Skip to content

the-markup/investigation-covered-california-linkedin-tracker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

How we found Covered California sending sensitive data to LinkedIn

This repo contains data for our story "How California sent residents’ personal health data to LinkedIn".

Methodology

The Markup and CalMatters used The Markup's Blacklight tool to scan more than 200 California state and county government websites that offer services for immigrants lacking permanent legal status. We were looking for sites that shared personally identifying information through ad trackers and third-party cookies. The scan revealed that Covered California, the state's health insurance marketplace, had 20 times the average number of ad trackers on the sites we scanned, and 50 times the average number of third-party cookies.

We took a closer look, navigating the site as we watched activity in the browser's network panel. As we filled forms on the site, we noticed that every click on a form element initiated a network request to https://px.ads.linkedin.com/wa/, an address associated with LinkedIn's Insight Tag. Included in the request was a domAttributes parameter, which contained information about the element on the page that we'd clicked, including its full text. This information was sent to LinkedIn each time a form element was clicked, before the form was submitted.

Data

Below is a catalog of the data gathered while investigating this story.

Blacklight scan results

These Blacklight scans demonstrate the state of tracking on the Covered California website when we started investigating it, and how it changed in the weeks afterwards.

  • February 25, 2025 - A Blacklight scan showing 63 ad trackers, 121 third-party cookies, and the Meta Pixel.
  • April 4, 2025 - A Blacklight scan showing 6 ad trackers, 4 third-party cookies, and the Meta Pixel.
  • April 21, 2025 - A Blacklight scan showing 3 ad trackers.

HAR files

As we investigated the site, we saved HAR files, which document network activity. HAR files can be read in many modern browsers and with the HAR Analyzer tool.

The network traffic captured in these HAR files was generated as a Markup reporter investigated the site, entering made-up data about people that don't exist. Personally identifying information has been redacted from the HAR files. Any unredacted information that appears to be personally identifying (e.g. names, birth dates, marital status, ethnicity, race, gender) is not real.

Each HAR file is accompanied by a directory of screenshots highlighting significant events, many are linked below. Screenshots are listed in the order they occurred for that particular browsing session; bold text indicates types or values of information appearing for the first time.

Shows the following information being sent to LinkedIn:

Shows the following information being sent to LinkedIn:

Shows the following information being sent to LinkedIn:

Shows the following information being sent to LinkedIn:

Shows the following information being sent to LinkedIn:

Shows the following information being sent to LinkedIn:

Screenshots

Screenshots of the coveredca.com pages showing form elements that generated the network traffic captured in the HAR files. These screenshots were not taken at the same time that the network logs were captured.

About

Data for The Markup and CalMatters story "How California sent residents’ personal health data to LinkedIn"

Resources

License

Stars

2 stars

Watchers

4 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages