Update to Investigation About Venezuela Government's use of Google Analytics to Track Dissidents

European Data Protection Authority's technical review showing Venezuelan gov is using Google Analytics and Tag Manager to locate visitors to penitentiary website as severe.

Update: Chris Kubecka filed a formal complaint with a European Data Protection Authority in August 2024 after the original English and Spanish articles were taken down from Atlas News. Over the next year, the entity assembled a technical review team to assess the Google Analytics and Tag Manager code referenced in our investigation. Chris received a phone call to explain the results after the team completed their assessment. They told Chris that the complaint has been classified as severe, with the potential for the ongoing loss of life. The agency advised escalating the matter to the Irish Data Protection Commission, since Google’s EU headquarters is based in Dublin. Through the E.U.’s Cross Border Program, the agency indicated their willingness to intervene again if Ireland failed to act. There was a clear level of frustration with Google’s response, especially after one of the individuals who had assisted with the investigation disappeared following their arrest in August 2024.

Original Article (Published in August 2024)

After the recent Venezuelan elections, the Maduro administration conducted a crackdown on people protesting the various voter discrepancies that occurred on election day. The crackdown resulted in security forces arresting several thousand people and sending them to various prisons for detention. President Maduro announced on August 1^st, during a televised address, that the country would build two prisons that would function as reeducation camps where the prisoners would conduct forced labor. While detainees have the ability to list their family members as part of a detainee list, they rarely do so out of fears they too would be arrested. However, one option that family members and friends have to locate the detainees is the Venezuelan penitentiary website. This presents a significant threat because the Venezuelan government could monitor and target them using digital tools.

Investigation into Venezuelan Prison Administration Website

The Venezuelan government is likely leveraging Google Analytics for surveillance purposes, which presents “significant privacy and security concerns associated with the Venezuelan government's prison administration website.” There is “irrefutable evidence” that points to this, according to Chris Kubecka, a cybersecurity expert and freelance journalist. Her analysis uncovered “extensive data collection mechanisms on this site, including the automatic collection of Personally Identifiable Information (PII) such as names, emails, phone numbers, and addresses.” The mechanisms are aided through Google Tag Manager and Google Analytics, with the data potentially being sent to external servers, “increasing the risk of interception or misuse.” The evidence is that the website receives a code 200, meaning that information was sent from the website. The transmission can be verified through the use of third-party marketing tracking and tagging software. The specific Google Analytics ID is UA-115412505-1, and the below HTML code “confirms the active use of Google Analytics.”

Google Analytics’ scripts allow companies or individuals to use the company’s APIs to obtain information about their account and complete performance reports. While the use of scripts on Venezuelan websites is usually not a concern, the Google Analytics script on the prison administration website allows the website’s administrators to track individuals who visit the site. The tracking script accomplishes this by transmitting information about the individual, such as their location, duration of visit, type of device and browser, and user’s interactions with the website. The Google Tag Manager allows users to add or change the Google Analytics tracking scripts, Google Analytics Events scripts, and other codes to their websites. The manager allows users to test them to ensure they are activated when you load a specific page or click a specific button.

Analysis of the script by Kubecka indicated that geolocation data is collected, which can identify the physical location of visitors. The collection of geolocation data poses a significant risk to detainees' relatives, asylum seekers, and EU or US citizens who visit the site. The government could monitor the relatives of detainees, which could lead to their harassment or retaliation by Venezuelan security services. Asylum seekers could inadvertently expose their locations and jeopardize their safety; human rights observers or journalists could risk compromising their missions and personal safety. Because the Venezuelan government has a documented pattern of human rights abuses, visiting the website poses a significant risk to visitors, but especially those who are or could be perceived as dissidents or activists. This risk is compounded because of the significantly high risk for the government to conduct surveillance and reprisal actions against individuals.

The abuse is significant because Venezuelan detainees “often do not record their family members’ information out of credible fear that their relatives will be arrested or worse.” This fear is prevalent among Venezuelans, who've previously discussed how the threats “are real and persistent.” An analysis of data from an older detainee list corroborates the individuals' accounts that detainees rarely list family information due to safety concerns. The analysis of the old list “underscores the severity of the situation and the potential for human rights abuses facilitated by the use of Google Analytics on government websites.” This is more significant given that family members use the prison website as their own way to find information about their detained relatives. The Venezuelan government, however, would track their IP, location, and other data when they visit the website. Other cybersecurity researchers verified that the Venezuelan government gathered their data when they visited the website.

While the evidence of the Venezuelan government’s misuse of digital tools is evident, Google’s Analytics checker website “has been down for an unknown amount of time.” While the Google website would offer definitive verification, the researcher independently verified the scripts' validity and active use through other analytics sites. Furthermore, they pointed out that this was not the first time that Google allowed an entity to access user data despite sanctions. In 2022, it was revealed that Google allowed RuTarget, a Russian company that specializes in assisting agencies and brands to buy digital ads, “to access and store data about people browsing websites and apps in Ukraine and other parts of the world.” Adalytics, a digital ad analysis firm, identified approximately 700 instances of the company “receiving user data from Google after the company was added to a US Treasury list of sanctioned entities in February 2022. Google, however, stopped sharing the data with RuTarget in June after news outlet ProPublica contacted the company about the activity.

