UK government websites discovered sending user data to controversial Chinese adtech vendor

Silent Push threat analysts have discovered 18 UK public organizations sharing data with a controversial Chinese adtech vendor Yeahmobi

RESTON, VA, USA, April 24, 2024 /EINPresswire.com/ -- Researchers at Silent Push, a cyber threat intelligence vendor, have discovered 18 UK public sector organizations using a controversial Chinese ad tech vendor – Yeahmobi – to serve ads on .gov.uk domains.

Yeahmobi have previously had their software blacklisted as malicious by Google, following an investigation into ad fraud and attribution abuse.

In the United States, the Cybersecurity Infrastructure and Security Agency (CISA) – via the Registry Team – specifically prohibits .gov websites being used for any commercial purposes that benefits private individuals or entities, including online advertising.

In the UK, the rules aren’t as clear cut, and .gov.uk sites are not prohibited from running programmatic ads to generate revenue.

Through forensic analysis of .gov.uk website metadata, Silent Push analysts were able to establish the presence of Yeahmobi in the ads.txt file - a file that shows what companies are able to collect visitor data and serve ads on a website - of numerous public sector websites.

Research points to a Chinese ad vendor, linked to questionable practices, profiting from UK public sector organizations, and collecting unknown amounts of data from visitors to the following gov.uk websites:

- Transport for London - https://tfl.gov.uk
- Derbyshire Dales District Council - https://www.derbyshiredales.gov.uk
- Walsall Council - https://go.walsall.gov.uk
- Sheffield City Council - https://www.sheffield.gov.uk
- Milton Keynes City Council - https://www.milton-keynes.gov.uk
- Lancashire County Council - https://lancashire.gov.uk
- London Borough of Redbridge - https://www.redbridge.gov.uk
- Monmouthshire County Council - https://www.monmouthshire.gov.uk
- Torbay Council - https://www.torbay.gov.uk
- Wandsworth Council - https://wandsworth.gov.uk
- East Hampshire District Council - https://www.easthants.gov.uk
- Havering London Borough - https://havering.gov.uk
- Newcastle City Council - https://newcastle.gov.uk
- Tameside Metropolitan Borough - https://tameside.gov.uk
- Cheltenham Borough Council - https://cheltenham.gov.uk
- Havant Borough Council - https://havant.gov.uk
- Met Office - https://www.metoffice.gov.uk
- South Gloucestershire Council - ttps://southglos.gov.uk

A UK organization called the Council Advertising Network (CAN) manages the ads.txt files of all of the domains listed above. CAN is a private company that generates income for local authorities across the UK, by providing “socially responsible digital advertising” services.

Jason Kint, CEO of Digital Content Next, a trade group for digital content producers, said: "I think it's fair to say a UK or US government website wouldn't intentionally pass its citizens' data to a Chinese entity, so this just speaks to the unbridled nature of ad tech and user data that is mined and monetized through it.

"It's also reasonable to assume most UK citizens wouldn't want their personal data passed to a Chinese entity," Jason Kint added.

Zach Edwards, Senior Threat Researcher at Silent Push, said: “Adtech integrated into government websites is generally a bad idea, and there's good reason the US government bans the practice across their .gov namespace.

“It's alarming to see so many UK council websites with online ads, and even more shocking to learn that they share data with controversial Chinese adtech vendors.

“At Silent Push, our hope is that making government officials more aware that this is happening in the UK will lead to stronger policies that explicitly ban ads on government websites”, Zach Edwards said.

Silent Push has contacted CAN for comment, but has not received a reply.

Gareth Howells
Silent Push
+44 7375 027005
ghowells@silentpush.com