Dutch suicide hotline 113 leaked visitor metadata to Google and Microsoft

Stichting 113, the Netherlands’ suicide prevention foundation, was caught piping sensitive visitor telemetry to Google and Microsoft without consent, according to research by ethical hacker Mick Beer of Hackedemia.nl. The leaked data included visitor location, device and browser fingerprints, referring URLs, and full session recordings of activity on 113.nl. Google received this data regardless of whether visitors accepted cookies; Microsoft received it when consent was given.

The mere act of opening the 113 page or clicking its chat or call buttons is itself sensitive medical information under GDPR, which mandates heightened protection for health-related data. Sharing it with ad-tech platforms that can fold it into broader user profiles almost certainly puts the foundation in breach of the regulation. No conversation content was shared, the foundation said — only metadata — but metadata tying an individual to a suicide hotline visit is exactly what the rules are designed to protect.

After being confronted with the findings, Stichting 113 disabled all measurement and analytics tooling on its site and opened an internal investigation into how the trackers ended up there and what the impact has been. It has not committed to keeping the trackers off permanently.