Personal Data Auditor

Blockmetry Personal Data Auditor (PD Auditor) is an analytics service for Data Protection Officers and other compliance professionals that monitors, in real time, the third-party services added to their websites. Those services in turn receive visitors’ personal data (such as the IP address) and can set cookies, fingerprint devices, and otherwise track individuals. Understanding, documenting, and monitoring these third-party services is part of a data controller’s obligations under the GDPR.

Personal Data Auditor is a separate service to Blockmetry Analytics, and can be used alone or in conjunction with Analytics.

Personal Data Auditor reports

This screenshot summarizes the kinds of reports PD Auditor produces and highlights the two main concepts at the heart of PD Auditor: Operators and Providers.

Operators

An Operator is the entity whose code you embed in the page. For customers of Blockmetry, we would be an Operator. For an ad network like Google Ads, Google would be the Operator. Third-party analytics vendors like Chartbeat are also Operators.

In the GDPR, they would be your data processors or joint controllers.

In the example above, Outbrain is the Operator.

Operators listed as IP addresses

Sometimes Blockmetry lists an Operator as an IP address (e.g. 111.222.333.444). This means that the embed in the webpage used a URL containing an IP address rather than a hostname. For example, instead of embedding a third-party tracker as https://example.com/track.js, the webpage embedded it as https://111.222.333.444/track.js. In these cases the Operator may not be clear, so the IP address is reported as the Operator.

Regardless, the Operator would have its Providers listed.

Providers

An Operator uses services to deliver its code and functionality, and these are called the Providers.

Providers are hosting providers or content distribution networks. Some large companies like Adobe and Google use their own infrastructure to deliver their services, meaning the Operator and Provider would be the same entity. Most of the time, however, Operators use other vendors as their Providers, including Amazon Web Services, Fastly, and Akamai.

Sometimes, Providers are called “subprocessors”.

In the example above, Outbrain is detected to be using Akamai, Fastly, ServerCentral (a hosting provider), and their own infrastructure.

A special Operator called “Self”

PD Auditor recognizes that a customer is its own Operator. Further, customers may operate multiple websites that share the same infrastructure (for example, a CDN in addition to your hosting provider). PD Auditor allows you to configure all these websites as “first-party” Operators, counted under the special Operator called Self.

Subdomains deserve particular attention. A common practice is to point a subdomain of your website at a third-party vendor. For example, if your website is example.com, you may use cdn.example.com to point to a content distribution network like Fastly or Akamai. In this case, the Operator would be yourself (i.e. PD Auditor classifies it as Self) because you operate the domain name, but the Provider would be your CDN vendor (e.g. Akamai).
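The two classification rules above (an IP-literal embed is reported as an Operator of its own, and a host under one of your own domains is counted as Self) can be written down as a small, self-contained check. The following Python is an added example written for this page; it is not Blockmetry’s code and does not reproduce PD Auditor’s detection. The first-party domain list, the embed URLs and the “last two labels” registrable-domain guess are assumptions made for the example (production tooling would use the Public Suffix List). Provider detection, which needs DNS and IP-range data, is out of scope here.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed first-party domains for a hypothetical customer: any host on
# these domains or their subdomains is counted under the special Operator "Self".
FIRST_PARTY_DOMAINS = ("example.com", "example-cdn.net")

# Hosts that look like a dotted quad. A real hostname can never have an
# all-numeric top-level label, so this also catches illustrative "addresses"
# such as 111.222.333.444 that ipaddress.ip_address() would reject.
_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def host_of(url: str) -> Optional[str]:
    """Host component of an embed URL (lower-cased, IPv6 brackets stripped),
    or None when the URL carries no host (e.g. data: URLs)."""
    return urlsplit(url).hostname


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals and dotted-quad-shaped hosts."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_DOTTED_QUAD.match(host))


def is_first_party(host: str) -> bool:
    """True when host equals, or is a subdomain of, a configured first-party domain."""
    h = host.rstrip(".").lower()
    return any(h == d or h.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def registrable_domain(host: str) -> str:
    """Naive registrable-domain guess: the last two labels (assumption for
    this example; use the Public Suffix List in real tooling)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_operator(url: str) -> str:
    """Operator label for one embedded resource URL."""
    host = host_of(url)
    if host is None:
        return "unknown"
    if is_ip_literal(host):
        return host          # the address itself is reported as the Operator
    if is_first_party(host):
        return "Self"        # your own domain, even if a vendor serves it
    return registrable_domain(host)


def audit_embeds(urls: List[str]) -> Dict[str, List[str]]:
    """Group the distinct hosts seen in a page's embeds by Operator."""
    report: Dict[str, List[str]] = {}
    for url in urls:
        host = host_of(url) or "(no host)"
        report.setdefault(classify_operator(url), [])
        if host not in report[classify_operator(url)]:
            report[classify_operator(url)].append(host)
    return {op: sorted(hosts) for op, hosts in sorted(report.items())}


# Constructed sample of resource URLs as they might appear in a page's HTML.
SAMPLE_EMBEDS = [
    "https://example.com/app.js",
    "https://cdn.example.com/lib.js",          # subdomain served by a CDN: still Self
    "//static.example-cdn.net/font.woff2",     # scheme-relative URL
    "https://widgets.outbrain.com/outbrain.js",
    "https://198.51.100.7/track.js",           # IP-literal embed
    "https://[2001:db8::1]/pixel.gif",         # IPv6-literal embed
]

if __name__ == "__main__":
    for operator, hosts in audit_embeds(SAMPLE_EMBEDS).items():
        print(f"{operator:>16}: {', '.join(hosts)}")
```

The audit groups by Operator only; a host classified as Self can still have a third-party Provider behind it, which is exactly the cdn.example.com case the text describes.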

Detecting Operators and Providers

PD Auditor detects a large number of Operators and Providers using a deep technical analysis. However, the number of vendors is huge and any detection method will, by definition, always miss some. Further, vendors rebrand, shut down, or get acquired, meaning that a vendor identified correctly today may be misclassified in the future.

Links to websites and privacy policies

PD Auditor uses a manually-curated list that maps Operators and Providers to their websites and privacy policies.

Since GDPR compliance is one of PD Auditor’s motivations, the list states the most EU-focused privacy policy if more than one policy is found. If a vendor has a general compliance portal, the list would state that as the “privacy policy” URL on the assumption that this is more helpful to data protection and compliance professionals.

Some vendors have several country-specific privacy policies, and some have policies (and websites) in different languages. Although such cases are uncommon, where they occur we try to identify the most appropriate links, such as the policy in the language of the country where the vendor’s headquarters are.

Country listing, and international data export

Blockmetry detects, at the time of processing, the geographical location of the IP addresses of the servers the Provider is using to process the data. This allows you to audit data export.

There are three very important points about the country detection, which we’ll explain in detail below:

Country list completeness

It is possible that DNS lookups return different results based on the perceived location of the user, routing the user to the closest datacenter so that websites load faster. For example, a content distribution network (CDN) may point a user in Germany to a datacenter in, say, France, if the France datacenter happens to be the closest to that user. The same CDN may point a user in the USA to a datacenter in the USA or in Canada, as those would be closer to the user than the France datacenter.

Blockmetry does all its processing in Ireland-based datacenters, meaning that the report currently reflects what an EU-based user in Ireland would see. If you have customers elsewhere in the EU or outside the EU, they may see different results.

If completeness is important to your audits, you have two options:

Missing countries

Sometimes Blockmetry cannot detect the geographic location of an IP address. This is common with content distribution networks (CDNs); at the time of writing, Akamai exhibits this behavior. In these cases, Blockmetry reports that it found IP addresses it cannot geolocate. We recommend asking your Operator about the contracts they have with their Providers.

Incorrect country detection

No IP-to-country database is 100% accurate. Typically, databases are wrong for a tiny percentage of IP addresses (usually less than 0.5% of the time). Please keep this in mind when looking at the Blockmetry reports.
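To make the data-export audit described in this section concrete, here is an added Python example (not Blockmetry’s code) that geolocates the server addresses observed for each Provider with a longest-prefix match, flags countries outside the EEA, and reports addresses it cannot geolocate separately rather than guessing, as the “Missing countries” point above calls for. The IP-range table, the Provider names and the observed addresses are all constructed for the example from documentation prefixes and carry no real geographic meaning; a real audit would substitute a proper geolocation database and would note the vantage point (Ireland, per the text) from which the addresses were resolved.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed IP-range -> country table standing in for a geolocation database.
# Assumption: these are documentation/example prefixes, chosen only so that the
# example is self-contained; the countries attached to them are invented.
GEO_TABLE: List[Tuple[Network, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "IE"),
    (ipaddress.ip_network("198.51.100.0/24"), "FR"),
    (ipaddress.ip_network("198.51.100.128/25"), "US"),  # more specific than the /24
    (ipaddress.ip_network("2001:db8::/32"), "DE"),
]

# EU member states plus the three EEA EFTA states.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


def geolocate(ip: str) -> Optional[str]:
    """Country code for ip by longest-prefix match, or None when no range
    covers it (the 'cannot geolocate' case the report must surface)."""
    addr = ipaddress.ip_address(ip)
    best: Optional[str] = None
    best_len = -1
    for net, country in GEO_TABLE:
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = country, net.prefixlen
    return best


def audit_provider(provider: str, observed_ips: List[str]) -> dict:
    """Summarise where one Provider's observed server addresses are located."""
    countries: Counter = Counter()
    unknown: List[str] = []
    for ip in observed_ips:
        country = geolocate(ip)
        if country is None:
            unknown.append(ip)
        else:
            countries[country] += 1
    outside_eea = sorted(c for c in countries if c not in EEA)
    return {
        "provider": provider,
        "countries": dict(countries),
        "unknown": unknown,
        "outside_eea": outside_eea,
        # Either condition means the DPO should follow up with the Operator.
        "needs_follow_up": bool(outside_eea) or bool(unknown),
    }


def audit_all(observed: Dict[str, List[str]]) -> List[dict]:
    """Audit every Provider; callers can filter on 'needs_follow_up'."""
    return [audit_provider(name, ips) for name, ips in observed.items()]


# Constructed observations: addresses a page's embeds were seen resolving to,
# keyed by the Provider serving them. None of these map to real Providers.
OBSERVED = {
    "CDN A (constructed)": ["192.0.2.10", "203.0.113.5"],        # IE + one unknown
    "CDN B (constructed)": ["198.51.100.20", "198.51.100.200"],  # FR + US
    "Own infrastructure (constructed)": ["2001:db8::5"],          # DE only
}

if __name__ == "__main__":
    for row in audit_all(OBSERVED):
        flag = "FOLLOW UP" if row["needs_follow_up"] else "ok"
        print(f"{row['provider']:<34} {row['countries']} unknown={row['unknown']} "
              f"outside_eea={row['outside_eea']} -> {flag}")
```

Because the table match is a longest-prefix lookup, the /25 inside the /24 wins for addresses it covers, which is how a real database expresses that a sub-range of a hosting block sits in a different country. Keep the error margin quoted above in mind when reading any single-address result.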

Bot exclusion

Like Blockmetry Analytics, Personal Data Auditor filters out measurements detected to be coming from bots, including bots that identify themselves and stealth bots.

Data integration options

Personal Data Auditor gives you two data integration options:

You can configure the service to do both: write data to your database and keep a copy.

Self-hosting PD Auditor data

For hosting your own database, please see these two documentation articles:

Blockmetry-hosted PD Auditor data

If you choose for Blockmetry to host your PD Auditor data:

We use Amazon Web Services for our hosting and processing infrastructure, specifically the AWS Ireland datacenter.

Signing up to Personal Data Auditor

Please see this page to sign up to PD Auditor and Analytics.

Questions and getting in touch

Please contact us here.