From Bytes to Booth: Exploring Privacy Concerns in Voting Advice Applications

The digital world has an important role in today’s society, also when it comes to politics. People can participate in politics and access information in completely new ways. Political campaigns have also evolved due to digitalization, and voters can now reach candidates and parties on the web. Information about candidates is now available for voter through many different web services, which makes more informed decisions in elections possible. Voting advice applications and political party websites are examples of such resources.

Since voting advice applications (VAAs) were adopted in Europe in the early 2000s, the have become increasingly popular [14]. The idea of these applications is the ask users questions about important topics in politics and match them with candidates who have previously given similar answers. This makes it easier for a voter to decide on a suitable candidate and compare their own opinions to the candidate’s views. Therefore, the VAAs aim to expedite the objective analysis of political positions and deliberate decision-making.

VAAs have continuously become more popular in many European countries. In Finland, for instance, nearly half of voters reportedly use VAAs during election season [19]. Modern websites regularly use third-party services in order to track user’s behavior and improve user experience. While users benefit from this in many ways, it also often causes serious privacy concerns [16, 23, 24]. The challenge here is that personal data may be sent to third parties without website maintainers realizing, which is a threat to confidentiality and privacy. This means that for VAAs specifically, there is a risk of sharing sensitive personal data on users’ political opinions.

Privacy can be considered as an important condition for democracy [7]. Democracy needs citizens with critical thinking, willingness to consider diverse viewpoints, and courage to stand up for their beliefs. Privacy is required to build these qualities, because it supports the development of informed and empowered citizens who create a healthy democracy. It is also worth noting the GDPR prohibits the processing of sensitive personal data – including political opinions – without explicit consent, unless there is a legal basis for processing it.

The existing research on VAAs primarily focuses on their impact and algorithms. There is not much research on online privacy considerations, a gap this paper aims to fill. We present a network traffic analysis of 8 Finnish VAAs, first during the 2023 parliamentary election, and then during the 2024 presidential election. The goal is to study whether sensitive political opinions leak to third parties. Our findings reveal that VAAs had significant privacy leaks in 2023, but the situation has improved in 2024 after the maintainers of the VAAs were informed of our findings. The current study is a continuation to our earlier study on VAAs in 2023 [10]. It gives insights into the positive influence of public discourse and media coverage on the privacy of VAAs.

The subsequent sections of this paper detail the selection and analysis of the studied applications, present our findings on data leaks in VAAs, discuss implications from political and technical perspectives, and conclude the study.

On modern websites, it is commonplace that website users’ personal data is sent to these third parties integrated in the website, such as web analytics [1]. Time and time again, this has been demonstrated to be the case even in many web services and public sector websites that are essential in nature and handle sensitive data [17, 20]. Privacy of VAAs [10] is only one example of such critical topic areas.

Most of the studies published on VAAs seem to revolve around the impact, algorithms, and design of these applications [2, 8, 13, 15, 18, 22]. While this subject is important, it seems that the privacy concerns associated with VAAs are largely neglected from this field of research. In their study, Kaskina et al. [12] propose a privacy framework used to protect the information on users’ political affiliations from other users of VAAs. However, in their study a VAA is considered as a social platform where users can discuss political matters with each other.

Therefore, these studies are very different from our topic of analyzing and preventing leaks of sensitive political data to third parties such as web analytics providers. We specifically address the privacy challenges of VAAs from a software engineering point of view. The current study addresses the research gap concerning privacy issues caused by third-party analytics in VAAs and by using network traffic analysis, reveals leaks of sensitive data concerning political opinions in these applications.

The current study examines the privacy of 8 widely-used Finnish VAAs. In Finland, almost all VAAs are provided by media outlets. We have selected VAAs offered by major media outlets in Finland and those with high rankings in Google search results. Also, only VAAs available both in parliamentary election in 2023 and presidential election in 2024 are included in the current study. The providers of VAAs are anonymously outlined in Table 1. Our aim was not to encompass all Finnish VAAs. Rather, we want to highlight the privacy risks associated with third-party services with a smaller representative snapshot of popular VAAs.

In our experiment, we tested the selected VAAs manually. This involved selecting an electoral district or municipality, answering the application’s questionnaire, and finally viewing the recommended candidate’s page. In this experiment, all cookies were accepted. Network traffic was recorded using Google Chrome’s Developer Tools with caching disabled. We filtered network requests to only cover traffic to third parties. The recorded data was saved for further examination. In analyzing the collected data, we focused on third-party web requests’ payloads. We read the payloads carefully to see whether they contained potential political opinions, for example in leaked URLs.

We also examined the privacy policies of the websites hosting the studied VAAs. If an application had its own privacy policy, that document was analyzed. We identified any indications of sharing data concerning political opinions with third parties. We also looked into whether the privacy policies clearly specified the third parties who, based on our earlier analysis of network traffic, were shown to be recipients of potentially sensitive personal data from the website.

