SBE student believes that the UM is violating his privacy

UM registers which links students and staff click on

04-05-2022 · News

Maastricht University follows employees and students when they click on links in UM e-mails or the newsletter. Is the university violating privacy regulations by doing so? Also, how ‘necessary’ are cookies that register which pages you visit on the UM website?

Anyone who clicks on a link in the UM newsletter or in other e-mails, such as the announcement of the Foundation Day, does not go directly to that specific website, but first makes a stop-over on the UM server. A programme running there uses a unique code embedded in every single e-mail sent to note which employee or student clicked on which link, and so who finds which information interesting. It also records at what time and from which IP address the user accesses the site, and via which provider.
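How a recipient can spot such per-recipient codes is shown in the following added example, which is not part of the original article and is not UM or Tripolis code: it compares the same mailing as received by two people and reports the links whose URLs differ only in one path segment or query value. The hosts, URL layout and codes in the sample are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the same mailing as received by two recipients.
# Hosts, paths and codes are invented; they are not real UM or Tripolis URLs.
MAIL_A = """<a href="https://mail.example.org/r/c1/AAA111/link7">Foundation Day</a>
<a href="https://www.example.org/privacy">Privacy statement</a>
<a href="https://mail.example.org/click?m=42&amp;r=AAA111&amp;l=9">Newsletter</a>"""
MAIL_B = MAIL_A.replace("AAA111", "BBB222")

class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links

def _parts(url):
    """Split a URL into host plus comparable path segments and query values."""
    u = urlsplit(url)
    segs = [("path", i, s) for i, s in enumerate(u.path.split("/")) if s]
    query = [("query", k, v) for k, v in parse_qsl(u.query, keep_blank_values=True)]
    return u.netloc.lower(), segs + query

def per_recipient_links(html_a, html_b):
    """Return links whose URL differs between two copies of one mailing."""
    findings = []
    for a, b in zip(extract_links(html_a), extract_links(html_b)):
        (host_a, parts_a), (host_b, parts_b) = _parts(a), _parts(b)
        if a == b or host_a != host_b or len(parts_a) != len(parts_b):
            continue  # identical link, or too different to align
        tokens = [(pa[2], pb[2]) for pa, pb in zip(parts_a, parts_b) if pa != pb]
        if tokens:
            findings.append({"host": host_a, "url": a, "tokens": tokens})
    return findings

if __name__ == "__main__":
    for f in per_recipient_links(MAIL_A, MAIL_B):
        print(f["host"], f["url"], f["tokens"])
```

Links that are byte-for-byte identical in both copies, such as the privacy-statement link in the sample, carry no per-recipient code and are not reported.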

With these tracking links, the UM gathers information from students and employees without them being aware of it, says third-year student of Econometrics Peter van Mill, skilful with computers and partial to his privacy. “I expect these kinds of marketing tricks from businesses, but not from a university. This is not right from a privacy point of view. I want to be able to read the newsletters without the university monitoring which links I click on.”

Trust

Spokesperson Koen Augustijn states that the university works with Tripolis, a programme that indeed registers who clicks on what links. However, for the university it is not about an individual’s choices, says Augustijn, but about “the number of clicks to assess whether actual use is being made of the available content”. 

With regard to the tracking links, the UM informs its students and employees in the privacy statement on its website, the spokesperson said. This states: “In order to be able to measure the efficiency and relevance of the above-mentioned newsletters, statistics are collected with respect to the interaction of the recipients with the information sent.”

Aside from the unclear phrasing, the question is whether such a statement suffices. The Dutch Data Protection Authority (DDPA) reported when asked: “As soon as tracking links yield data that can be redirected to an IP or e-mail address, explicit permission from the user is required.” 

Why is there no option to not be followed, Van Mill wonders. “The UM claims that it does not monitor individuals, but there is no way of checking whether that is true. You just have to put your trust in the university keeping its word. And suppose that individual data is not looked at, is it generated and stored? Who can get at it?”

Anonymised

Then there are the cookies. As is the case on so many websites, students and employees also encounter them on the UM website. On the first visit, a pop-up window appears with three choices: allow all cookies, customize, or use necessary cookies only. But anyone who chooses ‘necessary’, Van Mill says, still receives five analytic cookies, plus one for Google Analytics, which, among other things, records which pages you visit and for how long.

How necessary is that?

The UM states that it doesn’t use any analytic cookies other than Google Analytics. Augustijn: “We did an extra check last week. This showed that on a website associated with the UM, five analytic cookies were placed. This has since been adapted.”

To use Google Analytics, the UM does not need permission, because it anonymizes the data. In doing so, the university meets the privacy requirements, says Augustijn.

AutoDelete

To place analytical cookies, the Dutch Data Protection Authority states in its reaction, “you don’t usually need to ask for permission, if the website only uses those cookies themselves to count visitors and in doing so does not (further) process the personal data. Using analytical cookies, you gain better insight into the functioning of your website.”

Van Mill: “You can consider these cookies as being useful, but as far as I am concerned, they are not necessary. The same applies here: why does the university not allow people to choose whether or not to accept the cookies?”

Another possibility: download free software, or browser extensions, that continuously remove these cookies from your computer. Van Mill recommends, among others, AutoDelete.

DDPA investigates complaints about Google Analytics 

Google Analytics, a service that measures the number of visitors to websites, may soon no longer be permitted, the Dutch Data Protection Authority states. “In January 2022, the Austrian privacy supervisor completed an investigation into the use of Google Analytics by an Austrian website. According to the Austrian supervisor, this investigation shows that Google Analytics does not meet the requirements of the GDPR. The DDPA is currently investigating two complaints about the use of Google Analytics in the Netherlands. After completion of that investigation, at the beginning of 2022, the DDPA can say whether Google Analytics is permitted or not.”

Photo: Rhino Neal

Tags: cookies, privacy, website, instagram

Responses

Peter van Mill

Back in March I gave a talk about this, which can be viewed online: see https://umprivacy.nl.eu.org and for the video itself https://tube.tchncs.de/w/auEwbc1T63LwudB1FLckpD . That's how it all started.
In the talk I explain how various online tracking methods work. The point is that although the UM probably doesn't do much evil with this, many internet companies make use of these methods to the fullest extent, and that means it's important for people to be informed about how online tracking works and what they can do to protect themselves.
Additionally I'd like to mention Privacy Badger, a second browser add-on that is strongly recommended for anyone.

Since January 2022, Observant only publishes comments of people whose name is known to the editors.