The article highlights the findings of a research study on Google Tag Manager (GTM) that uncovered data leaks, security vulnerabilities, arbitrary script injections, and instances of consent for data collection enabled by default. The study, conducted by researchers and legal experts, evaluated both versions of GTM, including the Client-side and the newer Server-side GTM.
The analysis revealed issues inherent to the GTM architecture, including hidden data leaks, instances of tags bypassing permission systems to inject scripts, and consent set to enabled by default without user interaction. Of particular concern was the discovery that Server-side GTM allows tags running on the server to secretly share user data with third parties, bypassing browser restrictions and security measures.
The researchers detailed their methodology, which involved setting up GTM infrastructure on a domain and conducting experiments on a live website. The results of the analysis included multiple critical findings, such as the “Pinterest Tag” collecting user data without disclosing it to the publisher, and Google Tag Manager allowing injections of third-party scripts, posing privacy and security vulnerabilities.
Additionally, the study found issues with Consent Management Platforms (CMPs) for GTM: when a CMP leaves a consent variable undefined, GTM treats that variable as accepted by the end user, even though the user has not given consent.
A legal analysis identified potential violations of data protection laws, including CMP scanners missing purposes, non-compliant mapping of CMP purposes to consent variables, and defaults that allow tags to run without consent. The findings also raised concerns about GTM’s compliance with GDPR, making it difficult for publishers to comply with data subject rights, monitor built-in consent, and configure consent on GTM Server Containers.
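The undefined-consent-variable finding above, and the non-compliant defaults the legal analysis refers to, come down to one design choice: whether a tag-firing gate treats a missing variable as "granted" or as "not granted". The following is an added example written for this summary, not code from the paper, from GTM or from any CMP; the tag names, purpose names and consent state are constructed to illustrate the two behaviours side by side and to show how a publisher could audit a container for purposes that no CMP ever sets.

```javascript
// Added example (not from the paper, GTM or any CMP): models how a tag-manager
// consent gate behaves when a consent variable is left undefined by the CMP.
// All tag names, purposes and consent values below are constructed.

// A container of tags, each declaring the consent purposes it needs before firing.
const CONTAINER_TAGS = [
  { name: 'first-party-analytics', requires: ['analytics'] },
  { name: 'retargeting-pixel',     requires: ['advertising'] },
  { name: 'social-embed',          requires: ['personalization'] },
];

// Consent state as a CMP might hand it to the tag manager. The CMP never set
// 'personalization' at all: that variable is simply absent (undefined).
const CONSENT_FROM_CMP = {
  analytics: 'granted',
  advertising: 'denied',
};

// Default-allow gate: anything not explicitly 'denied' counts as consent, so an
// undefined variable lets the tag fire. This is the failure mode described above.
function allowedDefaultAllow(consent, purpose) {
  return consent[purpose] !== 'denied';
}

// Default-deny gate: only an explicit 'granted' lets the tag fire. An undefined
// or unmapped variable blocks it, which is the behaviour a publisher wants.
function allowedDefaultDeny(consent, purpose) {
  return consent[purpose] === 'granted';
}

// Names of the tags a given gate would let fire for this consent state.
function tagsThatFire(tags, consent, gate) {
  return tags
    .filter(tag => tag.requires.every(p => gate(consent, p)))
    .map(tag => tag.name);
}

// Audit helper: every purpose some tag depends on that the CMP never set.
// These are exactly the variables a default-allow gate silently treats as consented.
function undefinedPurposes(tags, consent) {
  const missing = new Set();
  for (const tag of tags) {
    for (const p of tag.requires) {
      if (!(p in consent)) missing.add(p);
    }
  }
  return [...missing].sort();
}

// Tags that fire only because of the default, i.e. allowed by the permissive
// gate but blocked by the strict one. A non-empty list here is a consent gap.
function firesOnlyByDefault(tags, consent) {
  const strict = new Set(tagsThatFire(tags, consent, allowedDefaultDeny));
  return tagsThatFire(tags, consent, allowedDefaultAllow).filter(n => !strict.has(n));
}

console.log('default-allow fires:', tagsThatFire(CONTAINER_TAGS, CONSENT_FROM_CMP, allowedDefaultAllow));
console.log('default-deny fires: ', tagsThatFire(CONTAINER_TAGS, CONSENT_FROM_CMP, allowedDefaultDeny));
console.log('purposes never set by CMP:', undefinedPurposes(CONTAINER_TAGS, CONSENT_FROM_CMP));
console.log('tags firing only by default:', firesOnlyByDefault(CONTAINER_TAGS, CONSENT_FROM_CMP));
```

With this constructed state the social-embed tag fires under the permissive gate even though the user never consented to personalization, and is blocked under the strict gate. Running the two audit helpers against a real container's tag list and the CMP's actual output is the check a publisher would want: any purpose reported by `undefinedPurposes` has to be mapped explicitly in the CMP, and `firesOnlyByDefault` should be empty before the container goes live.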
In conclusion, the researchers criticized GTM for its security flaws and non-compliant defaults, stating that it introduces more legal issues than solutions and complicates compliance with regulations. They highlighted the challenges for regulators to monitor for compliance and emphasized the need for GTM to address these shortcomings.
The research paper “Google Tag Manager: Hidden Data Leaks and its Potential Violations under EU Data Protection Law” provides detailed insights into the findings and implications of the study.