Nytimes.com, the website of The New York Times, uses an embedded third party to report the private IP address of each visitor, it has been discovered.
This is done through the use of web real-time communication (WebRTC), an online tool that supports browser-to-browser applications for voice calling, video chat and P2P file sharing.
Websites that support WebRTC can use a feature that allows them to read the private IP address of users without being stopped by ad blocking programs and privacy plugins.
— Mike O'Neill (@incloud) July 10, 2015
This is thought to be an attempt at tracking users more effectively to better serve advertising campaigns, and something many readers are likely to consider a breach of their privacy.
Measuring online readership through public IP addresses can present lower figures because users within a shared network, like at a university or company, may have the same one assigned to them.
In other words, multiple people may have viewed an article but the website’s analytics tool only records them as one user.
Private IP addresses, on the other hand, can identify individual devices within a private network – although this can also give a false impression of readership because someone may access the website through multiple devices.
These IP addresses are supposed to be kept hidden and private so that computers outside the network can’t communicate with the devices.
The use of this feature in WebRTC essentially represents a vulnerability for visitors to such websites, although there is no evidence that the New York Times is utilising the access maliciously.
However, acquiring private IP addresses without user consent is a breach of EU law, which states: “The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.”
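To check what a browser's WebRTC stack exposes in the way described above, the following added example (not from the original article or from any site it names) classifies ICE candidate lines, the address records WebRTC produces while setting up a connection, and flags those that carry a private IPv4 address. The sample candidates are constructed, the function names are hypothetical, and the `.local` case is the mDNS hostname a browser can substitute for the local address; IPv6 is not evaluated.

```javascript
// Classify WebRTC ICE candidate lines by the kind of address they expose.
// Field layout (RFC 8839): candidate:<foundation> <component> <transport>
//   <priority> <address> <port> typ <type> [raddr <addr> rport <port>] ...

function isPrivateIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return false;
  // RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

function classifyCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") {
    return { exposure: "unparsed" };
  }
  const address = f[4];
  const type = f[7];
  // Reflexive and relay candidates may repeat the local address in raddr.
  const r = f.indexOf("raddr");
  const related = r !== -1 && r + 1 < f.length ? f[r + 1] : null;
  let exposure = "none-detected";
  if (address.toLowerCase().endsWith(".local")) exposure = "mdns-obfuscated";
  if (isPrivateIPv4(address) || (related !== null && isPrivateIPv4(related))) {
    exposure = "private-ipv4";
  }
  return { type, address, related, exposure };
}

// Return only the candidates that reveal a private IPv4 address.
function auditCandidates(lines) {
  return lines.map(classifyCandidate).filter((c) => c.exposure === "private-ipv4");
}

// Constructed sample input (documentation and private ranges, not real captures).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "candidate:2 1 udp 2122260223 6f0c1d2e-8a4b-4c3d-9e5f-0a1b2c3d4e5f.local 54322 typ host",
  "a=candidate:3 1 udp 1686052607 203.0.113.7 46154 typ srflx raddr 10.0.0.5 rport 46154",
  "candidate:4 1 udp 1686052607 203.0.113.7 46155 typ srflx raddr 0.0.0.0 rport 0",
];

for (const c of auditCandidates(SAMPLE)) {
  const leaked = isPrivateIPv4(c.address) ? c.address : c.related;
  console.log(`${c.type} candidate exposes private address ${leaked}`);
}
```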