The National Cyber Security Alliance’s Data Privacy Day Honeypot on StaySafeOnline.org

Posted on Jan 27, 2020 by Chris Miller

I was preparing to do something for Data Privacy Day on January 28th, when I discovered something truly alarming…

This year, and every year since 2007, Data Privacy Day is sponsored by the “National Cyber Security Alliance”, or NCSA for short. The NCSA took over the “Stay Safe Online” website from Microsoft sometime in 2005 and heavily promotes its Data Privacy Day page each year.

The Stay Safe Online website features a tool to “help people” check the privacy settings for a variety of popular websites and services across a range of categories. The problem is that the NCSA website has a Hotjar tracking script on every page.

What is Hotjar?

Hotjar is a “behavior analytics” company that offers click, move and scroll heatmaps as well as full-blown visitor recordings (a recreation of a person’s viewing session, showing where and when they scrolled, where they moved their mouse, what they hovered over – EVERYTHING they did on the website).

Someone using this tool on the Stay Safe Online website to “update their privacy settings”, would actually be helping Hotjar build a profile of information about themselves, including the sites they shop on, the email service they use, the type of mobile device they have, how they listen to music, share photos and videos, the ride share services they use, their favorite search engines, social networks, web browsers and more.

Here is an archive of the page, so you can view it without Hotjar tracking you: http://archive.is/fp4Br

Here is the link to the original live “Update your privacy settings” page (Disclaimer: click at your own risk – this page WILL track you!)
https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/

Hotjar Tracking Script on Every Page

The StaySafeOnline website uses WordPress as its CMS, and the Hotjar tracking script appears to be placed in the footer template of their WordPress theme, so it is not unique to the “Update your privacy settings” page. Hotjar is tracking your behavior on every single page of the “Stay Safe Online” website. While the use of these behavioral analysis tools is especially dangerous on that page, a website claiming to help people protect their privacy should not be tracking and analyzing user behavior in any capacity, and certainly not to the extent made possible by tools like Hotjar.

Here is the code as seen in the source code of their website:

<script>
(function(h,o,t,j,a,r){
h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
h._hjSettings={hjid:1038682,hjsv:6};
a=o.getElementsByTagName('head')[0];
r=o.createElement('script');r.async=1;
r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
a.appendChild(r);
})(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');
</script>

What is Hotjar?

In their own words: “Behavior analytics made easy.”  They help people visualize their users’ behavior with tools such as:

  • Click, move & scroll heatmaps
    Understand what users want, care about and do on your site by visually representing their clicks, taps and scrolling behavior
  • Visitor recordings
    See what your users see – eliminate guesswork with Recordings of real visitor behavior on your site. By seeing your visitor’s clicks, taps and mouse movements…

Source: https://www.hotjar.com/tour/

Hotjar mentioned in their privacy policy

In the Stay Safe Online Privacy Policy page, they state:

We also use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device’s IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

AddThis Script on Every Page

To make matters worse, the NCSA has also allowed the infamous “AddThis Button” script on every page. According to the AddThis website, “AddThis offers unparalleled insight into the interests and behaviors of over 1.9 billion web visitors.”

Here is the code as seen in the source code of their website:
<!-- AddThis Button -->
<script>var addthis_config = {"data_track_addressbar":false};</script>
<script src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-51c770552f90ce31">
</script>

According to their website, AddThis collects:

  • unique IDs such as a cookie ID on your browser;
  • IP addresses and information derived from IP addresses, such as geographic location;
  • information about your device, such as browser, device type, operating system, the presence or use of ‘apps’, screen resolution, or the preferred language;
  • the date and time you visited a Publisher Site or you used the AddThis Toolbar;
  • the referring URL and the web search you used to locate and navigate to a Publisher Site;

AddThis uses this information for many reasons, including:

  • (b) to enable AddThis Publishers and Oracle Marketing & Data Cloud customers and partners to market products and services to you;
  • (d) to link browsers and apps across devices;
  • (e) to sync unique identifiers;

Also:

“We may share or sell AddThis Data with the following third parties for a commercial purpose:  Oracle Marketing & Data Cloud customers and partners, including digital marketers, ad agencies, web publishers, demand side platforms, data management platforms, supply-side platforms and social media networks.”

As well as:

“To respond to government requests, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes.”

Source: http://www-uat.addthis.com/privacy/

The unscrupulous nature of AddThis is well documented in internet history.  As detailed in this ProPublica article, AddThis also got caught using advanced canvas fingerprinting techniques back in 2014.

The point should be clear – AddThis should not be on any website claiming to help people protect their privacy.  The strangest thing is this – I can’t find where they are using the AddThis social media icons, which is supposed to be the point of the script.  I see icons, but the icons aren’t using AddThis.  There is also no reference to it in their privacy policy – it seems possible that they don’t even realize it is on their website, which is grossly irresponsible at best.

Who is the NCSA?

The National Cyber Security Alliance (NCSA) is a unique partnership among the Federal government, leading private-sector companies, trade associations and educational organizations.

Source: http://www.oecd.org/sti/ieconomy/35488934.pdf

Let’s first look at their board members, which include people from:

  • Raytheon – a US Defense contractor, which also owns Raytheon Intelligence, Information and Services which specializes in intelligence, surveillance and reconnaissance; advanced cybersecurity solutions and information-based solutions for homeland security.
  • Comcast
  • Facebook
  • Uber (now that rideshare section makes more sense)
  • Eli Lilly (a pharmaceutical company)
  • ADP Payroll Services
  • American Express
  • Mastercard
  • Bank of America
  • U.S. Bank

The Executive Director of the NCSA is Kelvin Coleman, who spent 2 decades working for the White House and U.S. Department of Homeland Security in addition to the private sector.

“He has collaborated and worked closely with a variety of top government agencies, including the Central Intelligence Agency, Federal Bureau of Investigation, Department of Defense, National Defense Information Sharing and Analysis Center, National Security Agency and internally with the Department of Homeland Security’s Office of Cybersecurity and Communications.

He has also worked on the President’s National Security Telecommunications Advisory Committee during portions of George W. Bush and Barack Obama administrations. In the early stages of Obama’s first term, Coleman served as a member of the White House National Security Staff, coordinating cybersecurity policy with the intelligence community as well as state, local, international and private-sector organizations.”

Source: https://staysafeonline.org/about/staff/

We reached out to the NCSA and Stay Safe Online for comment and will update this article with any responses we receive.

This website certainly seems legit, and is presented as a useful non-profit website dedicated to helping you protect your privacy. However, a quick review of its source code reveals extremely powerful third-party tracking scripts capable of recording every mouse movement, scroll and click that you make. As we have said before – “Don’t Trust. Verify”.


2 Comments

  1. Ted

    Any updates on this?

    4 years ago
  2. Classie Comrie

    Thank you so much I needed to know this!

    4 years ago