While the VAAs were not found to leak the user’s answers to the political questions, VAAs often leaked the candidates the user displayed after getting the list of best fitting candidates at the end of the questionnaire. When the user clicks on a candidate on this list, a new web page inside the VAA is usually opened, and this page’s URL address leaks to third parties through analytics services. In many cases, these kinds of URL leaks may reveal the top candidates the VAA is recommending to the user. Consequently, information on the user’s political opinions can be leaked.

Figure 1 illustrates this situation. After answering questions in VAA, the user gets the best fitting candidates as results. From here, candidate pages can be opened, but at the same time, a third-party analytics script on the page leaks the data on the candidate and the user’s identity (e.g. IP address) to the third party. After this, there is a possibility that the sensitive personal data is given or sold to some fourth party, or disclosed in a data breach.

Table 2 shows the URL leaks found in the studied VAAs in spring 2023 and spring 2024. We can see that in spring 2023, 6 out of 8 studied VAAs leaked the URLs of opened candidate pages. What is more, the 6 VAAs each had at least two third-party services that collected candidate URLs. VAA7 leaked this information to 6 different third-party services.

Not surprisingly, Google Analytics was the most common third-party service with 4 instances in our experiments in spring 2023. This means that half of the studied websites had Google receiving information about accessed candidate pages. UserReport (a user feedback tool) and Giosg (a live chat service) had 3 instances. While these are not necessarily data-gathering analytics services per se, they are still third parties receiving potentially sensitive data. Meta Pixel (a tracking pixel used for advertising and analytics) and ChartBeat (an analytics tool to improve audience engagement) both had 2 instances.

Other miscellaneous third-party services only appeared once, all in VAA7. These services included Rubiconproject (an advertising exchange platform), AppNexus (an advertising technology company) Adform (a digital advertising platform), Smartadserver (an ad serving platform), and OneTag (a tag management and analytics platform).

The situation is noticeably better in 2024. The number of total data leaks in the 8 VAAs has gone down from 19 to 5, when we count a leaking candidate page URL once for each receiving third party (for example, Google often receives the same URL in several HTTP requests). This means that between spring 2023 and spring 2024, there was a decrease in the average number of URL leaks per VAA, dropping from 2.38 to 0.63.

Most media outlets providing the studied VAAs have either completely removed all third parties (VAA2, VAA3, VAA4) or the number of third-parties has been toned down (VAA5, VAA6, VAA7). VAA1 is a peculiar exception to this rule, as the maintainers have added two third-parties since spring 2023. VAA8, on the other hand, is the only studied VAA that had no leaks in either of our analyses. Curiously, VAA7 does not contain any of the 6 third parties it had before, but has now added one completely new third-party service (New Relic, an application performance monitoring platform).

What is very noteworthy is that Google and Meta are absent in 2024 with the exception of VAA5, where Google Analytics still persists as the only third party. The exclusion of Google and Meta’s services from VAAs is important, considering the capability of these technology giants to link identifiable personal data (e.g. IP addresses) to the names of individual users. This omission can be seen as a positive step towards protecting user privacy in VAAs. When a user uses the same device to log into services run by Google or Meta, as well as to use a VAA, for example, their real name can often be discerned based on their account name, potentially linking them to sensitive political data.

In general, the privacy improvements of VAAs also illustrate the positive impact and constructive influence that public attention and media coverage can have on data protection of online services. Our initial findings on several data leaks in Finnish VAAs received media attention in Suomen Kuvalehti¹, a weekly Finnish news magazine, in summer 2023. The data leaks were also reported by several other new outlets, and a Member of Parliament of Finland demanded an improvement to the data protection in VAAs, noting that "information regarding democratic participation must be protected in all circumstances."²

Lastly, we also inspected the privacy policy documents of the studied VAAs to see how they justify the use of third-party tools that collect information on visited URLs. The privacy policies mentioned reasons such as measuring performance and website functionality, tracking browser sessions and site navigation, and gathering data and insights about the behavior. Although these may be valid reasons for data collection on many websites, it is hard to see why this should also be done inside a VAA. If this really is necessary, at least the collected URLs should be anonymized so that they cannot be connected to candidates, or analytics tools storing data locally should be employed. It is clear that even if data collection needs to be carried out, data that links a certain candidate or political party to a specific user should never be sent to external data collectors. None of the studied privacy policies directly mentioned that data on the displayed candidates leaks to third parties. The users were not adequately informed of the data collection taking place.

