Participating in the Safer Internet Day (SID) program, the Bavarian State Office for Data Protection Supervision reviewed websites with a wide reach and examined the security of user accounts and the use of tracking tools. Although some of the most prominent Internet services were reviewed, the results are sobering from a data protection point of view.
Photo credit: sdecoret – fotolia.com
The data protection audit initially focused on the security of user accounts of the relevant services, in particular examining how website operators handle their users’ passwords. Various types of online services were examined, including streaming and video portals, email services, electronics shops, photo services, health and cosmetics websites, furniture stores, fashion stores, price comparison sites, and social networks. 22 items were examined with regard to registration and 17 in connection with login.
The Bavarian State Office for Data Protection Supervision found that none of these services took sufficient measures to require strong passwords from users. For example, very weak passwords such as “123456,” “Password,” or even “0000” were frequently possible. Only a few of the services offered additional security measures and assistance to protect accounts. The Bavarian State Office for Data Protection Supervision announced that it will follow up on the shortcomings at the companies by written procedure or on site.
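The minimum requirement the audit found missing is a server-side check that rejects trivial passwords before an account is created. The following is an added example and not code from the audit or from any of the services reviewed; the blocklist and thresholds are constructed for illustration, and a real deployment would use a large breached-password list rather than the handful of entries shown here.

```python
"""Server-side password policy check illustrating the kind of minimum
requirement the audit found missing.

Constructed example: COMMON_PASSWORDS is a small illustrative sample,
not a real breached-password corpus, and MIN_LENGTH is an assumed policy value.
"""

import unicodedata

# Constructed sample of frequently chosen passwords (compared case-insensitively).
COMMON_PASSWORDS = {
    "123456", "password", "0000", "qwerty", "111111", "12345678", "abc123",
}

MIN_LENGTH = 8    # assumed policy value
MAX_LENGTH = 128  # upper bound so hashing cost stays predictable


def _is_sequential(s: str) -> bool:
    """True for runs such as '123456' or 'abcdef' (every step +1 or every step -1)."""
    if len(s) < 3:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    # Normalise so visually identical Unicode forms are judged the same way.
    pw = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")
    if _is_sequential(pw):
        problems.append("sequential characters")
    return problems


def is_acceptable(candidate: str) -> bool:
    """Convenience wrapper for registration and password-change handlers."""
    return not check_password(candidate)


if __name__ == "__main__":
    # The three passwords named in the audit all fail, a long passphrase passes.
    for sample in ("123456", "Password", "0000", "correct horse battery staple"):
        print(repr(sample), "->", check_password(sample) or "accepted")
```

The check deliberately does not demand specific character classes; length plus a blocklist of known-bad choices rejects the weak values the audit found while leaving room for long passphrases, and returning every violation at once lets the registration form explain the rejection to the user.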
In addition, the Bavarian State Office for Data Protection Supervision found that only one of the forty websites offered the option of preventing profiling on the basis of users’ browser settings (results on profiling on page 26 of the results paper).
Thomas Kranig, President of the Bavarian State Office for Data Protection Supervision, commented on the sobering findings as follows:
“The result of this data protection check was significantly worse than that of the cyber security check: all of the examined websites committed data protection infringements in the use of tracking tools. Our audit will have impacts on the relevant companies. We have decided to remedy these deficiencies and to evaluate the initiation of fine proceedings. We expect large companies in particular to be in a position to comply with statutory requirements.”
Recommendation for action:
We strongly recommend that websites be checked for data protection compliance, in particular with respect to the use of tracking tools and obtaining consent. Even though the Bavarian State Office for Data Protection Supervision is currently focusing on well-known website operators, all companies may be subject to a data protection audit.
Link to the results paper of the Bavarian State Office for Data Protection Supervision: