Blockmetry Personal Data Auditor (PD Auditor) is an analytics service for Data Protection Officers and other compliance professionals that monitors in real time the third-party services added to their websites. Those third parties in turn receive visitors’ personal data (such as the IP address) and can set cookies, fingerprint devices, and otherwise track individuals. Understanding, documenting, and monitoring these third-party services is part of a data controller’s obligations under the GDPR.
Personal Data Auditor is a separate service from Blockmetry Analytics, and can be used alone or in conjunction with Analytics.
Personal Data Auditor reports
This screenshot summarizes the kinds of reports PD Auditor produces and highlights the two main concepts at the heart of PD Auditor: Operators and Providers.
An Operator is the entity whose code you embed in the page. For customers of Blockmetry, we would be an Operator. For an ad network like Google Ads, Google would be the Operator. Third-party analytics vendors like Chartbeat are also Operators.
In the GDPR, they would be your data processors or joint controllers.
In the example above, Outbrain is the Operator.
Operators listed as IP addresses
Sometimes Blockmetry lists an Operator as an IP address (e.g. 111.222.333.444). This means that the embed in the webpage used a URL with an IP address rather than a hostname. For example, instead of embedding a third-party tracker as https://example.com/track.js, the webpage embedded it as https://111.222.333.444/track.js. In these cases the Operator may not be clear, so the IP address is reported as the Operator.
Regardless, the Operator would have its Providers listed.
An Operator uses services to deliver its code and functionality, and these are called the Providers.
Providers are hosting providers or content distribution networks. Some large companies like Adobe and Google use their own infrastructure to deliver their services, meaning the Operator and Provider would be the same entity. Most of the time, however, Operators use other vendors as their Providers, including Amazon Web Services, Fastly, and Akamai.
Sometimes, Providers are also referred to as “subprocessors”.
In the example above, Outbrain is detected to be using Akamai, Fastly, ServerCentral (a hosting provider), and its own infrastructure.
A special Operator called “Self”
PD Auditor recognizes that a customer is its own Operator. Further, customers may operate multiple websites that share the same infrastructure (for example, a CDN in addition to your hosting provider). PD Auditor allows you to configure all these websites as “first-party” Operators, which are counted under the special Operator called Self.
Subdomains deserve special mention. A common practice is to use a third-party vendor on a subdomain of your website. For example, if your website is example.com, you may point cdn.example.com to a content distribution network like Fastly or Akamai. In this case, the Operator would be yourself (i.e. PD Auditor classifies it as Self) because you operate the domain name, but the Provider would be your CDN vendor (e.g. Akamai).
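The Operator classification described in the two sections above (an IP-literal host reported as the Operator, your own domains and their subdomains counted as Self, everything else a third-party Operator), as an added Python example that is not Blockmetry's code. It assumes a list of embed URLs already extracted from a page and uses a simplified last-two-labels rule for grouping third-party hosts.

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _registrable_domain(host):
    # Simplification: last two labels. Real tooling should use the Public Suffix List
    # so that a host such as example.co.uk is not collapsed to co.uk.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify_embed(url, first_party_domains):
    """Map one embed URL to an Operator following the rules described above:
    an IP-literal host is reported as that IP, the site's own domains and their
    subdomains (e.g. cdn.example.com) are Self, anything else is third-party."""
    host = urlsplit(url).hostname  # lowercased; brackets of IPv6 literals removed
    if not host:
        return None  # data: and javascript: URLs have no host to classify
    host = host.rstrip(".")
    if _is_ip_literal(host):
        return {"host": host, "operator": host, "kind": "ip-literal"}
    for fp in (d.lower() for d in first_party_domains):
        if host == fp or host.endswith("." + fp):
            return {"host": host, "operator": "Self", "kind": "self"}
    return {"host": host, "operator": _registrable_domain(host), "kind": "third-party"}

def audit_embeds(urls, first_party_domains):
    """Group embed hosts by Operator, like the Operator column of a PD Auditor report."""
    report = {}
    for url in urls:
        entry = classify_embed(url, first_party_domains)
        if entry:
            report.setdefault(entry["operator"], set()).add(entry["host"])
    return {op: sorted(hosts) for op, hosts in sorted(report.items())}

# Constructed sample: script/pixel URLs found on a hypothetical example.com page.
SAMPLE_EMBEDS = [
    "https://www.example.com/app.js",
    "https://cdn.example.com/lib.js",           # subdomain pointed at a CDN: still Self
    "https://widgets.outbrain.com/outbrain.js",
    "//static.chartbeat.com/js/chartbeat.js",   # scheme-relative embed
    "https://203.0.113.7/track.js",             # IP literal instead of a hostname
    "https://[2001:db8::1]/pixel.gif",          # IPv6 literal
    "data:text/javascript,void(0)",             # no host: skipped
]
```

Calling `audit_embeds(SAMPLE_EMBEDS, ["example.com"])` groups the two example.com hosts under Self, the Outbrain and Chartbeat hosts under their registrable domains, and each IP literal under itself.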
Detecting Operators and Providers
PD Auditor detects a large number of Operators and Providers using deep technical analysis. However, the number of vendors is huge and any detection will, by definition, always miss some. Further, vendors rebrand, shut down, or get acquired, meaning that a vendor identified correctly today may be misclassified in the future.
Links to websites and privacy policies
PD Auditor uses a manually-curated list that maps Operators and Providers to their websites and privacy policies.
Some vendors have several country-specific privacy policies, and some have policies (and websites) in different languages. Although such cases are uncommon, we would try to identify the most appropriate links, such as the policy in the language of the country where the vendor is headquartered.
Country listing, and international data export
Blockmetry detects, at the time of processing, the geographical location of the IP addresses of the servers the Provider is using to process the data. This allows you to audit data export.
There are three very important points about the country detection, which we’ll explain in detail below:
- The list can be incomplete, depending on how the Provider has configured their servers.
- Sometimes the country cannot be detected.
- Sometimes the country is detected incorrectly.
Country list completeness
DNS lookups may return different results based on the perceived location of the user, routing the user to the closest datacenter so that websites load faster. For example, a content distribution network (CDN) may point a user in Germany to a datacenter in, say, France, if the France datacenter happens to be the closest to that user. The same CDN may point a user in the USA to a datacenter in the USA or Canada, as those would be closer to the user than the France datacenter.
Blockmetry does all its processing in Ireland-based datacenters, meaning that the report currently reflects what an EU-based user in Ireland would see. If you have customers elsewhere in the EU or outside the EU, they may see different results.
If completeness is important to your audits, you have two options:
- Ask the Operator for full details about the routing policy of their Providers.
- Ask us to audit your Providers as a custom analysis.
Country cannot be detected
Sometimes Blockmetry cannot detect the geographic location of an IP address. This is common with content distribution networks (CDNs); at the time of writing, Akamai exhibits this behavior. In these cases, Blockmetry reports that it found IP addresses it cannot geolocate. We recommend asking your Operator about the contracts they have with their Providers.
Incorrect country detection
No IP-to-country database is 100% accurate. Typically, databases are wrong for a tiny percentage of IP addresses (usually less than 0.5% of the time). Please keep this in mind when looking at the Blockmetry reports.
Bot filtering
Like Blockmetry Analytics, Personal Data Auditor filters out measurements detected to be coming from bots, including both bots that identify themselves and stealth bots.
Data integration options
Personal Data Auditor gives you two data integration options:
- You own and manage the data completely, as with Blockmetry Analytics.
- Blockmetry hosts the data, and you get online reporting dashboards in your Blockmetry account.
You can configure the service to do both: write data to your own database and also keep a Blockmetry-hosted copy.
Self-hosting PD Auditor data
For hosting your own database, please see these two documentation articles:
Blockmetry-hosted PD Auditor data
If you choose for Blockmetry to host your PD Auditor data:
- All data processing will be carried out in a datacenter in the EU (just like with Blockmetry Analytics).
- We will agree a data retention schedule to suit your needs.
We use Amazon Web Services for our hosting and processing infrastructure, specifically the AWS Ireland datacenter.
Signing up to Personal Data Auditor
Please see this page to sign up to PD Auditor and Analytics.
Questions and getting in touch
Please contact us here.