Website Evidence Collection
https://tpomap.com
During the browsing, the tool gathers evidence and runs a number of checks. It takes screenshots from the browser to
identify potential cookie banners. It tests the use of HTTPS/SSL to check whether the website enforces an HTTPS
connection. Then, the evidence collection tool scans the first web page for links to common social media and collaboration
platforms for statistics on the overall use of potentially privacy-intrusive third-party web services.
A subsequent section analyses the browser's persistent storage and the recorded traffic between the browser and both
the target web service and the third-party web services involved.
Webpage Visit
On 1/31/2023, 6:01:19 PM, the evidence collection tool navigated the browser to https://tpomap.com. The final location
after potential redirects was https://tpomap.com/. The evidence collection tool took two screenshots to cover the top of
the webpage and the bottom.
Use of HTTPS/SSL
The evidence collection tool assessed the redirecting behaviour of tpomap.com with respect to the use of HTTPS.
https://tpomap.com/
HTTP redirect location
Common social media and collaboration platforms linked from https://tpomap.com/ have been considered.
The evidence collection tool simulates a browsing session of the web service to analyse hereafter the recorded traffic
between the browser and the Internet as well as the persistent data stored in the browser. First, the browser visited
https://tpomap.com/. The evidence collection took no other web page(s) into account. Generally, predefined pages and a
random subset of all first-party link targets (URLs) from the initial web page https://tpomap.com/ are considered. The
exhaustive list of browsed web pages is given in the Annex.
The web page(s) were browsed consecutively between 1/31/2023, 6:01:19 PM and 1/31/2023, 6:01:28 PM.
During the browsing, the HTTP Header Do Not Track was not set.
For the subsequent analysis, the following hosts (with their path) were defined as first-party:
1. tpomap.com
Traffic Analysis
In the case of a visit of a very simple web page with a given URL, the browser sends a request to the web server configured
for the domain specified in the URL. The web server, also called host, sends then a response in the form of e.g. an HTML
file that the browser downloads and displays. Most web pages nowadays are more complex and require the browser to
send further requests to the same host (first-party) or even different hosts (potentially third-party) to download e.g.
images, videos and fonts and to embed e.g. maps, tweets and comments. Please find more information about hosts and
the distinction between first-party and third-party in the glossary in the Annex.
The evidence collection tool extracted lists of distinct first-party and third-party hosts from the browser requests
recorded as part of the traffic. Note that if a specific path is configured to be first-party, then requests to other paths may
lead to the first-party host also being listed amongst the third-party hosts.
A number of techniques allow hosts to track browsing behaviour. The first-party host may instruct the browser to send
requests for the (sole) purpose of providing information embedded in the request (e.g. cookies) to a given first-party or
third-party host. Often, those requests are then answered with an empty file or with an image of size 1x1 pixel. Such files
requested for the purpose of tracking are commonly called web beacons.
The evidence collection tool compares all requests to signature lists compiled to detect potential web beacons or
otherwise problematic content. The positive matches with the lists EasyPrivacy (easyprivacy.txt) and Fanboy's
Annoyance (fanboy-annoyance.txt) from https://easylist.to are presented in the Annex. The list of web beacon hosts
contains hosts of those requests that match the signature list EasyPrivacy. Note that the result may include false positives
and may be incomplete due to inaccurate, outdated or incomplete signature lists.
Finally, the evidence collection tool logged all identified web forms that potentially transmit web form data using an
unencrypted connection.
First-Party Hosts
1. tpomap.com
Third-Party Hosts
1. app.usercentrics.eu
2. cdnjs.cloudflare.com
3. unpkg.com
4. api.usercentrics.eu
5. graphql.usercentrics.eu
6. consent-api.service.consent.usercentrics.eu
7. uct.service.usercentrics.eu
1. tpomap.com
Potential first-party web beacons were sent to 1 distinct host. Corresponding HTTP requests for first- and third-parties
are listed in the Annex.
1. app.usercentrics.eu
Potential third-party web beacons were sent to 1 distinct host. Corresponding HTTP requests for first- and third-parties
are listed in the Annex.
