Cookies, keystrokes and clicks: Columbia knows where you’ve been

By Kendall Polidori and Mari Devereaux

Lucas Martinez

Complex coding algorithms allow websites to track users’ clicks and keystrokes and monitor actions across the internet for marketing and site optimization purposes, and Columbia’s website is no exception.

A user-tracking inspection report found that Columbia’s website, colum.edu, has around 11 ad trackers, 18 third-party cookies and may be monitoring users’ keystrokes and mouse clicks, informing Facebook when a user visits and allowing Google Analytics to follow users across the internet.

The number of ad trackers on Columbia’s website, according to the report, is more than the average of seven found on “popular sites,” and the number of third-party cookies is more than the average of three found on “popular sites.”

While this may seem alarming, Surya Mattu, an investigative data journalist from The Markup who had a hand in developing the inspector site Blacklight, said tracking and similar practices are not unusual to find among various institutions’ websites. He said the main issue is that people are unaware they are being tracked.

“It is in the question, like ‘why is this really useful?’” he said. “Something we have found in our study is [institutions] don’t often know these things are happening on their website.”

In January 2019, The Markup—a nonprofit organization focused on data-driven investigations of technology and how it influences society—began looking at an internal tool to report on surveillance. Mattu said at first the organization wanted to look at local websites, but it slowly turned into a larger scale study. The point is to identify exactly how a user engages with a website and how that user is being monitored.

Michael Towns, publicity chair for Columbia’s part-time faculty union, or CFAC, said the real question is whether students, faculty and staff have any say or get insight into the usage of the data collected.

Towns, an adjunct faculty member in the Business and Entrepreneurship Department, said there needs to be more disclosure on any data collected, analyzed and used “to make decisions that are a function of student, staff and faculty activity” on the college’s website and its digital properties.

In an Oct. 16 email to the Chronicle, Senior Director of Campus Communications Keisha Cowen said the college does not collect or host sensitive personal information, such as Social Security numbers and credit cards, on the public-facing website. She said the college’s website is its “primary marketing tool used to raise awareness, share information and attract a variety of audiences” to the college.

“To learn more about our audiences and how we might communicate and connect with them most effectively, we use a range of industry-standard tracking tools such as pixels, cookies and heatmaps,” Cowen said. “These tools help us create a better experience for our audiences as they reveal to us whether or not information can be found easily; what information is being sought out [and] how long people are willing to stay.”

When looking at the numbers from the report, Cowen said the number of ad trackers and cookies found on the website is not “constant,” meaning it changes based on the college’s different campaigns, how long they are running and how many metrics the college is trying to track.

Since the rollout of Duo Security, a two-factor authentication and endpoint security platform, Craig Sigele, academic manager in the Communication Department and president of the United Staff of Columbia College, said staff have had major concerns about being tracked through email, personal messages and location.

The security system was put in place after the college was named the victim of a ransomware attack by NetWalker on May 30, as reported by the Chronicle. And in the last two weeks, employees of the college have had to download GlobalProtect, a web browser-based virtual private network service that runs on a device to protect sensitive networks, in order to log work hours and access other essential employee information.

Associate Vice President of Strategic Communications and External Relations Lambrini Lukidis said a VPN can help protect against identity theft by protecting data and that it creates an encrypted tunnel for data sent and received that is “out of reach of cyberthieves.”

Sigele said Columbia’s staff union, USofCC, is “particularly concerned that we are being forced to use our personal devices as part of the college security strategy.” He said the college did not offer employees other devices to use, instead indicating it was too expensive.

“Besides being asked to use our personal devices … we are also concerned the school is tracking employees with their phones, and the Duo system, I am told, has a tracking feature,” he said.

Duo’s privacy information states that it uses “a pseudonymized mobile data analytics provider, Firebase,” which it describes as “Google Analytics for Duo Mobile. It helps us understand how Duo Mobile users interact with our app. Our usage analytics only collect information about how you use Duo Mobile, it cannot ‘see what you do’ in other applications on your phone.”

Sigele said he is not concerned with the requirement to use GlobalProtect.

Lukidis said those who do not wish to install GlobalProtect can go to campus to use the college’s private network to complete tasks that are on software-protected devices.

She said Duo is “an additional security feature to protect the institution and the user, and does not increase risk or violate privacy.” Additionally, she said those who do not want to install Duo on personal devices can request a fob, or token, from IT.

According to an FAQ on Duo issued by the college, the token is about the size of a lighter. “Should the token be lost or damaged, the user will be responsible for the replacement cost,” the FAQ states.

When comparing Columbia with other nearby colleges, the report shows that DePaul University’s website has 10 ad trackers and 11 third-party cookies as of publication but does not monitor keystrokes or clicks. Like Columbia’s site, it does tell Facebook when users visit the site, and it allows Google Analytics to follow web visitors across the internet. Loyola University has six ad trackers and 11 third-party cookies and does not monitor or track keystrokes and clicks; and Roosevelt University has 10 ad trackers and 18 third-party cookies and also does not track or monitor keystrokes.

Section 5 of the Federal Trade Commission Act prohibits websites in the U.S. from using unfair or deceptive marketing practices, meaning owners must clearly inform visitors about the ways the website collects their information and how it may be used or shared with third parties.

On its website, Columbia lists its privacy policy and outlines its use of cookies, remarketing, web analytics, sharing, links, security, compliance and cooperation with regulatory authorities and notification of changes.

Cowen said the site does engage with third-party vendors, like Technolutions/Slate (for the application, inquiry forms, etc.), Shopify (the Museum of Contemporary Photography store) and Lightspeed (ShopColumbia). But, “they are external companies [and] services and none of the information collected by those companies is hosted on our web servers,” she said.

Aaron Stevens, vice president of strategic partnerships at Osano, a data privacy software platform, said often institutions are unaware of the analytics and marketing tracking or third-party cookies left over on the site from previous administrations or marketing department staff.

To help companies find out what is on their site, Stevens said Osano’s software scans websites for cookie scripts and miscellaneous advertising coding.

“These reports that we can run are usually pretty eye-opening to companies. Sometimes it’s good. Sometimes it’s bad. Sometimes it’s nothing,” said Stevens, who also assessed Columbia’s site. “But I wouldn’t say that [Columbia is] doing anything over the top.”

Lori Andrews, a professor at Chicago-Kent College of Law, said it is common that institutions or companies will not specifically disclose what they are tracking on their websites and why.

With Facebook being notified each time a user visits Columbia’s website, Andrews said the user’s information can then be sold for marketing purposes and data can be combined to create a profile for someone. Lukidis said the college does not sell any form of data to Facebook.

Andrews said she advises people to search and use the internet in “incognito mode,” close out of Facebook tabs when not in use and question whether some apps or websites are worth using.

She said although it is not illegal, the use of tracking can lean toward strong invasions of privacy, and the issue is that many people do not know or understand what information is being collected when they visit certain websites.

“We really need some social pressures to change this,” Andrews said.