You may have spotted news about period, fitness and weather apps sharing data about their users.

This is a bit darker, primarily because the victims are children, the perpetrator a charity and the tracking companies are once again household names.

Childline put ad tracking on their online help chat, whilst promising anonymity and confidentiality.

This tracking can often identify kids and included their activity on the site, posing three risks

  • Ad algorithms are supposed to match data collected with adverts likely to be clicked on.

    So, when a child visits pages about drug addiction and abuse at home, then joins a counsellor session, what adverts do you think the algorithms paired them with?

    Maybe just teddy bears or maybe alcohol and painkillers. This pairing doesn't even require the real identity of the child

  • These companies combined employ thousands of staff in the UK

    Whether they're kind people or not, their kids may not want their parents to have access to knowledge they're using Childline.

  • These companies have a history of information security failures, so how much of this data is likely sitting in servers ready to be leaked or already has

Who is affected?

All users of the site, including children seeking help from counsellors.

What was sent to the ad companies?

Their activity

The pages children visited, including those to chat with counsellors

Identity

The ad companies are well known to track users by cookies or even device identifiers (like IP addresses) that identify a device.

They may also hold advertising profiles they build up and potentially user accounts too.

But these identities are isolated from tracking Childline activity, until Childline adds their tracking software to their own site too.

Just in case they didn't already have identities, Childline's actions resulted in ad tracking cookies being set, allowing subsequent tracking off the Childline site.

The extent

I'm guessing most Childline pages were affected, so have a browse around the site and see how bad it might be.

These pages alone are enough to worry about

Why did Childline do this?

You'll have to ask Childline for a clear answer

At a guess...

The advertising companies offer a nasty bargain. You let them track your users and they'll give you useful data back about them.

Confused? Imagine a child browsing the web might be something like this:

  1. The ad company collects demographic data as a child visits other web sites (like Google does).
  2. Childline puts the ad companies' tracking on their site
  3. A thirteen year old girl from Wales visits childline's website to join a counsellor session
  4. The ad company tracks a visit has happened and also adds it to stats for Childline.
  5. Childline may get aggregated data, so this would be part of a report like 40% of users are under 18, 10% from Wales and 49% female
  6. The ad company then gets a visit soon after by that child from a site that shows its ads.
  7. Which ones do their algorithms pair up? Perhaps, a childline chat using, thirteen year girl, perform well wih Baracdi Breezer ads. (Sorry Barcadi, maybe they don't, just emphasising the potential here)

Then there's Youtube

Childline decided to reach children using Youtube and not just by having a channel on Youtube, but by integrating Youtube into the Childline site.

By default Youtube videos added to your own site track users

And Youtube is very obviously an advertiser and one that companies were boycotting because of other risks to children

Duck Duck Go (a growing alternative to Google Search) warn about privacy risks on their own site if you try watching a Youtube video.Try searching for Cats. This is a known problem with Youtube.

Video has been supported by default on the web for years without needing Youtube and Childline added Youtube's tracking to pages in their chat system that don't even show videos.

Childline's response

Within hours of contacting the NSPCC on the 26th Feb, about their Childline site including tracking, much of it was removed. Notably, this included Facebook and their terms of service advise that Chidline needed consent and shouldn't send data for under 13s.

However, Childline insist on keeping Youtube as it's "unavoidable" .. given they load tracking on pages that don't have video, that's a lie. Also, within hours you can start moving video on your own site to html5 video with self hosting files... it is really simple to do.

I've asked them repeatedly to tell the children affected by this. In order to keep their trust, the organisation has to be open and honest about failings, but this has not happened and hence I'm writing this blog post about it.

What does a request look like?

Here's an example of Youtube request. I've hidden my cookie values as the session ones may have security implications for my Youtube account

You may not understand the structure, but everything in the following block went to Youtube's server when I made a request and more (like IP address)

    
        GET /iframe_api HTTP/1.1
        Host: www.youtube.com
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
        Accept: */*
        Accept-Language: en-GB,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Referer: https://www.childline.org.uk/login/?returnPath=/get-support/1-2-1-counsellor-chat/chat-entry/
        Connection: keep-alive
        Cookie: SID=...; HSID=...; SSID=...; APISID=...; SAPISID=...; CONSENT=YES+GB.en+20160501-18-0; LOGIN_INFO=...; VISITOR_INFO1_LIVE=...; PREF=...; enabledapps.uploader=0; SIDCC=...
        DNT: 1
        Pragma: no-cache
        Cache-Control: no-cache
    

APISID is an interesting one https://cookiepedia.co.uk/cookies/APISID but I'm sure you can find out more about the others too.

Because those same cookies will be used when a user visits Youtube, Youtube can pair this web page visit with a user account.

What next?

If you're a child or know one who should know, then tell them not to trust their privacy is protected on Childline.

If you need Childline services, their phone line may protect privacy appropriately on 0800 1111

Tracking protection mechanisms in web browsers (including Privacy Badger) may reduce the amount of tracking that would be sent.

If you've used Childline and feel upset or angered, then please beware that Childline is not alone in this behaviour and it is common to breach users' privacy like this, although not usually with such sensitive data.