Privacy breaches in bank and health websites in Portugal

Technical Report
InterProlog Consulting, August 1, 2019

As one browses the web, the use of cookies and some loss of privacy are expected, in the sense that browser cookies from Facebook and other parties make our browsing known for marketing purposes. As we browse “anonymously” through several websites, cookies link us to our non-anonymous selves, such as a Facebook or Google account and its extensive profile.

But after authenticating into the website of a company that is (or should be) complying with banking, health or just vanilla GDPR regulations, and entering an HTTPS (encrypted, private) session, one would expect privacy to be respected!

Alas, that is NOT the case in Portugal. Some banks and health service companies disregard the above principles, committing blatant ethical and (likely) legal violations, and let third parties with a vested interest (Facebook, among others) know all about our “private” browsing. In exchange for what? We still don’t know, but read on:

MillenniumBCP – bank

UPDATE: as of October 2, 2019, following a complaint to the Bank of Portugal, the national regulatory authority, MillenniumBCP no longer sends HTTP requests to Facebook when the cookie consent form is answered so as to refuse them. It still does, however, send them to Google.

Upon arriving at its website, MillenniumBCP (one of the 3 largest Portuguese banks) presents a cookie consent form.

We filled it in with the default values, which disallow “re-marketing”; even so, plenty of HTTP requests to Facebook are made both before and after authentication, evidently notifying Facebook of all “private” page navigation within the customer banking interface.

For example, Facebook learns whether one navigates to the “My portfolio” (“As minhas poupanças”) or “Make a transfer” pages, thereby obtaining very precise information about private behaviour.

So Facebook knows that you have an account at MillenniumBCP, which seems to violate Portuguese and European secrecy laws.

The above evidence was collected simply with Firefox’s network monitoring tool; more is available here (a capture in HTTP Archive format, obtained with the Charles HTTP proxy).
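The check described in this section and in the paragraphs on what Facebook learns from the navigation can be automated over a HAR export. The script below is an added example, not part of the original report and not a tool of InterProlog Consulting; it walks the HAR entries in order, marks the point where the first-party login request is sent, and reports every request to a known tracker domain, together with the first-party page that request discloses (the Referer header, or the `dl` “document location” query parameter that the Facebook pixel’s `/tr/` endpoint carries). The embedded HAR is constructed for the example; `example-bank.test`, the `/login` path, the page paths and the pixel id are invented, and the tracker domain list is an assumption.

```python
"""Flag third-party tracker requests made inside an authenticated session of a HAR capture."""
import json
import sys
from urllib.parse import parse_qs, urlparse

# Third-party domains whose presence inside an authenticated session is worth flagging (assumed list).
TRACKER_DOMAINS = {"facebook.com", "facebook.net", "google-analytics.com",
                   "doubleclick.net", "byside.com"}

# Constructed HAR excerpt (NOT a real capture); host names, paths and the pixel id are invented.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.example-bank.test/", "headers": []},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://connect.facebook.net/en_US/fbevents.js",
                 "headers": [{"name": "Referer", "value": "https://www.example-bank.test/"}]},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://www.example-bank.test/login", "headers": []},
     "response": {"status": 302}},
    {"request": {"method": "GET", "url": "https://www.example-bank.test/private/as-minhas-poupancas",
                 "headers": []},
     "response": {"status": 200}},
    {"request": {"method": "GET",
                 "url": "https://www.facebook.com/tr/?id=1234567890&ev=PageView"
                        "&dl=https%3A%2F%2Fwww.example-bank.test%2Fprivate%2Fas-minhas-poupancas",
                 "headers": [{"name": "Referer",
                              "value": "https://www.example-bank.test/private/as-minhas-poupancas"}]},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://www.google-analytics.com/collect",
                 "headers": [{"name": "Referer",
                              "value": "https://www.example-bank.test/private/transferencias"}]},
     "response": {"status": 200}},
]}}


def registrable_domain(host):
    """Last two labels of a host name. Good enough for the trackers above;
    a production tool should use the Public Suffix List instead."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def request_header(entry, name):
    """Return the value of a request header (case-insensitive) or None."""
    for h in entry["request"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def leaked_page(entry):
    """Which first-party page the tracker learned about: the Facebook pixel sends it
    explicitly in the `dl` query parameter; otherwise fall back to the Referer header."""
    query = parse_qs(urlparse(entry["request"]["url"]).query)
    if "dl" in query:
        return query["dl"][0]          # parse_qs already percent-decodes the URL
    return request_header(entry, "Referer")


def third_party_leaks(har, first_party, login_path):
    """Walk the capture in order and list tracker requests, tagged as before/after login."""
    authenticated = False
    leaks = []
    for entry in har["log"]["entries"]:
        parsed = urlparse(entry["request"]["url"])
        host = parsed.hostname or ""
        if host.endswith(first_party):
            # The login POST marks the start of the "private" session.
            if parsed.path == login_path and entry["request"]["method"] == "POST":
                authenticated = True
            continue                   # other first-party traffic is not a leak
        if registrable_domain(host) in TRACKER_DOMAINS:
            leaks.append({"tracker": host,
                          "phase": "after_login" if authenticated else "before_login",
                          "page": leaked_page(entry)})
    return leaks


def load_har(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python har_leaks.py capture.har first-party.domain /login-path
    if len(sys.argv) == 4:
        har, first_party, login_path = load_har(sys.argv[1]), sys.argv[2], sys.argv[3]
    else:
        har, first_party, login_path = SAMPLE_HAR, "example-bank.test", "/login"
    for leak in third_party_leaks(har, first_party, login_path):
        print(f"{leak['phase']:13} {leak['tracker']:30} page disclosed: {leak['page']}")
```

Export the HAR from Firefox’s Network panel (or from Charles) after completing the login, then run the script against the first-party domain and the login path. Any `after_login` row is a page of the authenticated session disclosed to a third party. Note that a `Referrer-Policy` such as `strict-origin-when-cross-origin` would trim the Referer header to the origin but does nothing about the `dl` parameter, which the pixel script fills in itself; the only fix is not loading the tracker on authenticated pages.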

Santander – bank

Santander is another of the 3 largest Portuguese banks. In addition to Facebook, Santander’s “private” customer banking website also emits extensive HTTP messages to Google Analytics and byside.com.

So Facebook knows that you have an account in Santander, which seems to violate Portuguese and European secrecy laws.

Other banks

BPI and CGD, two of the other largest Portuguese banks, do NOT engage in such practices, as far as we could detect.

MyCUF – health services

CUF (Melo Group) is one of the largest private Portuguese companies in the health sector. Its “private” customer website notifies Facebook of all navigation within it.

So Facebook knows that you have an account with CUF, and very likely are a patient; we have not investigated whether navigation to past appointments, exams, etc. is detectable by Facebook.

Conclusion

A superficial assessment suggests that

  • Management of the above entities is not sensitive to privacy issues, and is squeezing customers’ value beyond what is reasonable
  • The underlying technical staff is unaware of the consequences of its actions

Major ethics deficit all around. To be continued…
