T 2.159 Inadequate protection of personal data in web applications
The user's behaviour while using web applications can be recorded by means of user tracking, usually without the user's explicit consent. Since the evaluation of this data is often not carried out by the operator of the web application itself but is integrated as a third-party service, the collected data is generally stored on third-party systems. By means of user profiling, the recorded data can be used to create personal profiles that do not comply with data protection regulations. There is therefore a risk of breaching legal requirements.
The following are examples of unauthorised collection of personal data:
- Detailed information on the pages accessed and the data entered in web applications is assigned to individual users (e.g. by means of cookies) and logged for an extended period. This data collection can be used to create personal profiles of the web application's users without their knowledge, which can then be used for advertising purposes, for example.
- Images from external servers are embedded in the websites of the web application which are then loaded by the clients of the users. Using the requested images, the operators of the external servers can compile access statistics on the websites of the web application. If IP addresses are also logged on the external server, then it is possible to assign IP addresses (and thus even users) to the accessed pages.
- JavaScript code containing instructions for collecting data about the client (e.g. installed plugins, screen resolution) is embedded in the HTML pages of the web application. When the website is accessed, these instructions are executed by the client without being noticed. The collected data can then be used as identifiers for the creation of user profiles, without the knowledge and consent of the user.
- Although the web application collects personal data in a legal manner, the data is not stored appropriately, so that unauthorised access by third parties is possible.
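The first three mechanisms listed above (long-lived identifying cookies, images loaded from external servers, and client-side scripts that read client attributes) can be checked for during a privacy review of a web application. The following Python script is an added example and is not part of the catalogue; the host names, sample page and response headers are constructed, and the 30-day cookie retention threshold is an assumption to be replaced by the period your own policy permits.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

class ThirdPartyResourceAuditor(HTMLParser):
    """Collects <img>, <script> and <iframe> sources served from a host other
    than the application's own (the embeds that let an external operator build
    access statistics) and counts inline scripts that may read client attributes."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.third_party = []    # (tag, url) pairs loaded from foreign hosts
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host.lower() != self.own_host:
                self.third_party.append((tag, a["src"]))
        elif tag == "script":
            self.inline_scripts += 1

def audit_html(html, own_host):
    p = ThirdPartyResourceAuditor(own_host.lower())
    p.feed(html)
    p.close()
    return {"third_party": p.third_party, "inline_scripts": p.inline_scripts}

def persistent_cookies(set_cookie_headers, max_age_limit=30 * 24 * 3600):
    """Returns cookie names that outlive the session: Max-Age above the limit
    (30 days is an assumed threshold) or any Expires attribute at all."""
    flagged = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["max-age"] and int(morsel["max-age"]) > max_age_limit:
                flagged.append(name)
            elif morsel["expires"]:
                flagged.append(name)
    return flagged

# Constructed sample page and Set-Cookie headers for demonstration only
SAMPLE_HTML = """<html><body>
<img src="https://www.example-app.test/logo.png">
<img src="https://stats.third-party.test/pixel.gif" width="1" height="1">
<script src="https://cdn.third-party.test/track.js"></script>
<script>var r = screen.width + 'x' + screen.height;</script>
</body></html>"""
SAMPLE_SET_COOKIE = ["session=abc123; Path=/; HttpOnly",
                     "uid=7f3a; Max-Age=63072000; Path=/"]

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML, "www.example-app.test"))
    print(persistent_cookies(SAMPLE_SET_COOKIE))
```

Run against a saved copy of a page and its response headers, the output lists every foreign host the client is made to contact and every cookie that identifies the user beyond the current session, which is the material a data protection review needs.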