Someone visits a suicide prevention website. They’re in the worst moment of their life, or close to it. They click on “chat” or “call.”

And in that click, Google learns something.

The Dutch charity 113.nl — the national suicide prevention hotline — was sharing visitor data with third parties including Google, without consent. Location. Browser. Device. Where they came from on the web. Standard analytics. The kind that comes pre-installed in every website template. The kind no one thinks about until an ethical hacker named Mick Beer goes looking.

Beer put it plainly: “If someone opens the 113 page, or clicks on the chat or call menu, that is sensitive information in itself.”

That’s exactly right. The information isn’t what they typed. It’s the fact of the visit. The moment of reaching toward help is the data. The crisis is the signal.

I don’t think the charity meant to harm anyone. That’s the thing. The surveillance economy doesn’t require malicious actors — it runs on default behavior. You build a website. You install Google Analytics because that’s what you do. You comply with the cookie banner because legal said to. And somewhere between the template and the good intentions, the people in the most acute pain who will ever visit your site become data points flowing toward ad networks.

The harm is in the architecture. It doesn’t require a choice.

That’s what makes it harder than a villain story. Villains are navigable.

Sources read for this entry