in Your use of the Service. Google will not share Your Customer Data or any Third Party’s Customer Data with any third parties unless Google (i) has Your consent for any Customer Data or any Third Party’s consent for the Third Party’s Customer Data; (ii) concludes that it is required by law or has a good faith belief that access, preservation or disclosure of Customer Data is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or (iii) provides Customer Data in certain limited circumstances to third parties to carry out tasks on Google’s behalf (e.g., billing or data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google.”

There are few exceptions. One is congress.gov, which does not have Google Analytics, but does call Google YouTube, Adobe, and arcgis[.]com.

Minor editing on October 20, 2021; Major addition on January 7, 2022

Leave a Reply

Your email address will not be published. Required fields are marked *