Saturday 20th October 2018

The EU’s website is serving third-party content and spreadsheets containing hundreds of names and email addresses

Some subdomains on the EU's website are serving third-party content from YouTube and Twitter. The spreadsheets on the EU's website contain personal information on individuals who have attended its workshops and conferences.
by Jason Smith on 27th May 2018

The website of the European Union, Europa.eu, is serving publicly accessible spreadsheets containing the names, email addresses, telephone numbers and mobile phone numbers of individuals who have attended its various workshops and events, according to an Indivigital analysis.

One of the spreadsheets identified also contains columns labelled “Post Code” and “Address”. Some of the postcodes published in one of the spreadsheets appear to belong to residential addresses.

Our analysis also identified a number of EU agencies, including the European Centre for the Development of Vocational Training (Cedefop), serving third-party scripts and content on their websites.

The Cedefop website features a frame that contains its Twitter feed and appears to set at least 17 third-party cookies. It also features third-party content from video sharing platform YouTube, which appears to set upwards of 10 third-party cookies on users’ computers (these cookies only appear to be set after the user plays a video).

The Cedefop website serves a cookie notification; however, the only options available to users are “close” or “learn more”, and neither needs to be clicked to view the third-party content.

Meanwhile, the website of the European Foundation for the Improvement of Living and Working Conditions (Eurofound) also sets a number of third-party cookies from YouTube.com.

While it features a consent message at the top of its page, the user doesn’t need to provide consent before cookies are set on his or her computer. Cookies from YouTube.com are also set before the user has clicked the play button in the embedded video on Eurofound’s website.
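One way a site operator can avoid the behaviour described above, as an added example that is not code from Cedefop, Eurofound or the original article: third-party iframes are rewritten so the browser requests nothing from the embed host until the visitor explicitly grants consent. The host `www.example.eu`, the `data-consent-src` attribute and the function names are assumptions.

```javascript
// Added example: keep third-party iframes inert until the visitor opts in.
// FIRST_PARTY, data-consent-src and the function names are hypothetical.
const FIRST_PARTY = "www.example.eu"; // placeholder for the site's own host

// True when the iframe URL resolves to a host other than our own.
function isThirdParty(src) {
  try {
    return new URL(src, `https://${FIRST_PARTY}/`).hostname !== FIRST_PARTY;
  } catch {
    return true; // unparsable URL: treat as untrusted and gate it
  }
}

// Template step: swap src for data-consent-src so the browser makes no
// request to the embed host (and receives no cookies) while consent is unknown.
function gateEmbeds(html) {
  return html.replace(/<iframe\b([^>]*?)\ssrc="([^"]*)"/gi, (tag, pre, src) =>
    isThirdParty(src) ? `<iframe${pre} data-consent-src="${src}"` : tag);
}

// Client step: restore src only on an explicit grant. Dismissing a banner
// ("close", "learn more") or giving no answer leaves the embeds gated.
function releaseEmbeds(html, consent) {
  if (consent !== "granted") return html;
  return html.replace(/\sdata-consent-src="([^"]*)"/gi, ' src="$1"');
}

// Constructed sample page fragment: one third-party and one first-party frame.
const PAGE = [
  '<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
  '<iframe src="/maps/venue.html"></iframe>',
].join("\n");

console.log(gateEmbeds(PAGE));
```
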

The basis for retaining data on each of the thousands of individuals whose personal information we’ve identified published in spreadsheets on the EU’s website is unclear.

Each record could have been published owing to a legal obligation to do so, for the performance of a contract to which each individual is a party or with the explicit consent of each user.

Our analysis has identified thousands of personal records; however, it hasn’t spanned the full extent of spreadsheets available on the Europa.eu domain.

According to the figure displayed at the top of Google’s search results, there are roughly 24,000 results for a search relating to Excel documents on the EU’s website; the spreadsheets in Google’s index from Europa.eu can be accessed by any user capable of using advanced search operators.

One of the spreadsheets appears to have been published by the European Food Safety Authority (EFSA) and logs personal data on 101 individuals who attended its “Scientific Colloquium Series” in November 2013.

The data includes last names, first names, email addresses, post codes, addresses, cities, telephone numbers, mobile phone numbers and fax numbers for the individuals listed in the document.
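A pre-publication check for the kind of columns listed above, as an added example that is not part of the original article: it scans a CSV export of an attendee sheet and flags columns whose header or values look like personal data, so a person can review them before the file is uploaded. The header hints, regular expressions, threshold and sample rows are assumptions constructed for illustration.

```javascript
// Added example: flag personal-data columns in a CSV export before upload.
// Header hints mirror the column types the article lists; all names are hypothetical.
const HEADER_HINTS = /\b(first name|last name|surname|e-?mail|post ?code|address|telephone|phone|mobile|fax)\b/i;
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE = /^\+?[\d\s().-]{7,}$/; // loose on purpose: hits go to human review

// Minimal CSV parser: handles quoted fields, doubled quotes and embedded commas.
function parseCsv(text) {
  const rows = [];
  let row = [], field = "", quoted = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quoted) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') quoted = false;
      else field += c;
    } else if (c === '"') quoted = true;
    else if (c === ",") { row.push(field); field = ""; }
    else if (c === "\n") { row.push(field); rows.push(row); row = []; field = ""; }
    else if (c !== "\r") field += c;
  }
  if (field !== "" || row.length) { row.push(field); rows.push(row); }
  return rows;
}

// Report each column whose header or content looks like personal data.
function findPersonalColumns(csvText, threshold = 0.5) {
  const [header, ...body] = parseCsv(csvText);
  const findings = [];
  header.forEach((name, col) => {
    const cells = body.map(r => (r[col] || "").trim()).filter(Boolean);
    const share = re => cells.length ? cells.filter(v => re.test(v)).length / cells.length : 0;
    const reasons = [];
    if (HEADER_HINTS.test(name)) reasons.push("header");
    if (share(EMAIL) >= threshold) reasons.push("email values");
    if (share(PHONE) >= threshold) reasons.push("phone values");
    if (reasons.length) findings.push({ column: name, reasons });
  });
  return findings;
}

// Constructed sample; the people and organisations are fictional.
const SAMPLE = [
  "Last Name,First Name,Organisation,Contact,Post Code,Session",
  'Doe,Jane,"Example Institute, Brussels",jane.doe@example.org,1000,A',
  "Roe,Sam,Example University,sam.roe@example.com,75001,B",
].join("\n");
console.log(findPersonalColumns(SAMPLE));
```

The `Contact` column is caught by its values even though its header gives nothing away, which is the case a header-only check would miss.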

Some of the other publicly accessible spreadsheets containing personal data include:

  • A spreadsheet that contains an image with the text “Cultural Infodays 2009” and 437 rows of data, including names, email addresses and organizations. It appears to relate to an event that took place in 2009. Some of the people listed are employees of governmental bodies or universities, while some are from non-profits or privately owned organizations. Many of the email addresses are also for governmental and non-profit organizations; however, some are from free email services like Gmail;
  • A spreadsheet that appears to belong to the Marine Expert Group and that lists the names and email addresses of participants as well as whether they’ve confirmed they’ll be attending. Many of the email addresses are for governmental bodies; however, some are for non-governmental organizations; and
  • A spreadsheet that appears to be published by the European Commission that includes personal data on 63 individuals, including their names and email addresses. The email addresses consist largely of Gmail addresses. A column in the spreadsheet is labelled “nature of involvement” and appears to contain short descriptions of the capabilities of each individual, e.g. “skills in IT and social media,” “offers help to draft documents on WB RAA,” “experienced in project management,” etc.

The latter spreadsheet appears to relate to an event titled “Balkan Connexion,” which took place between the 3rd and 4th November 2016. According to the EU’s website, the event was attended by 90 participants, including students.

Many of the spreadsheets, including one that contains 684 rows of personal data, appear to have been published with each individual’s explicit consent and are linked to from pages on Europa.eu that outline the nature of consent and provide a link to the spreadsheet.

Another example is a spreadsheet listed on a website dedicated to the “FOREST project”. The spreadsheet containing users’ personal details, including their names and mobile phone numbers, is linked to from workshop pages published between 2010 and 2018.

It’s unclear what the basis is for the EU retaining this data. Moreover, it isn’t always immediately apparent where the other spreadsheets that contain information on delegates attending events or conferences are linked from.

This doesn’t mean the spreadsheets aren’t linked to internally; according to a Google search, the Europa.eu website contains 16.5 million pages.

Our analysis also uncovered subdomains on Europa.eu utilizing third-party services like Google Analytics to track visitors. That the EU utilizes Google Analytics may be of interest to webmasters concerned about the GDPR implications from using the web measurement platform to track user activity on their websites.

The European Food Safety Agency’s analytics tracker has anonymized all IP addresses being sent to Google while the European Central Bank appears to have implemented an analytics tracker through Google Tag Manager.