Email Notifications to Google of Issue August 3^rd to 5^th

Kubecka previously communicated with Google’s internal threat teams to notify them about the Venezuelan government’s use of Google Analytics and Google Tag Manager. She spoke with Google’s Vice President of Security Engineering, Heather Adkins, via email last week to notify her of the issue so it could be handled through backchannels. Adkins did reply to the researcher to say she received the email, notified the internal threats team, and asked if she could connect them with other Google employees who would help in the situation on August 3rd. Kubecka sent Adkins an email on August 4th for an update regarding the issue due to “the urgency and potential legal implications involving both EU and US sanctions, as well as data protection laws.”

The individual stressed that they want to work with Google to resolve the issue because of the compliance and human rights concern it raises. The individual then pointed out that “the use of Google Analytics puts individuals, including EU residents and potentially asylum seekers, at significant risk.” The researcher contacted the Netherlands’ National Cyber Security Center (NCSC) about the issue but received an email on August 5th. The respondent thanked the person for the information they provided. The person, however, said that while the potential personal information leakage is “a serious problem,” they should contact the Cybersecurity and Infrastructure Security Agency (CISA) because it is better equipped with contacts in Latin America. The person asked the researcher to email the center if they believed this not to be the case.

Email chain showing replies from Heather Adkins to Chris from August 3rd to 5th.

Heather replied to the individual’s email and included Erica Walsh, the Communications Manager for Google Ads, so she could share “some helpful points” on Google Analytics and the company’s terms of service. Erica then followed up with an email to the researcher, who provided the individual with three points. The first point is that Google “is committed to compliance with applicable sanctions and trade compliance laws and enforces related policies under our Terms and Service.” She said that if Google discovers an account that violates our Terms of Service, then they will take appropriate action. Erica then explained how Google Analytics “helps businesses understand how users engage with their websites and apps through aggregate reports that provide insights into patterns of behavior of their traffic and the performance of their online properties all without identifying individual users.” The last point Erica mentioned is that Google Analytics “does not store or log IP addresses and is not able to use IP addresses or location data to identify individuals.”

August 5th, 2024 email reply from Erica Walsh about the Google Analytics tags being used on Venezuela’s Penitentiary website

Patria and Ven App Have Similar Issues

The Venezuelan government also has other methods to electronically track citizens. The Patria and Ven App (VenApp) are the most notable examples of the methods that the Venezuelan government uses to track its citizens. The government designed the apps to simplify citizens' lives by streamlining how they interact on social media, file complaints, and access government and general services. Furthermore, the government marketed the app as an educational, mapping, organizational, and social network tool to make life easier for Venezuelan residents. Authorities released a similar app called Patria for older phones or citizens with less income use. Around 70 percent of citizens use the app, while the remaining 30 percent use the Ven app. The Ven app is for citizens who have more income, newer phones, or iPhones.

Images of the November 2021 version of the VenApp to the version in August 2024.

While the apps make life easier for the citizens, they also allow the Venezuelan government to track, record, and monitor individuals. The app will ask for permissions to access various functionalities when users initially install it on their phones. For example, the app will ask you to access the phone's microphones, its GPS locations, read, add, or modify its calendars and USB storage, run while it is turned on, and prevent the device from falling asleep. The government could easily track people who attended the recent anti-government protests and listen in on their conversations.

Screenshot of VenApp persmissions requests that users would agree to when they download the app on to their cell phones.

The VenApp is notable because of its alleged connections to the United Socialist Party of Venezuela (PSUV) and some Panamanian government officials. The app’s connection to the PSUV is evident when comparing the app’s version 2.16.8 that was released in November 2021 to its current version. The 2021 version has a completely different layout and design than its current version, specifically the incorporation of the logo 1x10 into its design. The use of 1x10 is significant because the PSUV developed the political strategy to increase voting among its supporters. The 1x10 strategy consists of one Chavista (party member) registering 10 voters to guarantee their attendance at PSUV events and voting in elections.

Image showing add urging app users to register using the PSUV’s 1x10 voter strategy.

The 2021 version of the app allowed the government to actively automatically add PSUV events to people’s phone calendars so they would know when they occurred. The evidence is a message that a PSUV Government Party Commission member sent to a Local Supply and Production Committees (CLAP) WhatsApp group in February 2022. The individual asks the members to download the VenApp after receiving guidance during a meeting in the capital city of Caracas. He also told the group that Maduro would officially launch the app and that all the organization's service reports would appear there “in the coming months.” Maduro likely launched the app in March 2022 at a ceremony that commemorated CLAP’s sixth anniversary.

Hondura's’ Liberty and Refoundation Party website. The website shares similarities at he hosting and tracking tag levels that allows both governments to track visitors.

