Police Website Privacy Concerns

The new asklistenrespect.co.uk website is supposed to be anonymous. It contains tracking code from an advertising company. That isn't anonymous. Posted 28 March 2013

The States of Jersey Police have a new website asklistenrespect.co.uk. It purports to have an “Anonymous report form” for rape victims and witnesses to use for reporting attacks. This is a very serious issue and I am pleased to see them confronting it, obviously.

I think that victims of sexual assault need to be able to trust that anonymous really means anonymous, not something else. If we met on the street and I told you “The police may be leaking rape victim’s data to an advertising company in America” you would think I was talking crazy. Read on.

I first heard of the website through Jersey Police’s Twitter feed 15 March. I clicked the link, saw the report form, and then looked at the page source code out of habit. (Hit Ctrl + U on any website in Firefox or Chrome, or look for ‘View Source’ menu option in most browsers.)

I can tell you I was very surprised to see that they are using third-party scripts from an advertising company to track visitors to that page. Since the advertising company is Google, visitors that have Google accounts can easily be identified. This is not my definition of anonymous, and it probably isn’t yours either. A summary of some concerns with Google Analytics are on the Wikipedia page describing it.

I replied, asking them about the tracking code, but my reply was ignored. For me, using Twitter to interact with the police reminds me of the scene from 2001: A Space Odyssey. Me: “Open the pod bay doors HAL.” - JerseyPolice: “I’m sorry, Dave. I’m afraid I can’t do that.”

At least Dave got a reply eventually. I waited a few days to see if the police would remove the tracking code voluntarily. When they failed to, I sent a follow up email a week ago. Still no reply.

I’m writing about your new Ask.Listen.Respect. website at http://www.asklistenrespect.co.uk/
The site looks great and I am pleased to see this important message being highlighted.
I have one technical concern about your use of a third-party tracking script, particularly on your ‘Report anonymously’ page.
Are you aware that this script is running on all your pages? I’ll copy it below so there is no confusion about what I refer to:
<code redacted>
You, or a website developer acting on your behalf, added this tracking code to your website. It sends very detailed visitor data to Google, and is contradictory to the “Anonymous Report Form” stated in your page title.
It is really important that rape victims are able to trust in the security of your website’s code, and that their data not be shared with third-party advertising companies.
Google Analytics is an interesting service but I think it is a bad idea to use it on this particular website. There are a number of ways to track visits without using third-party services.
Perhaps this went unnoticed until now? A simple oversight? I’d like to know if this tracking code is something you plan to keep or remove. Please reply to this email once you have made a decision.
Kind regards,
Tom Brossman

So, after being ignored for two entire weeks, and with that tracking code still present on the “anonymous” reporting page, I think the responsible thing to do is to publicly disclose the issue and let you decide for yourselves if this is important. You can’t have third-party tracking code running on your website and tell visitors they are anonymous. It simply isn’t true, especially for those of us with Google accounts.

If you are concerned about being tracked online there are a number of good resources out there to learn more. The EFF’s Surveillance Self-Defense website has good information. I use and recommend Firefox with the NoScript Add-on, but it’s not for everybody. It blocks all scripts by default, and you have to “white-list” sites you wish to allow.

Free and open-source analytic programs already exist, such as Piwik, which I use on this site. It isn’t necessary to share visitor data with an advertising company just to get statistics about visitors. I hope that whoever is responsible for asklistenrespect.co.uk sees this post and can address these serious privacy concerns. I’ll be happy to update this post if and when the advertiser’s tracking code is removed.

Edit: Some (but not all) of the Google tracking code was removed yesterday, 2nd April, immediately after a BBC radio Jersey reporter contacted both myself and the States of Jersey Police about this.

@tombrossman Emailed you RE one of your articles! Thank you. I'm on the newsroom number 01534 837 260. Harriet Bradshaw, BBC Radio Jersey

— Harriet Bradshaw (@BradshawHarriet) April 2, 2013