This article is more than 1 year old

Tracking cookies found in more than half of G20 government websites

Sorry, conspiracy theorists, it's more likely sloppy webdev work rather than spying

We expect a certain amount of cookie-based tracking on retail websites and social networks, but in some countries up to 90 percent of government sites have implemented trackers – and serve them seemingly without user consent. 

A study by IMDEA, a research facility in Madrid, Spain, evaluated more than 118,000 URLs of 5,500 government websites – think .gov,,, etc. – hosted in the twenty largest global economies (the G20) and discovered a surprising tracking cookie problem, even among countries party to Europe's GDPR and those with their own data privacy regulations.

On average, the study found, more than half of cookies created on G20 government websites were third-party cookies, meaning they were created by outside entities typically to collect information on the user. While the proportion of cookies issued by third-party trackers ought to be zero on a government web site, some (in Russia for example) had as many as 90 percent of the cookies come from known third-party cookies or trackers.

IMDEA explained the ramifications of tracking cookies on government websites beyond regulation violations. "First, it breaks the trust between citizens and authorities. Second, it allows for large-scale surveillance, monitoring and tracking. If this takes place from third parties it is worrisome as it shows bad website design that relies on external entities that can monitor interactions [between] the public [and] the government," the IMDEA team wrote in their paper. 

"It seems that despite great efforts to promote regulations like GDPR, governmental sites themselves are not yet clear of tracking practices targeted by such regulations," the report concluded.

In addition to focusing on government agency websites, the study also put international organizations and COVID-19-related websites under the lens, finding that over 90 percent of such sites hosted tracking cookies, with just over 60 percent from third parties. 

Who put those cookies in easy reach?

The natural conclusion might be to suspect a spying government, but the study concluded that third-party tracking cookies are generally the product of careless webmastery.

"Many of these trackers are added because many government sites include links to social networks such as Facebook and LinkedIn and link videos hosted on YouTube or Vimeo," IMDEA said. Additional trackers can come from analytics tools and the use of web code libraries, which the study said can also act like trackers. 

Tracking cookie data varies wildly from nation to nation, but the existence of cookies on government websites doesn't: even among the nations with the fewest cookies – Japan and India – nearly 80 percent of government sites served cookies.

Third-party and tracking cookies are worst in Russia, where more than 90 percent of sites contain one or both. Mexico, China and Indonesia follow, with some 70 percent of their websites containing third party and/or tracking cookies.

In the US, slightly less than 60 percent of government sites contain such cookies, and the UK is only better by a few points. Canada actually fares worse than the US, but only by a few percentage points. Australia fares slightly better, with slightly less than 50 percent of its government sites serving problematic cookies.

Those in Germany are the safest, where less than 30 percent of government websites contain third party or tracking cookies. India, South Korea and Argentina follow, with less than 40 percent of their sites containing cookies.

Website designers and contractors working for governments across the G20 "need to take extra care to avoid including plugins for social media, commercial video portals, publishers and avoiding links that download content from such websites," as well as avoiding software and libraries known to leak private information. 

Third-party tracking cookies have become a common target for privacy advocates in recent years. Mozilla has taken steps to kill third-party cookies in Firefox, for example, and the privacy-minded Brave browser has done similar.

Google also announced plans to break third-party cookies in Chrome, but has pushed the date back until 2023 and may not end up following through in the way it initially promised. ®

More about


Send us news

Other stories you might like