How Venezuela May Be Using Google Analytics to Track Political Dissidents

Atlas News reached out to Google for comment, but has not received a response regarding the allegations at the time of publication. .On July 28, Venezuela's National Electoral Council declared that President Nicolas Maduro had secured victory in the country's disputed election with a 51 percent to 44 percent lead over oppositional candidate Edmundo Gonzalez. The election results were ultimately rejected by the opposition amid claims of fraud and ballot rigging..Opposition leader Maria Corina Machado, who had previously been barred from running for office by the Supreme Court earlier this year, has come out to claim that independently collected voter tallies show that Gonzalez won in a landslide with a 37 percent lead. With that, the opposition declared Gonzalez as the rightful winner..Protests against the results of the election quickly spun up within hours of Maduro declaring victory, which grew in size and intensity over the next several nights. The protests saw an intense crackdown by Venezuelan authorities and pro-Maduro Colectivos paramilitary forces as clashes across Caracas and its surrounding areas sprung up..The crackdown resulted in security forces arresting thousands of people and sending them to various prisons for detention. President Maduro announced on August 1st, during a televised address, that the country would build two prisons that would function as reeducation camps where the prisoners would conduct forced labor. While detainees have the ability to list their family members as part of the booking process to inform them of their whereabouts, they rarely do so out of fears the family members would also be arrested. However, one more option that family members and friends have to locate the detainees is the Venezuelan penitentiary website. This presents a significant threat because the Venezuelan government could monitor and target them using digital tools..Investigation into Venezuelan Prison Administration Website .A cyber investigation identified information that indicates the Venezuelan government is likely leveraging Google Analytics for surveillance purposes, which presents "significant privacy and security concerns associated with the Venezuelan government's prison administration website," http://www.ipsfa.gob[.]ve. There is "irrefutable evidence" that points to this, according to Chris Kubecka, a cybersecurity expert and freelance journalist. Her analysis uncovered "extensive data collection mechanisms on this site, including the automatic collection of Personally Identifiable Information (PII) such as names, emails, phone numbers, and addresses." The mechanisms are aided through Google Tag Manager and Google Analytics, with the data potentially being sent to external servers, "increasing the risk of interception or misuse." The evidence is that the website receives a "code 200," meaning that information was sent from the website. The transmission can be verified through the use of third-party marketing tracking and tagging software. The specific Google Analytics ID is UA-115412505-1, and the below HTML code "confirms the active use of Google Analytics.".Google Analytics' scripts allow companies or individuals to use the company's APIs to obtain information about their account and complete performance reports. While the use of scripts on Venezuelan websites is usually not a concern, the Google Analytics script on the prison administration website allows the website's administrators to track individuals who visit the site. The tracking script accomplishes this by transmitting information about the individual, such as their location, duration of visit, type of device and browser, and user's interactions with the website. The Google Tag Manager allows users to add or change the Google Analytics tracking scripts, events scripts, and other codes to their websites. The manager allows users to test them to ensure they are activated when you load a specific page or click a specific button..Analysis of the script by Kubecka indicated that geolocation data is collected, which can identify the physical location of visitors. Kubecka warned that the data can pose a significant risk to detainees' relatives or asylum seekers who visit the site and can be subject to harassment or retaliation by Venezuelan security services. Asylum seekers could inadvertently expose their locations and jeopardize their safety while human rights observers or journalists could risk compromising their missions and personal safety. Because the Venezuelan government has a documented pattern of human rights abuses, visiting the website poses a significant risk to visitors, but especially those who are or could be perceived as dissidents or activists and may be subject to surveillance and reprisal actions..The abuse is significant because Venezuelan detainees "often do not record their family members' information out of credible fear that their relatives will be arrested or worse," the researcher added. This fear is prevalent among Venezuelans, who've previously discussed with Kubecka how the threats "are real and persistent." An analysis of data from an older detainee list corroborates the individuals' accounts that detainees rarely list family information due to safety concerns. The analysis of the old list "underscores the severity of the situation and the potential for human rights abuses facilitated by the use of Google Analytics on government websites." This is more significant given that family members use the prison