Assessing discrepancies between network traffic and privacy policies of public sector web services

Timi Heino, Robin Carlsson, Sampsa Rauti, V. Leppänen
Published in: Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: 10.1145/3538969.3539003 (https://doi.org/10.1145/3538969.3539003)
Citation count: 3

Abstract

Online services are increasingly being used to complete everyday tasks, and ordinary users with very little technical knowledge have learned to use web services and applications. At the same time, many user applications are gradually moving from the traditional desktop environment to the web. Because of these developments, it is not surprising that user privacy has become a very important consideration when developing web services. In the current study, we assess the privacy of 34 web services provided and maintained by Finnish public sector bodies. We perform a network traffic analysis in order to find out what kind of personal data the studied services deliver to third-party analytics services. We then take a look at the privacy policy documents of these web services and gauge their transparency and clarity by comparing their contents to the actual network data sent out by the web services. Our findings reveal numerous inconsistencies between what is said about handling personal data in the analyzed privacy policies and the actual traffic of the studied web services. Another prominent finding is the sheer number of analytics services employed by the studied websites. We conclude that there is still an obvious need for web developers and public sector bodies to improve their awareness of existing privacy regulations and of the personal information their online services deliver to third parties. A lot of work also remains to be done in clearly and transparently communicating privacy-related matters to users.