The UWV's illegal data collection practices went further than we were initially led to believe. The benefits agency placed cookies that tracked job seekers on their devices for up to six months, even when they were not logged in. The House of Representatives and privacy experts are reacting with shock at the new revelations. So writes NOS, which further investigated the original investigation.
Uitvoeringsinstituut Werknemersverzekeringen (UWV) came under fire earlier this month for illegally collecting data on benefit recipients for years. Among other things, the agency collected IP addresses. This data tells where someone is located, and thus whether someone is in the Netherlands or abroad. In principle, job seekers receiving benefits are not allowed to go abroad during their job hunt unless they have permission from the UWV.
In addition, the benefit agency secretly placed cookies on the devices of benefit recipients to track them online. This data was then linked to their IP addresses. In this way, the UWV knew exactly when someone was where and what they were doing on the Internet. This happened both to job seekers who were logged in and to benefit recipients who were not logged in to uwv.nl and werk.nl.
In a response, the UWV acknowledged that mistakes had been made. "UWV is a public service provider and we set high standards for our role. In the case of our enforcement task, this means that careful handling is very important. We find it extremely annoying that we failed to do so in this case. During this process, all signals have always been green. With the knowledge of today, however, it appears that we still made a mistake."
The UWV went even further than expected in its monitoring duties, according to NIS investigation. The benefits agency suggested that it only placed "session cookies" to monitor job seekers. These are cookies that track a person's behavior during a session. Once someone logs out, information is no longer collected.
Now it turns out that one of the cookies used lasted for six months. This made it possible to track people over an extended period of time, even if they were not logged into one of the UWV's websites. Once logged in, data that was six months old could be linked.
Whether the UWV kept the data it collected with this for longer, the agency would not say. "There are cookies with a short lifespan and others have a long lifespan. That depends entirely on the purpose of the cookie," the UWV informs.
MP Hind Dekker-Abdulaziz (D66) says she is shocked by this picture. "This seems completely disproportionate and goes completely against privacy laws," she told NOS. Together with Stephan van Baarle (DENK) and Sjoerd Warmerdam (D66), Dekker asked written questions about the events on Tuesday. Among other things, the MPs wonder why they were not informed the discontinuation of the system.
Nadia Benaissa, policy advisor at advocacy organization Bits of Freedom, says the UWV's modus operandi reminds her of the Wild West. "That they unabashedly deploy these cookies for such a long period of time indicates, as far as we are concerned, that the UWV cared little about privacy laws."
Lawyer Anton Ekker tells NOS that the UWV is guilty of "covert surveillance. "The longer you keep an eye on someone, the more serious the breach, so this is even worse than thought."
The UWV quietly turned off the tracking system early this year after criticism from the state attorney general.
The Autoriteit Persoonsgegevens previously called the UWV's methods "worrisome. It said there was no legal basis for secretly tracking all job seekers. In doing so, the risk model violated the privacy of job seekers. The Autoriteit Persoonsgegevens therefore wants clarification from the benefits agency on how the algorithm of the fraud detection model works.
A spokesman confirmed to NIS that a date has now been set for this conversation.