Local Storage
1 tpomap.com uc_settings
{
  "controllerId": "92d687b2ddaf681fcac399861ccbe73fee8e7c136556
  "id": "ag6T7OgIc",
  "language": "en",
  "services": [
    {
      "history": [
        {
          "action": "onInitialPageLoad",
          "language": "en",
          "status": true,
          "timestamp": 1675184482191,
          "type": "implicit",
          "versions": {
            "application": "SDK-4.20.1",
            "service": "40.17.39",
            "settings": "24.4.42"
          }
        }
      ],
      "id": "H1Vl5NidjWX",
      "processorId": "08656abfe360e91c1a3e11b0a6c7a5cab0465bb27
      "status": true
    }
  ],
  "version": "24.4.42"
}
Annex
Browsing History
For the collection of evidence, the browser navigated consecutively to the following 1 webpage(s):
1. https://tpomap.com/
All Beacons
The data transmitted by beacons using HTTP GET parameters are decoded for improved readability and displayed beneath
the beacon URL.
fanboy-annoyance.txt
1 https://app.usercentrics.eu/browser-ui/3.16.0/DefaultTabs-8f344cba.js 1
2 https://app.usercentrics.eu/browser-ui/3.16.0/VirtualServiceItem-c301e271.js 1
3 https://app.usercentrics.eu/browser-ui/3.16.0/SaveButton-131a2968.js 1
4 https://app.usercentrics.eu/browser-ui/3.16.0/index-439671c1.js 1
5 https://uct.service.usercentrics.eu/uct?v=1&sid=ag6T7OgIc&t=1&abv=&r=https%3A%2F%2Ftpomap.… 1
    "abv": "",
    "cb": 1675184482220,
    "r": "https://tpomap.com/",
    "sid": "ag6T7OgIc",
    "t": 1,
    "v": 1
6 https://app.usercentrics.eu/browser-ui/3.16.0/index-9bf85356.js 1
7 https://app.usercentrics.eu/browser-ui/3.16.0/PrivacyButton-3bba7330.js 1
8 https://consent-api.service.consent.usercentrics.eu/consent/uw/1 1
9 https://graphql.usercentrics.eu/graphql 1
10 https://app.usercentrics.eu/browser-ui/3.16.0/Taglogger-11fc0938-b844956d.js 1
11 https://app.usercentrics.eu/browser-ui/3.16.0/SecondLayerUI-56be3c40-41d6e05f.js 1
12 https://app.usercentrics.eu/browser-ui/3.16.0/ButtonsCustomization-d032f0b1-469d439b.js 1
13 https://app.usercentrics.eu/browser-ui/3.16.0/FirstLayerCustomization-9f2ad3bf-05bf0bc5.js 1
14 https://app.usercentrics.eu/browser-ui/3.16.0/DefaultUI-dc03f385-1407283b.js 1
15 https://api.usercentrics.eu/translations/translations-en.json 1
16 https://app.usercentrics.eu/browser-ui/3.16.0/DefaultData-c8cc3b59-94d0fc63.js 1
17 https://app.usercentrics.eu/session/1px.png?settingsId=ag6T7OgIc 2
    "settingsId": "ag6T7OgIc"
18 https://api.usercentrics.eu/settings/ag6T7OgIc/latest/en.json 1
19 https://api.usercentrics.eu/settings/ag6T7OgIc/latest/languages.json 1
20 https://tpomap.com/wp-content/plugins/matomo/app/matomo.php?action_name=TPOmap%20%7C… 1
    "_id": "",
    "_idn": 1,
    "_refts": 0,
    "action_name": "TPOmap | #1 Responsible Data management Software",
    "cookie": 1,
    "h": 18,
    "idsite": 1,
    "m": 1,
    "pf_dm1": 294,
    "pf_net": 397,
    "pf_srv": 37,
    "pf_tfr": 3,
    "pv_id": "j5GGPp",
    "r": 653322,
    "rec": 1,
    "res": "1440x900",
    "s": 21,
    "send_image": 0,
    "uadata": {
        "brands": [],
        "mobile": false,
        "model": "",
        "platform": "",
        "platformVersion": "",
        "uaFullVersion": ""
    },
    "url": "https://tpomap.com/"
21 https://tpomap.com/wp-content/uploads/matomo/matomo.js 1
22 https://app.usercentrics.eu/browser-ui/3.16.0/index.module.js 1
23 https://app.usercentrics.eu/browser-ui/latest/loader.js 1
easyprivacy.txt
1 https://app.usercentrics.eu/browser-ui/3.16.0/DefaultTabs-8f344cba.js 1
2 https://app.usercentrics.eu/browser-ui/3.16.0/VirtualServiceItem-c301e271.js 1
3 https://app.usercentrics.eu/browser-ui/3.16.0/SaveButton-131a2968.js 1
4 https://app.usercentrics.eu/browser-ui/3.16.0/index-439671c1.js 1
5 https://uct.service.usercentrics.eu/uct?v=1&sid=ag6T7OgIc&t=1&abv=&r=https%3A%2F%2Ftpomap.… 1