Many of the studied VAAs were found to leak their results, i.e. the information on candidates that the user had been displayed by the application based on their answers, to third parties. Consequently, this can be argued to compromise the privacy of users’ political opinions. The definition of "political opinion" in the GDPR is unfortunately vague. It is not clear if it refers to a political ideology (e.g. liberal, conservative), partisanship, or even more specific stances on various policies (such as economical or environmental matters) [3]. However, it is still quite clear that leaking the candidates a user has displayed in a VAA to third parties cannot be a good idea.

Privacy and secrecy of political opinions and affiliations is a fundamental principle in the currently prevailing representative democracies, and is often enforced by the letter of law. Reasons for this are based on historical examples of what could happen when the privacy of political opinions is breached. For instance, if the supporters of political opposition can be identified and based on data leaks, they may be persecuted by those in power [4]. While such oppressive actions may feel distant in the modern day, it should be remembered that they were quite common even in the western world just one human lifetime ago, and are still happening in less democratic parts of the world. If voters feel that their political opinions are no longer private, they may be pressured to not express their beliefs in elections either. This can distort the election outcome and have grave and adverse effects on democracy.

If the scenarios considered above seem unlikely dystopian, as they hopefully should, one should remember that the potential for political oppression is hardly the only concern when evaluating the consequences of these leakages. Different types of political data leaked by the VAAs, including ideology and party affiliation, can be used in politically profiling the user. In the past decade, an analytics company named Cambridge Analytica harvested psychological profiles and personal data from millions of Facebook users without their consent and used the collected information for targeted political advertising in the USA presidential campaigns of 2016. [6, 11, 21] In the light of this scandal, and research that has shown how this kind of political profiling in general is increasing [3, 5], indicating the privacy of VAAs is important in order to mitigate this kind of political microtargeting online. The leaking of political opinions by these applications can lead to political profiling, and subsequently to voter manipulation, which has the potential to jeopardize the fairness and freedom of elections.

Based on our findings, it appears that many actors among the media corporations make no distinction to treat VAAs separately from their main websites, which reflects on the use of web analytics as well. While the case for the necessity of the web analytics can be argued for on some parts of media websites, the sensitivity of data concerning political opinions should not be overlooked by including these third-party analytics services in the subpages of VAAs as well. This lack of attention to the specific political context of the VAAs can be seen as one of the contributing factors to the unintentional leaks of sensitive data.

To help protect against these kinds of breaches of the user privacy, we strongly recommend the web application developers and the maintainers of these services to adopt certain practices which should mitigate this phenomenon. First, all third-party web analytics tools should be reviewed and their use should be justified. Moreover, a thorough network traffic analysis should be conducted in order to study whether they leak the user data to third parties, similar to what we have done in this research. Since this kind of traffic analysis requires neither special expertise nor large temporal investment, there are hardly any good reasons to not undertake it. Secondly, analytics services that are found to leak data should be removed, and if it is decreed absolutely necessary to use analytics tools in the first place, solutions that are possible to deploy locally should be favored, as this mitigates the risk of the data falling into wrong hands [9]. Ultimately, serious consideration should be given to the reasons for deploying any kinds of web analytics tools in the first place within VAAs because of the sensitive nature of these applications.

Our study also discovered deficiencies in the privacy policies presented by the VAA providers – specifically when it came to the clarity and transparency of these documents. As noted previously, the need for privacy is much more stringent in the case of VAAs than in the media websites in general. This is also why the website maintainers and data protection officers should consider composing separate privacy policies for these applications. These documents should be transparent and comprehensible enough to adequately inform the users of any data collections activity taking place. Due to the political nature of these applications, there is a greater need to provide justifications and disclosure of this kind of data processing.

On the brighter side, our results highlight the positive impact public discourse and media attention has had on the overall privacy situation of the studied VAAs. On a less positive note, it is discouraging to witness the continued use of certain leaky web analytics tools still in some of the VAAs, such as Google Analytics and New Relic even after all of the public attention and discourse. At this point all of the VAAs’ providers must be cognizant of the potential threats to the user privacy these analytics services pose, and thus their continued usage can not be justified by claiming ignorance of this issue. Therefore, all the remaining VAA providers with leaks in their applications should carefully fix the privacy issues.

We have presented an overview of data leaks in Finnish VAAs, and explored how their privacy improved after the initial leaks were made public. While the dataset does not cover all Finnish VAAs, the finding that several studied applications leaked sensitive political and some even continued to do so after the leaks were made public is concerning. Our findings serve as a reminder to service providers and software developers for keeping the users’ personal data safe and informing users appropriately of the data processing practices and the third parties receiving data. In web applications that deal with sensitive political data, it is challenging to find legitimate reasons for using third-party web analytics at all. In future, a further comparison between VAAs in Finland and other countries should also be conducted in order to get a better understanding of how privacy situation varies in different regions.

This research has been funded by Academy of Finland project 327397, IDA – Intimacy in Data-Driven Culture.