A common theme when trying to report unlawful tracking on websites and apps is that it can be ambiguous whether CVD is meant for these kinds of issues. Is it really a security vulnerability or even a breach of security? My assumption is that generally security policies dictate that security measures are in place to protect against unauthorised and unlawful disclosures of personal data. If that’s the case, when I find unlawful disclosure of personal data I assume there has been a breach of security policy or even technical measures and that it’s fair to report under CVD to allow the organisation to stop the breach and take appropriate measures to prevent further breaches.
The alternative is that the unlawful disclosure has been intentional. That’s an uncomfortable situation to admit.
In my experience bug bounty programs tend to have a hard time accepting reports like these. They don’t fit the kind of report that bug bounty programs generally handle. And it’s not always clear that the relevant security measures are there to protect the organisation. While talking about this with someone working at Zerocopter I asked how they would deal with such reports. The response was: why don’t you try it? Fair enough.
On September 2nd 2022 I reported to Zerocopter’s own platform that Zerocopter is collecting and transferring personal data of its website visitors to Bing, Doubleclick, Google Ads and Google Analytics (with some legal nuances for Google Analytics). While Zerocopter has handled the report quite well, there are two significant points to make. Zerocopter promises to respond to reports with an evaluation and expected resolution date within five business days. It has been almost nine months at the time of writing and I have received partial information about a resolution. However, Zerocopter is not fully to blame for the long delays and lack of clarity; more details follow below. The second remarkable point is that after 6 months of back-and-forth communication Zerocopter has indicated that there has in fact not been a breach of security. The collection and transfer of personal data of their website visitors to the third parties mentioned earlier, without prior consent, was in fact done on purpose by Zerocopter. That was unexpected.
Reported issues and possible remediation steps
| | Google Analytics | google.com | Doubleclick | Bing |
|---|---|---|---|---|
| Stop the transfer | Yes | Yes | Yes | Yes |
| Delete data | Yes | No¹ | No¹ | No¹ |
| Inform data subjects² | No | No | No | No |
Assessment of report
My main goal with the report was to see how Zerocopter would assess it. My own assessment, following the Zerocopter guide for assessment, leads to a score of four times high (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). My main misjudgement was that I assumed the unlawful processing was unintended. On March 9th 2023 (six months after reporting) Zerocopter informed me that my report was assessed as 0.0 informational: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N. I did get two t-shirts, and Zerocopter has spent quite some time fixing the issues I reported. Zerocopter did clarify on June 1st 2023 that if the data transfer had been unintentional, my calculation of the risk score would have been correct.
In addition to the clarification of the hypothetical score for the report, Zerocopter provided four points of clarification (paraphrased by me):
- The transfer of personal data to the Google and Microsoft advertising networks was intentional and Zerocopter doesn’t see Google and Microsoft as an attacker.
- Zerocopter trusted a Dutch marketing agency to provide knowledge of GDPR compliance and to implement the processing in a compliant way.
- Zerocopter is still working on getting Google Doubleclick and Microsoft’s Bing to delete the data.
- Zerocopter has learned from my report and is still learning.
Partial timeline
- 2022-09-02: Report issues to Zerocopter
- 2022-09-06: First informal acknowledgement that Zerocopter has received the report with request to explain the legal underpinning of the report.
- 2022-11-22: Reminder sent to Zerocopter.
- 2022-12-01: Another reminder sent after a short re-check to see that some issues are improved.
- 2022-12-05: First (incomplete) assessment of the report without expected timeline for fix. The same day I responded with an assessment of the response and a table of still unresolved issues.
- 2022-12-14: Sent templates for e-mails and contact information to request the personal data to be deleted to Zerocopter, as requested.
- 2023-02-21: Another reminder sent about unresolved issues.
- 2023-03-06: Another reminder sent.
- 2023-03-09: Received explanation that GA data has been deleted after four months and multiple escalations. Google and Microsoft seem to be unresponsive to further data deletion requests. The same day I responded to ask for clarification to be able to publish this blogpost.
- 2023-05-21: Zerocopter did not provide a response to my clarification request. I sent them the draft of this blogpost for a final opportunity to provide comments.
- 2023-06-01: Zerocopter provided feedback on my blogpost and the feedback is processed in my blogpost.
Lessons learned
While far from perfect, it was obvious that Zerocopter spent quite some time trying to fix the issues I reported. The main blocking issue from my perspective seems to be the complicated nature of dealing with other data controllers who have received the data. Getting Google and Microsoft to delete the personal data seems to be unreasonably hard. The same issue is also apparent from one of my other blogposts about online tracking at the websites of Dutch political parties. However, when the Dutch DPA experienced a similar issue (See page 28 of the yearly report 2022), the Dutch DPA was able to get some third parties to confirm deletion of similarly collected personal data. I hope the DPA will spend some enforcement effort on the issue of cleaning up unlawfully collected personal data.
From a bug bounty platform perspective it is of course unacceptable to take six months to provide an assessment of a report. However, I did knowingly report an issue that is on the edge of what bug bounty platforms generally deal with. And the assessment was not really what I was looking for, because Zerocopter decided after six months, after spending time to fix it, that it was actually working as intended, so it’s a non-issue. But I do have an answer on how Zerocopter would assess such a report when the unlawful processing is not intentional. That could mean that a common and easy to find issue might be rewarded as a significant finding in bug bounties. It might be a good idea for bug bounty hunters to learn about ePrivacy law.
Checklist
After bothering Zerocopter with a difficult issue, what would I recommend others to do in a similar situation?
- Check your website for unlawful tracking. Don’t (blindly) trust the people building your website (like the Dutch DPA). You can use Webbkoll or other tools, and make sure you have a legal basis for all processing of personal data.
- Consider reporting a data breach (articles 33 and 34 of the GDPR) if you discover that personal data is leaking to third parties by accident. This is uncomfortable, but consider that if it’s not accidental you have to inform data subjects anyway.
- Stop collecting/leaking new personal data or make sure you have a legal ground (often consent). The right approach can vary depending on the context but can include:
  - Completely remove third party content (tracking pixels/javascripts, embedded videos, social media plugins, etc.),
  - Find non-tracking alternatives for some content you want to keep, for example non-tracking video hosting.
  - Implement a consent banner and tag manager to make sure that content that tracks users only loads after visitors have given informed consent.
- Contact the companies where personal data has leaked to, to inform them that the personal data has been unlawfully collected and should be deleted. These requests can be sent to the DPO or other privacy-related contact points. Below is a sample request, with the parts to fill in between square brackets:

> Dear sir/madam,
>
> On [date] we at [Company name] were notified that our websites contained [description] tracking without consent from data subjects. [Tracking Company] has collected personal data about the visitors on our website, including the identifier in the [cookie name] cookie. We made an effort to stop further collection of new personal data without consent. As joint controllers we are both obligated to also make sure the personal data that has been collected is destroyed. We request that [Tracking Company] delete all personal data collected from the following websites and let us know when the data has been deleted: [Website 1, Website 2, …]
>
> Kind regards,
>
> [Name]
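The first checklist item, checking your own site for tracking that loads before consent, can be given a quick first pass with a static scan of the page HTML. The script below is an added example written for this post (not a Zerocopter or Webbkoll tool): it extracts the hosts a browser would request while rendering the page and flags those belonging to the ad and analytics networks named above. The list of tracker domains and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffixes of the ad/analytics networks named in the post.
# Assumption: illustrative list written for this example, not exhaustive.
TRACKER_SUFFIXES = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Analytics / Tag Manager",
    "doubleclick.net": "Doubleclick",
    "googleadservices.com": "Google Ads",
    "bing.com": "Bing (UET tag)",
}

class ResourceCollector(HTMLParser):
    """Collects URLs the browser fetches while rendering the page."""
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def third_party_hosts(html, first_party):
    """Hostnames of resources not served by the first-party domain."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host != first_party and not host.endswith("." + first_party):
            hosts.add(host)
    return hosts

def flag_trackers(hosts):
    """Map each host to the tracker network it belongs to, if any."""
    return {h: n for h in hosts for s, n in TRACKER_SUFFIXES.items()
            if h == s or h.endswith("." + s)}

# Constructed sample page: the tags load unconditionally, with no consent gate.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://bat.bing.com/bat.js"></script>
<script src="https://www.example.com/js/app.js"></script>
</head><body>
<img src="https://ad.doubleclick.net/ddm/activity/src=1;type=x;cat=y" width="1" height="1">
</body></html>"""
```

A static scan only sees tags present in the HTML, not requests added by scripts at runtime or after a consent banner is clicked, so a browser-based tool such as Webbkoll remains the more complete check.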
¹ Requests to delete the data have been sent to the respective data controllers, but no confirmation of deletion has been received.
² Data subjects have to be informed according to either article 14 or 34 of the GDPR, depending on whether you view this as a breach or as intended processing. Zerocopter is working on a new privacy statement, but that is not sufficient to retroactively inform past visitors about the processing.