Another connection that VenApp has with the PSUV is its historical sharing of IP addresses with the Honduras’ Liberty and Refoundation (L&R) political party and its leader and current Honduran President Xiomara Castro’s website. Both Castro and her husband, Manuel Zelaya, has close ties to the PSUV and its founder Hugo Chavez and current leader Nicolas Maduro. Before the Honduran military removed Zelaya in a 2009 coup, he had deep relations with the Chavez, Maduro, and the PSUV. Zelaya met with both Chavez and Maduro in 2010 after he was ousted as president of Honduras. The app is related to the L&R party at the hosting and tracking tag levels to enable the government to track visitors at all hours of the day.

Image showing that venapp[.]com and partido[.]com websites share the same host.

The Panamanian government connection to VepApp

During an investigation into any ties that the Venezuelan government would have with VenApp, one researcher discovered that the sole legal representative listed in the Panamanian business registry is Judith Elisa Caicedo Sanjur. However, the researcher also discovered that Sanjur is a Panamanian government employee by finding her CV on the Panamanian employee website.

Judith Elisa Caicedo Sanjur’s CV found due to misconfiguration that left a server unsecured.

The individual discovered a misconfiguration that left the server unsecured and allowed them to view the CV. The vulnerability allowed the researcher to view all the CVs of all employees who worked for the Panamanian government going back several years. The researcher emailed the NCSC to inform them of the vulnerability and the potential leak of employees' PII. In the email, they pointed out that they attempted to disclose the issue to the Computer Incident Response Team for Panama, but their website was down due to a misconfigured DNS system.

Email sent to NCSC team disclosing the vulnerability found in Panamanian government server.

Implications of Venezuelan Government’s Continued Use of Scripts and Manager with Prison Administration Website and Apps

There are implications that Google is allowing the Venezuelan government to continue to use Google Analytics on its various websites and apps. Google, however, has a recent history of allowing sanctioned countries or entities to use Google Analytics and its scripts for purposes other than what they were originally intended for. The most significant implication is the potential for Google to assist in potential human rights violations by allowing the Venezuelan government to use the scripts to track and monitor individuals.

Venezuelan authorities could use the information transmitted from the website to track and monitor the friends and relatives of detainees who do not know the risk of visiting the website. Authorities could cross reference the information gathered from the website with information obtained from the Patria and VenApp apps or other government websites that also have the tracking scripts. The security services would have the ability to use the information to verify individuals' details and build profiles on them for monitoring purposes. The information would also allow security forces to verify the information contained in complaints people submitted about them via Patria or the VenApp app. The verification would consist of confirming people's details gathered from both the website and the apps. Specifically, the security forces would confirm the phone model, the locations, and the websites the individuals visited using the apps. This would allow for authorities to narrow down their focus to certain individuals or areas that are associated with the recent anti-government protests. The Venezuelan security services could combine the information from the apps and websites with other datasets, including intelligence, to build a robust dossier of individuals for tracking and monitoring.

The government’s recent ban of the social media apps X and WhatsApp will increase their ability to track individuals. Most Venezuelans would be forced to use less secure alternatives such as Telegram and WeChat, which pose a severe risk to operational security. The security services could easily intercept the data that is transmitted, which they could use for different purposes. They could use the information to build an entirely new dataset that would allow them to have access to individuals’ phone numbers and chat logs whenever possible. The information could be used to conduct link analysis to determine if the targeted individuals have any links or their level of involvement with the anti-government protests. Furthermore, the services could use the information to build dossiers on these individuals to enhance their abilities to locate other individuals of interest. The government can use the information in conjunction with others, such as the Google Analytics script and Tag Manager dataset, to refine individuals' profiles.

The other implication is that Google is potentially violating sanctions by allowing the Venezuelan government to use the scripts on their prison administration website. The Ministry of Penitentiary Services is associated with officials under EU and US sanctions due to various human rights violations. Google does not view the Venezuelan government's continued use of the tracking script as potentially violating sanctions alongside human rights concerns. This is not the first time that Google has allowed a sanctioned company to use their Google Analytics scripts for anything other than their intended purpose. In 2022, Google allowed the Russian ad buying company, RuTarget, also known as Segmento, to share and store data from people who visited apps and websites in Ukraine and other countries. This continued despite the US Department of Treasury listing the company alongside its parent company, Sberbank, on the Specially Designated Nationals list in April 2022 as part of the United States’ response to the Russian Invasion of Ukraine. Google, however, only stopped after news outlets contacted the company about RuTarget’s activity.

Recommendations

It is highly recommended for people not to visit the prison administration website due to the potential for the Venezuelan government to track them by collecting their data. Another recommendation is for Venezuelan citizens to uninstall government-backed apps such as Patria and VenApp from their phones and mobile devices due to the government's ability to track and monitor people using the programs. It is also recommended that individuals use encrypted messaging apps such as Signal or Threema to mitigate the risk of the Venezuelan security services monitoring their communications. Cybersecurity agencies such as CISA, Columbia's, or Spain’s Emergency Security Response Team should be alerted and issue public advisory warnings about the potential risks posed by visiting the prison administration website.