What happens when a state institution that already harmed citizens through data misuse appears to collect, route, and retain behavioural data from those same citizens again?
Summary
A report by Hackedemia alleges that the Dutch Tax Administration's recovery website, "herstel.toeslagen.nl," for victims of the childcare benefits scandal, transmits sensitive user data to Adobe in the United States. This includes page visits, search queries, chatbot inputs, and feedback text, routed via CNAME cloaking to appear as first-party traffic. The report, verified through HAR captures, DNS checks, and JavaScript analysis, claims persistent Adobe Experience Cloud IDs are used for up to two years, enabling behavioral profiling. This practice is particularly concerning given the site's purpose to rebuild trust with financially vulnerable and traumatized citizens previously harmed by the state's data misuse, and contradicts a December 2023 statement by the Belastingdienst about disabling Adobe cookie functionality.
Key takeaway
For CTOs and public sector executives overseeing digital services, this report highlights the critical need for absolute transparency and data minimization on sensitive government platforms. You must rigorously audit all third-party tracking, especially for vulnerable populations, and ensure your public statements align with actual technical implementations. Prioritize rebuilding trust through verifiable data restraint, publishing comprehensive DPIAs, and providing clear, auditable data governance for all citizen-facing systems.
Key insights
Institutional data misuse can recur through opaque tracking, undermining trust in state recovery efforts.
Principles
- Trust repair demands data restraint and transparency.
- Public-sector data ethics requires necessity and proportionality.
- Challenge the full data supply chain, not just AI outputs.
Method
The report's verification method involved HAR captures, DNS checks, JavaScript analysis, and a scanner to distinguish hard evidence from circumstantial evidence and interpretation regarding tracking infrastructure.
In practice
- Preserve interaction evidence when challenging automated systems.
- Request your data, including scores and logs, from automated systems.
- Escalate collective harm to regulators or civil-society groups.
Topics
- Dutch Tax Administration
- Childcare Benefits Scandal
- Behavioral Data Tracking
- Adobe Experience Cloud
- CNAME Cloaking
Best for: CTO, Executive, VP of Engineering/Data, AI Ethicist, Policy Maker, Legal Professional
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Pascal’s Substack.