What happens when a state institution that already harmed citizens through data misuse appears to collect, route, and retain behavioural data from those same citizens again?

· Source: Pascal’s Substack · Field: Government & Public Sector — Public Policy & Governance, Regulatory & Compliance, Artificial Intelligence & Machine Learning · Depth: Intermediate, long

Summary

A report by Hackedemia alleges that the Dutch Tax Administration's recovery website, "herstel.toeslagen.nl," for victims of the childcare benefits scandal, transmits sensitive user data to Adobe in the United States. This includes page visits, search queries, chatbot inputs, and feedback text, routed via CNAME cloaking to appear as first-party traffic. The report, verified through HAR captures, DNS checks, and JavaScript analysis, claims persistent Adobe Experience Cloud IDs are used for up to two years, enabling behavioral profiling. This practice is particularly concerning given the site's purpose to rebuild trust with financially vulnerable and traumatized citizens previously harmed by the state's data misuse, and contradicts a December 2023 statement by the Belastingdienst about disabling Adobe cookie functionality.

Key takeaway

For CTOs and public sector executives overseeing digital services, this report highlights the critical need for absolute transparency and data minimization on sensitive government platforms. You must rigorously audit all third-party tracking, especially for vulnerable populations, and ensure your public statements align with actual technical implementations. Prioritize rebuilding trust through verifiable data restraint, publishing comprehensive DPIAs, and providing clear, auditable data governance for all citizen-facing systems.

Key insights

Institutional data misuse can recur through opaque tracking, undermining trust in state recovery efforts.

Principles

Method

The report's verification method involved HAR captures, DNS checks, JavaScript analysis, and a scanner to distinguish hard evidence from circumstantial evidence and interpretation regarding tracking infrastructure.

In practice

Topics

Best for: CTO, Executive, VP of Engineering/Data, AI Ethicist, Policy Maker, Legal Professional

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Pascal’s Substack.