website as their own way to find information about their detained relatives. The Venezuelan government, however, would track their IP, location, and other data when they visit the website. Other cybersecurity researchers verified that the Venezuelan government gathered their data when they visited the website..While the evidence of the Venezuelan government's misuse of digital tools is evident, Google's Analytics checker website "has been down for an unknown amount of time." While the Google website would offer definitive verification, Kubecka independently verified the scripts' validity and active use through other analytics sites. Furthermore, she pointed out that this was not the first time that Google allowed an entity to access user data despite being sanctioned. In 2022, it was revealed that Google allowed RuTarget, a Russian company that specializes in assisting agencies and brands to buy digital ads, "to access and store data about people browsing websites and apps in Ukraine and other parts of the world." Adalytics, a digital ad analysis firm, identified approximately 700 instances of the company "receiving user data from Google after the company was added to a US Treasury list of sanctioned entities in February 2022. Google, however, stopped sharing the data with RuTarget in June after news outlet ProPublica contacted the company about the activity..Google Notified of Issue Through Email Notifications, August 3rd to 5th.Kubecka previously communicated with Google's internal threat teams to notify them about the Venezuelan government's use of Google Analytics and Google Tag Manager. She spoke with Google's Vice President of Security Engineering, Heather Adkins, via email in the first week of August to notify her of the issue so it could be handled through backchannels. Adkins did reply and said she received the email, notified the internal threats team, and asked if she could connect them with other Google employees who would help in the situation on August 3rd. The researcher sent Adkins an email on August 4th for an update regarding the issue due to "the urgency and potential legal implications involving both EU and US sanctions, as well as data protection laws.".Heather replied to Kubecka's email and included Erica Walsh, the Communications Manager for Google Ads, so she could share "some helpful points" on Google Analytics and the company's terms of service. Erica then followed up with an email to Kubecka, who provided her with three points. The first point is that Google "is committed to compliance with applicable sanctions and trade compliance laws and enforces related policies under our Terms and Service." She said that if Google discovers an account that violates Google's Terms of Service, then Google will take appropriate action. Erica then explained how Google Analytics "helps businesses understand how users engage with their websites and apps through aggregate reports that provide insights into patterns of behavior of their traffic and the performance of their online properties all without identifying individual users." The last point Erica mentioned is that Google Analytics "does not store or log IP addresses and is not able to use IP addresses or location data to identify individuals.".Kubecka stressed that she wanted to work with Google to resolve the issue because of the compliance and human rights concerns. She then pointed out that "the use of Google Analytics puts individuals, including EU residents and potentially asylum seekers, at significant risk." Kubecka then contacted the Netherlands' National Cyber Security Center (NCSC) about the issue and received an email on August 5th. The respondent thanked her for the information she provided, but said that while the potential personal information leakage is "a serious problem," she should contact the Cybersecurity and Infrastructure Security Agency (CISA) because it is better equipped with contacts in Latin America. The respondent asked Kubecka to email the center if they believed this not to be the case..Patria and Ven App Have Similar Issues .The Venezuelan government also has other methods to electronically track citizens. The Patria and Ven App (Venapp) are the most notable examples of the methods that the Venezuelan government uses to track its citizens. The government designed the apps to simplify citizens' lives by streamlining how they interact on social media, file complaints, and access government and general services. Furthermore, the government marketed the app as an educational, mapping, organizational, and social network tool to make life easier for Venezuelan residents. Authorities released a similar app called Patria for older phones or citizens with less income. Most citizens use Patria, while about 30 percent of citizens use the Ven app, which is for new phone models or iPhones..While the apps make life easier for the citizens, they also allow the Venezuelan government to track, record, and monitor individuals. The app will ask for permissions to access various functionalities when users initially install it on their phones. For example, the app will ask you to access the phone's microphones, its GPS locations, read, add, or modify its calendars and USB storage, run while it is turned on, and prevent the device from falling asleep. The government could easily track people who attended the recent anti-government protests and listen in on their conversations through these apps..The Venapp is notable because of its alleged connections to the United Socialist Party of Venezuela (PSUV). The app's