    "abv": "",
    "cb": 1675184482220,
    "r": "https://tpomap.com/",
    "sid": "ag6T7OgIc",
    "t": 1,
    "v": 1
6 https://app.usercentrics.eu/browser-ui/3.16.0/index-9bf85356.js 1
7 https://app.usercentrics.eu/browser-ui/3.16.0/PrivacyButton-3bba7330.js 1
8 https://consent-api.service.consent.usercentrics.eu/consent/uw/1 1
9 https://graphql.usercentrics.eu/graphql 1
10 https://app.usercentrics.eu/browser-ui/3.16.0/Taglogger-11fc0938-b844956d.js 1
11 https://app.usercentrics.eu/browser-ui/3.16.0/SecondLayerUI-56be3c40-41d6e05f.js 1
12 https://app.usercentrics.eu/browser-ui/3.16.0/ButtonsCustomization-d032f0b1-469d439b.js 1
13 https://app.usercentrics.eu/browser-ui/3.16.0/FirstLayerCustomization-9f2ad3bf-05bf0bc5.js 1
14 https://app.usercentrics.eu/browser-ui/3.16.0/DefaultUI-dc03f385-1407283b.js 1
15 https://api.usercentrics.eu/translations/translations-en.json 1
16 https://app.usercentrics.eu/browser-ui/3.16.0/DefaultData-c8cc3b59-94d0fc63.js 1
17 https://app.usercentrics.eu/session/1px.png?settingsId=ag6T7OgIc 2
    "settingsId": "ag6T7OgIc"
18 https://api.usercentrics.eu/settings/ag6T7OgIc/latest/en.json 1
19 https://api.usercentrics.eu/settings/ag6T7OgIc/latest/languages.json 1
20 https://tpomap.com/wp-content/plugins/matomo/app/matomo.php?action_name=TPOmap%20%7C… 1
    "_id": "",
    "_idn": 1,
    "_refts": 0,
    "action_name": "TPOmap | #1 Responsible Data management Software",
    "cookie": 1,
    "h": 18,
    "idsite": 1,
    "m": 1,
    "pf_dm1": 294,
    "pf_net": 397,
    "pf_srv": 37,
    "pf_tfr": 3,
    "pv_id": "j5GGPp",
    "r": 653322,
    "rec": 1,
    "res": "1440x900",
    "s": 21,
    "send_image": 0,
    "uadata": {
        "brands": [],
        "mobile": false,
        "model": "",
        "platform": "",
        "platformVersion": "",
        "uaFullVersion": ""
    },
    "url": "https://tpomap.com/"
21 https://tpomap.com/wp-content/uploads/matomo/matomo.js 1
22 https://app.usercentrics.eu/browser-ui/3.16.0/index.module.js 1
23 https://app.usercentrics.eu/browser-ui/latest/loader.js 1
Glossary
Filter Lists
Browser extensions commonly referred to as adblockers have been developed to block the loading of advertisements
based on filter lists. Later on, filter lists were extended to also block the loading of web page elements connected
to the tracking of web page visitors. For this evidence collection, publicly available tracking filter lists are re-purposed
to identify web page elements that may track the web page visitors.
First-Party
In this document, first-party is a classification of the resources: links, web beacons, and cookies. To be first-party, the
resource domain must match the domain of the inspected web service or other configured first-party domains. Note
that the resource path must also be within the path of the web service to be considered first-party.
Host (HTTP)
The HTTP host is the computer receiving and answering browser requests for web pages.
Redirect (HTTP)
A request for a web page may be answered with a new location (URL) to be requested instead. These HTTP redirects
can be used to enforce the use of HTTPS: visitors requesting an HTTP web page are redirected to the corresponding
HTTPS web page.
Request (HTTP)
To download and display a web page identified by a URL, browsers send HTTP requests with the URL to the host
computer specified as part of the URL.
Third-Party
Links, web beacons and cookies that are not first-party (see above) are classified as third-party.
Web Beacon
A web beacon is one of various techniques used on web pages to unobtrusively (usually invisibly) allow tracking of
web page visitors. A web beacon can be implemented for instance as a 1x1 pixel image, a transparent image, or an
empty file that is requested together with other resources when a web page is loaded.