Yet another privacy violation has come to light — if you believe it.
The Electronic Frontier Foundation (EFF) charged on Wednesday that Granicus, an email vendor used by over 4,000 federal, state and local agencies, is tracking opens and clicks through pixels and link shims and exposing this unencrypted data.
This is based on a test that may or may not be accurate.
The EFF studied tracking done for the 1600 Daily email newsletter last October. The White House has since shifted platforms from GovDelivery, which merged with Granicus in 2016, so this may be a little out of date.
What did the EFF find?
“The emails we looked at, sent to subscribers of the Whitehouse.gov email list in October 2018, happen to be an exemplary case study of everything wrong with the email tracking landscape, from unintentional and intentional privacy leaks to a failure to adhere to basic security standards,” it writes.
That’s a broad indictment.
The EFF adds: “It’s frustrating enough that the government has been using a third-party service to surreptitiously monitor who opens emails they send, what they click on, when, and from where.”
It continues: “What’s worse, in several of the emails we looked at, the tracking is performed over an unencrypted connection using HTTP. This means that all the requests made to Granicus are legible to anyone who could eavesdrop on your connection.”
First, let’s try to de-politicize this. The relationship with Granicus, or govDelivery, pre-dated Donald Trump’s arrival in the White House, so there’s no hint that Trump is sitting in the Oval Office singlehandedly scanning millions of email addresses to determine who is loyal based on readership patterns.
Second, there is nothing unusual about tracking of email metrics, especially when it comes to fundraising and newsletter opens.
But the EFF has raised the issue. “Every time I open this email, my device sends Granicus my email address and a unique identifier for the email that I opened. Granicus knows exactly who I am, which email I’m reading, and when I opened it — and potentially, so might a network observer,” the author writes.
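The mechanism described in the two quotes above (a request that carries the subscriber's address and a message identifier, readable by anyone on the path when the URL is plain HTTP) is straightforward to audit on one's own mailings. The script below is an added example, not code from the article, the EFF or Granicus: it scans an HTML message for open-tracking pixels and click-tracking link shims, extracts the identifying parameters they carry, and reports which of them travel in the clear. The domain tracker.example.com, the parameter names and the sample message are constructed placeholders.

```python
"""Audit an HTML email body for open/click tracking that leaks identifiers.

Added example (not from the article or from any vendor): finds <img> beacons
and <a> redirect shims, pulls out per-recipient identifiers from their query
strings, and flags the ones fetched over plain HTTP, i.e. what a network
observer on the recipient's connection could read.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query-string keys that often carry a per-recipient identifier. These names
# are assumptions for illustration; real senders use many variants.
IDENTIFYING_KEYS = {"email", "e", "uid", "subscriber", "recipient", "id", "mid"}


class _Collector(HTMLParser):
    """Collect <img> attributes and <a href> values from the message."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _is_pixel(attrs):
    """A 1x1 (or hidden) image is the classic open-tracking beacon."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") and h in ("0", "1")) or "display:none" in style


def _identifiers(url):
    """Return the identifying query parameters present in a URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items() if k.lower() in IDENTIFYING_KEYS}


def _finding(kind, url, ids):
    scheme = urlsplit(url).scheme.lower()
    return {
        "kind": kind,
        "url": url,
        "scheme": scheme,
        "identifiers": ids,
        # Over plain HTTP the whole URL, identifiers included, crosses the
        # network unencrypted; over HTTPS only the host name is observable.
        "exposed_to_network": scheme == "http",
    }


def audit_email(html):
    """Return one finding dict per tracking element found in the message."""
    c = _Collector()
    c.feed(html)
    findings = []
    for attrs in c.images:
        ids = _identifiers(attrs["src"])
        if _is_pixel(attrs) or ids:
            findings.append(_finding("open-tracking pixel", attrs["src"], ids))
    for href in c.links:
        ids = _identifiers(href)
        # A link shim is a redirector carrying tracking parameters instead of
        # pointing straight at the destination; a recipient identifier in the
        # query string is the signal used here.
        if ids:
            findings.append(_finding("click-tracking link shim", href, ids))
    return findings


# Constructed sample message; tracker.example.com and its parameters are
# placeholders, not anything the article attributes to a real vendor.
SAMPLE_EMAIL = """
<html><body>
<p>Today's headlines.</p>
<a href="http://tracker.example.com/click?email=jane%40example.org&amp;mid=1600-0423&amp;url=https%3A%2F%2Fagency.example.gov%2Fnews">Read more</a>
<a href="https://agency.example.gov/contact">Contact us</a>
<img src="http://tracker.example.com/open?email=jane%40example.org&amp;mid=1600-0423" width="1" height="1" alt="">
<img src="https://agency.example.gov/logo.png" width="200" height="50" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_email(SAMPLE_EMAIL):
        flag = "CLEARTEXT" if f["exposed_to_network"] else "encrypted"
        print(f"{f['kind']:<26} {flag:<10} {f['identifiers']}  {f['url']}")
```

Switching the tracker URLs to HTTPS makes `exposed_to_network` false for every finding but leaves the findings themselves in place, which mirrors the two separate complaints in the article: encryption addresses the eavesdropper, not the fact that the vendor learns who opened what and when.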
The EFF notes that Granicus continues to be used by the Department of Veterans Affairs' My HealtheVet newsletter, the Social Security Administration and HealthCare.gov Alerts.
Granicus had not yet responded to a MediaPost query at deadline. However, Bob Ainsbury, its chief product officer, wrote to the EFF that “the private information of both Granicus govDelivery users and govDelivery subscribers is secure. Any claim to the contrary is a very serious allegation and completely inaccurate.”
He added that the firm utilizes FedRAMP, a standard that requires encryption of all traffic, that it conducts an annual penetration review and is compliant with the GDPR.