About 92% of major news websites in the United States, Canada, the United Kingdom and Germany have active, externally loaded ad trackers that send readers behavioral data across international borders -- mostly to Russia, according to a recent report.
This poses information security and compliance problems, and puts these companies at a higher risk of user data breaches or data misuse.
One reason is that news sites tend to use twice as many externally controlled scripts and tools compared with other industries monitored. Many of the media sites are not aware of the trackers.
“Google is doing some interesting things to help make the browsing experience safer, but the nature of how advertising and marketing technologies are created can open potential risks,” said Ivan Tsarynny, CEO at Feroot, which has technology that detects personal data collection based on what occurs in web browsers.
It appears that the companies transferring data to Russia are more interested in behavioral data and the types of topics that news site visitors read to more accurately target ads, Tsarynny said. He acknowledges that there is no real way to tell exactly why the data is being collected or whether it is being misused.
Tsarynny can tell that behavioral data is being transferred from news media organizations in the United States to specific companies in Russia.
“I assume the data is being used for commercial purposes to profile and serve better and more personalized ads,” he said. “It would be impossible to know what happens to the data and how it’s used after it’s collected.”
Feroot's research found 274,677 unique web trackers and 64,035 pieces of data transferred across borders on the 1.1 million web pages of 365 websites worldwide, which were scanned from April 19 through May 31, 2019.
On average, 40 third-party web-tracking tools and five cross-border data transfers are constantly active on major news websites.
The report -- which analyzes the risks -- covered 13 industries, including government agencies. It aimed to identify the automated collection of personal data and cross-border data transfers on public websites and web apps from anonymous users or customers.
Data-collection practices of web-tracking tools across industries were analyzed, along with the impact of third- and hidden fourth-party tools and behavioral tracking activities based on many regulatory and security standards that impact daily business operations.
Tsarynny was surprised by the number of third-party tools, and by the fact that the ad trackers often have a clear view of user passwords, credit card information and data once the person logs into the website.
About 97% of websites use third-party tools. These tools are more susceptible to hackers. Some 21 third-party tools active on the average website remain unmonitored, leaving them able to skim sensitive data such as user credentials and credit card information.
Identifiable user data can be collected and sold before visitors accept or reject cookies. This is what led to data breaches at Ticketmaster, Forbes, Feedify and others, per the report.
“Rather than hack the company’s website, hackers hacked the chatbot supporting Ticketmaster to gain credit card and other personal information before it gets encrypted,” he said. “The chatbot is controlled by an external company. A few lines of code get injected into the chatbot, where the credit card information is kept. Forbes is another example.”