One of our security engineers recently discovered that some web hosting companies are adding tracking codes into the web pages that they host without the user knowing. These web hosting companies are able to do this via Javascript. Javascript, in itself, is a known security issue.
The user can turn off these tracking codes, but only if they are looking for a way to do it. Take into consideration that the company or website owner probably doesn’t even know that the hosting firm added this code. Or, even if they see it, they may assume that its normal.
Here is an article that discusses the issue and how It was discovered at one host, Go Daddy.
Why is This a Concern
The extent of this problem is still to be determined. However, the problem does highlight a concern for privacy advocates as well as legal issues. The code is being used to gather data on users who visit the websites. They are most likely gathering location, browser type, date, time, IP address, and possibly some web history.
There are a number of countries that have rules in place, such as General Data Protection Regulation (GDRP). GDPR requires website owners to make known what they are doing on sites. This means that they are required to disclose what they are tracking and what they are doing with the data. The visitor is allowed to reject the company policy and leave the site. However, when a web host does this without the website owner knowing, the owners privacy policy may not equal reality, resulting in some trouble. The trouble could equal fines, so this is a real concern.
Using a shared hosting company always opens you up to some vulnerabilities in areas that you cannot control. So beware of who you are using and make sure you have someone check the website code to ensure it is all on the up and up.