Dutch Municipalities websites put citizens privacy at risk

Karina Meerman
Jul 19, 2019 · 6 min read

An analysis of Dutch municipal websites and their data relationship with social media

Image for post
Image for post

Dutch municipalities that direct their website visitors to Facebook or Whatsapp use foreign technology to communicate with their citizens, exposing them to the data collection practices of those companies and the inherent privacy risks. As such, they indirectly, aid these parties in making a profit, even though they do not pay taxes in the Netherlands.

In April 2019 (#30), Dutch iBestuur Magazine published an article quoting D’66 senator Kees Verhoeven that municipalities should disengage from foreign technology companies and develop their own communication channels. In the Dutch article ‘Facebook and Twitter are not utilities’, Verhoeven says: “In our recent tech vision, we also explained that the government should no longer communicate with its citizen through Whatsapp or Facebook”. I and my colleagues at the Mercator Working Group for Mapping Disinformation completely agree.

Mark Z. owns it all

Anyone with a Facebook, Instagram and/or Whatsapp account has given permission to the company Facebook to process his or her posts, messages, photos and data for the benefit of Facebook and its advertisers. This is stated in the company’s privacy policy and every user clicked ”I agree” when they created an account. This makes it rather remarkable that the majority of Dutch local governments puts communication with its citizens in the hands of this technological giant and others. By referring citizens to social media for contact with, or more information about, the municipality, government in fact endorses Facebook’s policy. And hands the privacy of Dutch citizens over to a foreign party. Parties that do not pay taxes in the Netherlands and do not contribute in any way to public society, yet do profit from it.

Data = money

Think of the amount of data that is collected and used to deliver advertisements to specific target audiences online. So-called micro targeting is not just about location, age, and gender, but also about reaching people with a specific political preference, hobby, or medical condition. Facebook’s business model is about selling ads on the basis of what people ‘like’ and visit on the Internet. And what to think of fake news (and now deepfake videos) and how it is used in politics and the polarisation of society? Facebook uses our humanity to increase its profits, by using our need for social contact and selling that data to the highest bidder.

Verhoeven’s quotes inspired the Mercator working group to investigate which Dutch municipalities use foreign technology to communicate with its citizens, to what extent this occurs, and what other parties are there with which their websites have data relationships.

Image for post
Image for post
Foto: Mabel Amber (Pixabay)

We created a list with the URLs of all 355 municipalities in the Netherlands. We then used open source software (OpenWPM) to see what happens in someone’s browser that visits one of the 355 municipal websites. The browser was newly installed and did not contain any cookies or search history. In addition to the ‘normal’ data traffic required to make a website work, we saw other parties with which the websites exchange data, for example, for analytics and accessibility purposes. As was expected, many websites have data relationships with companies that enable speech recognition and support for people with visual disabilities (ReadSpeaker).

Our analysts then looked specifically for relationships with social media and software for analysing and tracking visitors. This was done at the top level of the website. What the data told us, was that on the 16th of May 2019, 83.3% of all Dutch municipalities had a direct link from the homepage to Twitter; 81.1% to Facebook; 33.5% to Instagram, 27% to YouTube and 23.9% to LinkedIn. Hilversum municipality was the only one with an account on SnapChat, an app that deletes a message after the user has opened it.

Image for post
Image for post


More worrying is the fact that the websites of the municipalities of Helmond and Waterland contain code for a Facebook tracker. We also found this so-called pixel on www.leiden.nl, a URL that appears to be owned by the city of Leiden, but we could not verify that. The visitor can click through to the official municipality website, which is a subdomain of www.leiden.nl. The pixel is left in the browser of people who visit the website, to collect data for Facebook for advertising purposes. So, if someone visits the pages on debt support or medical benefits, that data is stored on Facbook’s servers. The citizen has not given the municipality permission to do so, he is probably not even aware that it happened. This is how data from a supposed private interaction between a citizen and his municipality contributes to Facebook’s business model: to sell ads on the basis op what people ‘like’ and visit online. Tilburg, Arnhem, and Meppel are the only three municipalities that have no data relationship with social media at the top level of their websites. This may be the case with underlying pages, but we have not investigated those as yet.

Analytics software

We then looked at other parties to which municipalities have outbound links. We mainly saw data relationships with commercial companies that provide analytics and/or improve search optimisation. A number of municipalities work with SimAnalytics, a company from Finland that provides a paid service and has a solid privacy policy. Most widely used, however, is Google Analytics, which offers a free service. Users often have less control over the data they exchange with this company. Data collected with Google Analytics can be used by Google for advertising purposes. And if you have concerns regarding the interactions between 355 municipal websites and Facebook, you will have even more now: The interactions with Google Analytics are over a thousand times more intense than they are with Facebook.

Image for post
Image for post
design by Zeppa

Is it worth it?

We can conclude that a large number of Dutch municipalities contribute to the business model of foreign software companies. That is in itself unfortunate, but there is a lot more at stake. The Dutch government has a civic duty to protect citizens and their data. Not to throw it to the wind by casually choosing technology owned by companies that have proven time and time again that their view on privacy has little to do with protecting people. The question we want to ask is this one: what is the added value of social media for the core activities of Dutch municipalities and is it worth paying that price with the personal data of its citizens?

Mercator Working Group for Mapping Disinformation is an initiative of A Lab Amsterdam. We are an international collective of data scientists, researchers and journalists that help digital citizens and policy makers to better understand the risks of disinformation and the consequences for civil participation. Disinformation is the strategic deployment of a.o. misinformation and fake news in order to influence citizens. For more information, go to www.mappingdisinformation.org

The data and analyses mentioned in this article are available on https://github.com/mercator-working-group/gemeente-social

Written for iBestuur Magazine. Read the original (Dutch) here.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store