connection to the PSUV is evident when comparing the app's version 2.16.8 that was released in November 2021 to its current version. The 2021 version has a completely different layout and design than its current version, specifically the incorporation of the "1×10" policy into its design. "1×10" is a political strategy developed by the PSUV to increase voting among its supporters and consists of one Chavista (party member) registering 10 voters to guarantee their attendance at party events and voting in elections..The 2021 version of the app allowed the government to automatically add PSUV events to people's phone calendars, which is evident by a message sent by a PSUV Government Party Commission member to a Local Supply and Production Committees (CLAP) WhatsApp group in February 2022. The individual asked the members to download the Venapp after receiving guidance during a meeting in the capital city of Caracas. He also told the group that Maduro would officially launch the app and that all the organization's service reports would appear there "in the coming months." Maduro likely launched the app in March 2022 at a ceremony that commemorated CLAP's sixth anniversary..Another connection that Venapp has with the PSUV is its historical sharing of IP addresses with the Honduras' Liberty and Refoundation (L&R) political party and its leader and current Honduran President Xiomara Castro's website. Both Castro and her husband, Manuel Zelaya, have close ties to the PSUV and its founder Hugo Chavez and current leader Nicolas Maduro. Before the Honduran military removed Zelaya in a 2009 coup, he had deep relations with Chavez, Maduro, and the PSUV. Zelaya met with both Chavez and Maduro in 2010 after he was ousted as president of Honduras. The app is related to the L&R party at the hosting and tracking tag levels to enable the government to identify the app's users at all hours of the day..The Panamanian Government Connection to VenApp .During an investigation into any ties that the Venezuelan government would have with VenApp, Kubecka discovered that the sole legal representative listed in the Panamanian business registry is Judith Elisa Caicedo Sanjur. However, Kubecka also discovered that Sanjur is a Panamanian government employee by finding her CV on the Panamanian employee website through a misconfiguration that left the server unsecured and allowed them to view the CV..The vulnerability allowed Kubecka to view all the CVs of all employees who worked for the Panamanian government going back several years. Kubecka emailed the NCSC to inform them of the vulnerability and the potential leak of employees' PII. In the email, she pointed out that they attempted to disclose the issue to the Computer Incident Response Team for Panama, but their website was down due to a misconfigured DNS system..Implications of Venezuelan Government's Continued Use of Scripts and Manager with Prison Administration Website and Apps .There are implications that Google is allowing the Venezuelan government to continue to use Google Analytics on its various websites and apps. Google, however, has a recent history of allowing sanctioned countries or entities to use Google Analytics and its scripts for purposes other than what they were originally intended for. The most significant implication is the potential for Google to assist in potential human rights violations by allowing the Venezuelan government to use the scripts to track and monitor individuals..Venezuelan authorities could use the information transmitted from the website to track and monitor the friends and relatives of detainees who do not know the risk of visiting the website. Authorities could cross reference the information gathered from the website with information obtained from the Patria and Venapp apps or other government websites that also have the tracking scripts. The security services would have the ability to use the information to verify individuals' details and build profiles on them for monitoring purposes. The information would also allow security forces to verify the information contained in complaints people submitted about them via Patria or the Venapp app..The verification would consist of confirming people's details gathered from both the website and the apps. Specifically, the security forces would confirm the phone model, the locations, and the websites the individuals visited using the apps. This would allow for authorities to narrow down their focus to certain individuals or areas that are associated with the recent anti-government protests. The Venezuelan security services could combine the information from the apps and websites with other datasets, including intelligence, to build a robust dossier of individuals for tracking and monitoring. Likewise, the government's recent ban of the social media apps X and WhatsApp could increase its ability to track individuals by forcing most Venezuelans to use less secure alternatives..The other implication is that Google is potentially violating sanctions by allowing the Venezuelan government to use the scripts on their prison administration website. The Ministry of Penitentiary Services is associated with officials under EU and US sanctions due to various human rights violations. Google does not view the Venezuelan government's continued use of the tracking script as potentially violating sanctions alongside human rights concerns. This is not the first time that Google has allowed a sanctioned company to use their Google Analytics scripts for anything other than their intended purpose.