Every time we go online, massive amounts of data are collected. So-called trackers collect and process this data. For example, our political views, our sexual preferences and our health status are stored. Our financial status is also extremely interesting for business, politics and intelligence services. Our recent survey of the use of data collectors (“trackers”) on websites in the financial services sector reveals a terrifying result: apart from a few exceptions, the analyzed providers seriously violate the rules of supervisory authorities. Anyone who wants to protect their data as intended by the legislature is lost.
Blunt sword: the German Teleservices Act
The German Teleservices Act is supposed to regulate the legal framework for electronic information and communication services in Germany. It includes, for example, the obligation for enterprises that collect profile data of website visitors to inform each visitor a) whether they collect data at all, b) for what purpose and c) to whom they transmit the data. In addition, the user has the right to object to the data storage (so-called “opt-out”) at any time, and this right must be implemented independently on the website. However, our analysis reveals that in practice the law turns out to be ineffective, with five major problems.
Problem 1: Hidden and complex
Website visitors must obtain the data protection information themselves. For this purpose, it is necessary to study the data protection regulations, which are hidden in the small print. These statements are usually several pages long. An example from the German website smava.de: the data protection agreement covers a total of 7 DIN A4 pages. A big chunk if you just want to compare credit terms quickly. In this case it is necessary to find the links to the opt-out pages of the data collectors and then switch them off. This inconvenient procedure is, in principle, a must when visiting any website; after all, new trackers must be switched off.
Problem 2: Data protection clarifications are often incomplete and outdated
The data protection clarifications only help against data collection if they are up to date. But this is not always the case, as we discovered in our analysis of financial websites. A particularly extreme case is interest-recycling.com. With 76 trackers on the homepage, the sheer number is surprisingly high. Even worse: in their data protection statement, the operators declare only three options. In this case, users do not have the option to block the trackers via opt-out.
Problem 3: Technical obstacles to the objection
Problem 4: Effect not verifiable
Let’s say there are surfers who really study the data protection rules and block trackers manually on every website visit. Whether this elaborate, unrealistic procedure works at all can hardly be verified. Our review of the German website commerzbank.de showed that Commerzbank even allows trackers into the sensitive online banking area. This is not only an immense risk to privacy but also a major security risk. After all, hackers could manipulate the program code that is loaded by the data collector in online banking.
Problem 5: Lack of supervision
No matter whether site providers offer completely outdated data protection regulations or even work without them entirely: the state does not seem to care. It is incomprehensible why supervisory authorities do not intervene in the case of highly frequented services that are obviously in breach of the German Teleservices Act. One reason could be that the data protection authorities do not take it seriously enough. In Bavaria, for example, there are 700,000 companies that collect personal data. There are 16 employees who handle and inspect compliance. In other federal states it looks similarly bad. The result: companies can afford to act carelessly when it comes to data protection.
Within this survey, we analyzed 10 of the most popular financial institutions at random. We found that each of them used at least two trackers. Two main lessons have emerged. First, data protection does not play a large role for many site providers. Second, the telemedia law simply does not work in practice. hacked.press also reported on our analysis.
New solutions have to be provided that allow surfers to protect themselves effectively from data gathering with a few clicks. As long as these solutions are not provided, the comprehensive protection of private data remains dependent on each individual, for example by using the eBlocker.
Connected to the home network, the eBlocker anonymizes the online behavior of all web-enabled devices in the network. It protects not only the computer but also tablets, smart TVs, game consoles and IoT devices, for which there are hardly any other options for protecting privacy.