Case Study Summary
Case Study Focus
The case study will focus on 2 areas of interest.
Second, the privacy practices will be assessed operationally as practiced with particular emphasis. This assessment relies on various tools designed to identify the presence of electronic ‘trackers’ based on pre-defined fingerprints of cloud devices, including those that fall under the category of cookies, Flash cookies, web beacons, local shared objects (LSO), social widgets used for collecting site analytics, behavioral analytics, content filtering, ad programs, and user tracking.
Case Study Findings
Although some compliance issues were expected, the extent of the perceived compliance gaps was so significant that spot checks of other public institutions in Arkansas were also performed. Sadly, these spot checks revealed that compliance with the 2004 compliance deadline appears to be a major failure amongst colleges and universities.
Effective July 1, 2004, Arkansas Act 1713 of 2003 established requirements for state and local governments and agencies to incorporate machine readable privacy policies into their web sites.
Arkansas Act 1713 of 2003
AN ACT TO REQUIRE STATE AND LOCAL GOVERNMENTS AND STATE AGENCIES TO INCORPORATE MACHINE READABLE PRIVACY POLICIES INTO THEIR WEBSITES.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:
(1)(A) A description of the data the unit of government or agency collects on its website and how the data will be used by the unit of government or agency;
(B) The type of data and the purposes for which data is shared with other entities;
(C) Whether the unit of government’s or agency’s data collecting and sharing practices are mandatory, or allow a browser to opt in or opt out of those practices; and
(D) An explanation that certain information collected by the governmental unit or agency is subject to disclosure under the Arkansas Freedom of Information Act of 1967, § 25-19-105 et seq.; and
(2) A link to, or instructions for, locating the website’s policy reference file, which shall identify the uniform resource locator for the website’s policy statements and shall indicate those portions of the website and the website’s cookies that are covered by each statement; and
Arkansas Colleges and Universities
To illustrate the privacy concern with this practice, a search on “venereal disease” was executed and the Facebook widget traffic examined (below), which reveals the search terms and my personal Facebook profile ID being passed to Facebook.com, showing that I have searched for “venereal disease”.
A very similar process of personally identifiable data collection and sharing occurs when using the library catalog search function with Google and Google Books cookies.
To further evaluate the prevalence of web trackers in use by Arkansas colleges and universities, an examination was performed on public and private colleges and universities in Arkansas using a seed list of each institution’s main website. This examination was performed using a web crawler designed specifically to crawl sites looking for the fingerprints of trackers, using a database of 900+ trackers.
In this context, the term trackers refers to first-party cookies, third-party cookies, scripts, web beacons and widget technologies used in conjunction with web and user analytics, advertising, tracking, social sharing, and social login.
The scan results shown here (below) reflect only the site homepage (link level 0) and the known trackers found there. The results are color coded to show the institutions in yellow, all Google trackers in green, Facebook in dark blue and all other trackers in red.
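A link level 0 scan of this kind can be sketched as follows. This is an added example, not the crawler used in the case study: the fingerprint table, the `tracker.example` and `university.example` hosts, and the sample homepage are constructed, and the groups mirror the Google / Facebook / other color coding described above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed fingerprint table (host suffix -> tracker name, group); the
# crawler described above used a database of 900+ fingerprints instead.
FINGERPRINTS = {
    "google-analytics.com": ("Google Analytics", "google"),
    "connect.facebook.net": ("Facebook Connect", "facebook"),
    "facebook.com": ("Facebook Social Plugins", "facebook"),
    "tracker.example": ("Example Ad Beacon", "other"),
}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # URLs a browser would fetch while rendering the page
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.urls.append(src)

def scan_homepage(html, site_host):
    """Return sorted (group, tracker, host) tuples for known trackers found."""
    collector = ResourceCollector()
    collector.feed(html)
    found = set()
    for url in collector.urls:
        host = (urlparse(url).hostname or site_host).lower()
        if host == site_host or host.endswith("." + site_host):
            continue  # first-party resource, coded as the institution itself
        for suffix, (name, group) in FINGERPRINTS.items():
            if host == suffix or host.endswith("." + suffix):
                found.add((group, name, host))
    return sorted(found)

# Constructed homepage of a hypothetical institution, university.example.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
</head><body>
<img src="https://px.tracker.example/b.gif?id=1" width="1" height="1">
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
<img src="https://cdn.university.example/logo.png">
</body></html>"""

if __name__ == "__main__":
    for group, name, host in scan_homepage(SAMPLE_HTML, "university.example"):
        print(f"{group:9} {name:24} {host}")
```

Static HTML only shows resources referenced in the markup; trackers injected by scripts at run time need a crawler that renders the page.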
“Thank you for visiting the websites of Arkansas State University (ASU). Your privacy is very important to us. We have created this statement to demonstrate our commitment to online privacy and to comply with Arkansas Act 1713 of 2003.
We collect no personal information about you when you visit our sites, unless you choose to make such information available to us. When you visit any site hosted by ASU, our server automatically recognizes the Internet domain and IP address from which you accessed our site. This information does not result in the identification of your personal e-mail address or any other personal information.
In addition, we monitor the volume and timing of access to the site by collecting information on the date, time, and pages accessed by visitors. The information we collect is used to better understand general site usage patterns, improve site usability, and improve the content of the site. None of this information is shared with other organizations or tied to any individual user.
If you choose to share personal information with us — by sending us an email message or filling out an electronic form with personal information — we will use the information only for the purposes you authorized. Some of the information may be saved for a designated period to comply with Arkansas’ archiving policies, but we will not disclose the information to third parties or other government agencies, unless required to do so by state or federal law.
ASU sites contain links to other sites, not hosted by ASU. Neither ASU, nor any ASU employee, are responsible for the privacy practices or the content of those sites.”
The result of these additional assessment steps is two main conclusions:
- The ASU websites’ data collection and sharing practices are not consistent with several formal institutional policies related to privacy, advertising, and data collection.
The following examples illustrate these findings.
Human Research Policy
Human Research Policy (Number 02-03) affirms the ethical requirements for conducting research on human subjects at the university. The Policy establishes the Belmont Report principles as the governing standard, which includes, among other things, informed consent of subjects and confidentiality in reporting research data.
The Policy sets forth the following definition:
“Under the terms of this policy, any systematic activity involving the collection and/or analysis of data on human subjects for the purpose of advancing generalizable knowledge qualifies as human research, unless this activity is specifically exempted by current Federal regulations.”
The Policy is silent on the specific collection of data on human subjects by ASU and third parties via the institution’s websites, which in several cases would fall under the definition provided in the Policy.
Moreover, it is assumed that a researcher interested in obtaining social media data on students or employees would be required to seek approval under this policy, whereas the collection, aggregation and analysis of this same data by others does not require it.
Taping/Filming of Movies, Commercials and Documentaries Policy
Taping/Filming of Movies, Commercials and Documentaries Policy (Number 06-20) defines the requirements for filming on campus. The particular provision of this policy relevant to online privacy is its requirement on the producer of “obtaining permission for taping/filming of occupants of all university housing facilities”.
However, the online browsing histories of university housing residents are collected by ASU websites, which many would argue is far more invasive and potentially detrimental than capturing their images.
This then begs the question as to the privacy rights of those persons whose images are being captured, potentially tracked or analyzed by behavioral analytics software using these systems, which almost certainly contain analytics or other web tracking elements.
- What are all of the ASU operated or maintained website(s)?
- A description of the data the unit of government or agency collects on its website and how the data will be used by the unit of government or agency;
- The type of data and the purposes for which data is shared with other entities;
- Whether the data collection and sharing is mandatory, or allows a browser to opt in or opt out.
- An explanation that certain information collected is subject to disclosure under the Arkansas Freedom of Information Act of 1967, § 25-19-105 et seq.
- Determine what data are being collected by each of the websites operated or maintained by ASU.
- Determine what data is being shared by ASU with other entities.
- Is each of the data items being collected and/or shared described, including how it is used?
- Does the description of any data being shared include the purpose for sharing the data?
- For the data being collected and/or shared, does the description indicate whether it is mandatory or whether there are allowances for opt-in or opt-out?
- For the data being collected or shared does the description indicate if the data are subject to FOIA?
“None of this information is shared with other organizations or tied to any individual user.”
This declaration appears to be wholly inaccurate technically and operationally.
The evidence for this conclusion comes from examining the ASU websites for evidence of known web trackers which collect and share site user data. Shown here is the Collusion graph for just three ASU websites.
This particular output shows the results from visiting only 5 university website pages. The 3 sites actually visited, astate.edu, mycampus.astate.edu, and asbtdc-asu.com, are highlighted by the blue halo.
Also shown are the 32 other sites that were not visited but were informed of the page visits. 5 of these sites, shown with a red halo, are advertisers, market researchers and data aggregators.
Additional insights were developed by using the Track the Tracker crawler on select university sites to link level 1. This shows similar results in a simpler visual, with a variety of analytics, social sharing, trackers, and widgets used on just these sites at a very shallow link level.
To gain a truer picture, a URL harvester was used to obtain the primary subdomains, the internal link level 2 and 3 URLs, and the university sites operated outside of the .edu domain. This list of URLs was refined to create a seed list for a deeper crawl at link level 2 & 3 and below, revealing an even greater number of trackers.
For a regular user of Arkansas State University websites, this more detailed examination reveals the reality of the data collection and sharing of user browsing history across all properties. This detail also offers a perspective that is likely going unrealized by the ASU privacy or compliance officer or the CIO and other members of the university leadership.
Additionally, it would seem reasonable to conclude that the users of ASU websites (the students, employees and the public) are also not aware of the extent to which their online history is being tracked and shared with third-party commercial entities.
To better understand the implications of this degree of user tracking, some specific ASU websites were examined in more detail.
Arkansas State University MyCampus Portal
Although this policy acknowledges the use of Google tracking tools, it fails to address the other tools collecting and sharing the user’s browsing history data.
Arkansas State University Library
An examination of the ASU catalog website in operation reveals that the search page and search results pages set a series of cookies under the ASU library domain for syndetics.com (a third party), Google.com and books.google.com. Some of the Google cookies will not expire for 10 years.
Similar issues exist with the searchable databases, some of which include ezproxy authentication.
Arkansas State University Event Tickets
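The cookie finding above can be checked mechanically from captured response headers. The following is an added example, not a tool used in the case study: the hosts under `vendor.example` and `university.example`, the cookie values and the one-year threshold are constructed assumptions, and "third party" is judged here by the host that sent the `Set-Cookie` header.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def cookie_lifetime(set_cookie, observed_at):
    """Return (name, lifetime) where lifetime is None for a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return name, timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return name, parsedate_to_datetime(attrs["expires"]) - observed_at
    return name, None

def audit(responses, site_domain, observed_at, max_days=365):
    """List third-party cookies that persist longer than max_days."""
    findings = []
    for host, header in responses:
        name, lifetime = cookie_lifetime(header, observed_at)
        third_party = not (host == site_domain or host.endswith("." + site_domain))
        if third_party and lifetime is not None and lifetime.days > max_days:
            findings.append((host, name, lifetime.days))
    return findings

# Constructed capture: (responding host, Set-Cookie header value).
OBSERVED_AT = datetime(2012, 6, 1, tzinfo=timezone.utc)
RESPONSES = [
    ("library.university.example", "SESSION=abc123; Path=/; HttpOnly"),
    ("books.vendor.example",
     "PREF=ID=0000; Expires=Wed, 01 Jun 2022 00:00:00 GMT; Path=/"),
    ("covers.vendor.example", "uid=42; Max-Age=2592000; Path=/"),
]

if __name__ == "__main__":
    for host, name, days in audit(RESPONSES, "university.example", OBSERVED_AT):
        print(f"{host} sets {name} for {days} days")
```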
Choice Ticketing does use its own cookies and Google Analytics.
Arkansas State University Google Sites
NOTE: The examination of the ASU Google sites also revealed a likely configuration error which allows navigation to the ASU Google Sites from ASU links, including site search results, which are not accessible directly. Additionally, the URL of ASU Google sites can be explored, allowing authentication to be bypassed.
Arkansas State University Athletics
Astateredwolves.com is an official Arkansas State University website, even though it is hosted by a third party, and so would seem to be covered by Arkansas Act 1713 of 2003.
If the site is operated directly under contract by the university as an outsourced service, then the site might be considered an official site under the Arkansas Privacy law.
One method commonly used to establish clarity on what is or is not an official site is a notice to the user that they are leaving an official site or a site covered by the Arkansas Privacy laws. That method of notifying users has not been employed on any third party site regardless of its status as an official university site or not.
Together, the 2 athletics sites depicted here share data with 9 other third-party sites of which 4 are considered trackers.
ASU Small Business and Technology Development Center
NOTE: The footer of this site’s pages carries a copyright attribution for a third party, reserving all rights to the third party, not to the university.
More than any other university website examined in this assessment, the SBTDC sites employ a significant number of widgets, analytics, and social sharing tools. This is especially the case with the second SBTDC blog site, which shares site user information with 20 other sites, 7 of which are common to the main university website pages, 3 of which are known tracker sites.