
RKN: Using analytics can lead to site blocking.

Incorrect use of the Google Analytics and Yandex.Metrica analytics services may result in access to a site being restricted, Roskomnadzor said.

On December 19, the Tagansky Court of Moscow, ruling on the suit of Roskomnadzor against the French domain registrar Gandi SAS, ordered the "collective voting" site 2019.vote to be blocked. Earlier, on December 14, a decision was published to add the site to the register of personal data (PD) violators as an interim measure on the claim, and from December 7 providers began restricting access to the site:
The representative of Roskomnadzor explained that at the end of November complaints about the site were received from several unnamed citizens, who complained about the illegal processing of their data on the "smart voting" page. After that, employees of the department conducted their own audit, which confirmed the existence of violations of the law on personal data: the form for collecting data on the Navalny website did not meet the criteria specified in the law, and besides, there was no prescribed privacy policy on the resource. Ampelonsky also added that user data is stored on foreign servers, which is against the law.

At the hearing on December 19, the plaintiff cited, as one of its arguments, the fact that the site uses the Google Analytics and Yandex.Metrica analytics systems in violation of the Personal Data Act and of their Terms of Use. Photographs of the site's HTML code in the Opera browser were given as evidence. The agency confirmed this today in an official press release on its website:
We are talking about the requirements of the Federal Personal Data Act and the GoogleAnalytics Terms of Use, which require the site administration, when collecting personal information about visitors to the site, to notify them about the data collection, obtain consent to its processing and post a document regulating the privacy policy.

However, these requirements were not met by the administrator of the site 2019.vote.
Thus, the matter was not about claims by Roskomnadzor against the metric programs of Google and OOO Yandex, but about the failure of the administrator of the site 2019.vote to fulfil the requirements of the GoogleAnalytics and Yandex.Metrica programs specified in their Terms of Use.

In this connection, the Tagansky District Court of Moscow decided, for non-compliance including the above requirements, to restrict access to the site until the violations are remedied.
Unfortunately, the press release did not specify which categories of "personal data" analytics services collect. Moreover, the official RKN site contains clarifications saying that a name, phone number or e-mail address on its own may not be personal data at all, while counters collect even less sensitive data such as IP addresses (which do not give a complete picture of a person). For example, a full name is not considered PD:
3. Question: Is the processing of personal data the placement of the last name, first name and patronymic without any additional information?

Answer: Placing on the pages of sites on the Internet the last name, first name and patronymic without additional information that allows identifying an individual as a subject of personal data cannot indicate the processing of personal data of a specific individual.
From the RKN's point of view, a phone number is not PD either:
Question: Is making phone calls to conduct telephone surveys of citizens the processing of personal data?

Answer: According to Art. 3 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", personal data is any information relating to a directly or indirectly identified or identifiable individual (subject of personal data). The subscriber number (telephone number) is the number (set of numeric characters) allocated to the subscriber when entering into an agreement on the provision of telephone services. This number is used to identify the end user equipment in the communication network when subscriber devices are connected to it, which means that a telephone number without indication of its owner is not information on the basis of which this person (personal data subject) can be uniquely identified, and its use may not imply the processing of the personal data of its owner.
An e-mail address is also not considered PD:
For example, a photo, name, phone number and e-mail address together allow you to identify a person quite accurately. A photo and the name "Olya" cannot be considered personal data, nor can a single e-mail address or telephone number. It is the aggregate of data that matters.
Unfortunately, many sites that use analytics services neither notify visitors nor obtain their consent to data collection. To avoid blocking, such sites should urgently take measures to remedy the situation. For example, if you open the source code of the site "Server of state authorities of the Russian Federation", gov.ru, you can see that "Google Analytics" and "Yandex.Metrica" are in use, while no warning about data collection is displayed and the user's consent to data collection is not requested.

There is no question of consent to data collection on the website of the United Russia party either, where the "LiveInternet", "Yandex.Metrica", "Facebook Pixel" (2 copies) and "Rambler Top 100" services are installed. Nor is there any on the Vesti.ru website, which hosts a whole pleiad of counters: Piwik, Adblockmetrics, Rating@Mail.ru, Yandex.Metrica, LiveInternet, Google Analytics, as well as the "AdFox" and "1banner" ad networks. Their colleagues from the "first" channel are not lagging behind the "second": their website carries "undeclared" LiveInternet, Yandex.Metrica and Google Analytics counters, and widgets from Facebook, VK, Odnoklassniki and Twitter, which also collect analytics.

It is worth noting that full-fledged blocking of the site on the territory of the Russian Federation has not yet been achieved. According to some users, the site is reachable from their providers when Google's 8.8.8.8 DNS server is used. Judging by the records (from 4.12 and from 14.12) on the Roskomsvoboda website, the site has already changed more than 330 IP addresses, and as collateral damage access could be restricted, by estimates, to 362 domains.

Habr users who use analytics services are advised to check whether the regulator's requirements are met on their sites.

Addition: A. Litreev found a discrepancy with the requirements on the State Duma website, in addition to those mentioned in the article. He also discovered that the State Duma website has a feedback form that collects user data. On this occasion he wrote an appeal to Roskomnadzor.

Supplement. According to a Habrahabr user, the Sberbank site may also not meet the RKN's requirements. If you open www.sberbank.ru with the developer tools open on the Network tab, you can see many calls to analytics systems: "RetailRocket" (a script with the telling name tracking.js), "RuTarget", "Google Analytics", "Google Adsense", "Yandex.Metrica" (about 8 counters with different ids), Facebook scripts, "Artfut.com", "Doubleclick", "Top Mail.ru". Recall that the RKN has long had claims against the foreign companies Google and Facebook; in addition, the United States is investigating the latter over the transfer of user data to third parties.

The Sberbank website also contains a "retargeting" script from Vkontakte. This script tells Vkontakte that a user of the social network has visited the Sberbank site; it can be used to display more relevant advertising and also allows Sberbank to "explore the audience that visits the site." How this system works is described in the documentation on the social network's site. It states that:

The VKontakte retargeting pixel is JavaScript code that is inserted into the source code of a site and allows you to track all its visitors: as soon as a person visits the site, the retargeting pixel automatically records them.

If these opportunities are not enough, Vkontakte offers more accurate methods for targeting advertisements to specific users:

When retargeting by file, a pre-prepared list is uploaded, consisting of the phone numbers, email addresses and/or identifiers (IDs) of the VK pages of the users you need. If you have a mobile app, you can also upload a list of mobile device identifiers: Apple advertising IDs (IDFA) and Android/Google advertising IDs (GAID).

After uploading the file to the server, all data from it will be processed and compared with the user base of VKontakte.

...

None of the users in the file list will know that they have been added to a retargeting audience, and we will never contact them in any way without your participation.

With all this, the Sberbank site neither shows the user a warning that information about them is being collected nor asks for their consent. There is only a warning about the use of cookies, and it says nothing about the transfer of data to third parties.

The bank and the social network should double-check that the retargeting mechanism complies with current legislation in order to avoid blocking of their services.

Addition: according to users, on the page with the press release on the RKN site, an analytics script from the Sputnik company, a counterpart of Yandex.Metrica, was also found. Also, the RKN site carries a script that checks the user's computer for the presence of traffic-analysis programs such as Fiddler. Here is an excerpt of the code that detects this tool:

    // excerpt: t is a page element whose load is pointed at the local Fiddler port;
    // e is the timestamp taken before the request, f the timeout threshold in ms
    t.src = "http://127.0.0.1:8888/FiddlerRoot.cer",
    t.onerror = function() {
        if ((new Date).getTime() - e < f) {
            var t = "Tool: Fiddler; Open Port: 8888";

In addition to Fiddler, the script checks for the presence of acunetix, beef, burp, zap, netsparker, sleepypuppy, sonar, xbackdoor, xenotix, dominator and littleDoctor, and for the use of the Casper.js or Phantom.js utilities. At the time of publication, the site does not request the user's consent to conduct the scan or to transmit data to the Sputnik company.
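The article twice suggests checking a site by hand: reading its source for counters (the gov.ru, United Russia and Vesti examples) and watching the Network tab for analytics calls (the Sberbank example), and it then shows a script on the RKN site that probes the visitor's own machine. The following is an added example, not code from Habr, Roskomnadzor or any site mentioned here, that does the same audit statically over a saved page: it lists every script host the page would contact, labels the counters it recognises, and flags any URL that points at the visitor's localhost. The tracker host list and the sample page are constructed assumptions; extend the list with the counters your own site is permitted to load.

```python
"""Static audit of a page's HTML for third-party analytics loaders and for
scripts that probe the visitor's own machine (localhost URLs).

Added example for the article; the tracker host list and the sample page
are constructed assumptions, not data taken from any real site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: public loader hostnames of a few well-known counters (illustrative,
# not exhaustive).  Matching is exact on the hostname.
KNOWN_TRACKERS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "mc.yandex.ru": "Yandex.Metrica",
    "connect.facebook.net": "Facebook Pixel",
    "counter.yadro.ru": "LiveInternet",
    "vk.com": "VK retargeting pixel",
}

# Hosts that point back at the visitor's own machine.  A page has no business
# requesting these; the Fiddler check quoted above does exactly that.
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}

# Absolute http(s) URLs embedded in inline script text.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []    # src attribute values
        self.inline = []      # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_html(html, site_host):
    """Classify every script URL the page would load.

    Returns a dict with:
      trackers         - labels of recognised analytics counters
      third_party      - all non-first-party hostnames referenced by scripts
      localhost_probes - URLs that target the visitor's own machine
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()

    urls = list(parser.external)
    for body in parser.inline:
        urls.extend(URL_RE.findall(body))

    trackers, third_party, probes = set(), set(), []
    for url in urls:
        host = urlparse(url).hostname       # None for relative paths
        if host is None or host == site_host:
            continue                        # first-party resource
        if host in LOCAL_HOSTS:
            probes.append(url)
            continue
        third_party.add(host)
        if host in KNOWN_TRACKERS:
            trackers.add(KNOWN_TRACKERS[host])
    return {"trackers": trackers, "third_party": third_party,
            "localhost_probes": probes}


# Constructed sample page: one first-party script, two external counters and an
# inline block that loads a third counter and probes a local proxy port.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  (function (d, s, src) { var k = d.createElement(s); k.src = src; d.head.appendChild(k); })
  (document, "script", "https://mc.yandex.ru/metrika/tag.js");
  var t = new Image();
  t.src = "http://127.0.0.1:8888/FiddlerRoot.cer";
</script>
<script src="//counter.yadro.ru/hit?r"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML, "example.org")
    for key, value in report.items():
        print(f"{key}: {sorted(value)}")
```

Run it against the HTML you save from your own site (for example `curl -s https://your-site/ > page.html` and then feed the file to audit_html). Anything in "trackers" or "third_party" is a party your privacy policy and consent notice must cover; anything in "localhost_probes" is behaviour a visitor was never asked about. The scan is static, so counters injected later by tag managers will only show up as the tag manager's own host; the Network tab remains the way to see those.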


Update: the Tagansky Court has published its decision on the case. From it you can learn many new things, in particular:

However, according to whois sources, it has been established that the provision of computing power for hosting databases containing personal data of citizens of the Russian Federation, through which the recording, systematization, accumulation, storage, refinement (updating, changing) and extraction of personal data of citizens of the Russian Federation is carried out, permanently connected to the Internet ... is carried out through the server facilities of Cloudflare, Inc., located in the United States of America


From this we can draw the following conclusions:

- the court recognised the address of the company's office given in whois as the location of the server with this IP
- by whois, one can supposedly determine the geographical location of the site's database

Note that according to whois, the United Russia site also uses Cloudflare, so it turns out that it risks being blocked as well.

The court also addressed the use of analytics:

The representative of the plaintiff also notes that the respondent and third parties use the Google Analytics and Yandex Metrika services, designed to measure website traffic and analyse user behaviour; their servers are also located in the United States, and the use of these services is an activity of collecting and processing personal data. The privacy policy of the Internet resource 2019.vote contains no information on the use of these services in the processing of personal data, which is also a violation of Federal Law No. 152.


This paragraph cannot be read in any other way: the use of analytics is a collection of personal data. Recall that analytics is used on a huge number of sites, including those of United Russia, Channel One and "Vesti".

Habr users are recommended to study the court's decision in order to check whether their sites contradict it.

Source: https://habr.com/ru/post/433714/
