The United Nations runs Google's ad-tech on its own website, without consent, while telling the rest of us to account for AI's footprint
I have spent the better part of my life fighting for privacy - for the right of a person to control what is known about them, by whom, and to what end. It is a right the United Nations itself gave the world, in Article 12 of the Universal Declaration of Human Rights in 1948, and restated in binding terms in Article 17 of the International Covenant on Civil and Political Rights. I am a supporter of the UN, and of the architecture of rights it built across the last seventy-five years. I want to be very clear about that before I say anything else, because what follows is written out of respect for what the organisation is supposed to stand for, not out of any wish to see it diminished.
On AI accountability, the UN is right
The Secretary-General has been right to raise the environmental cost of artificial intelligence - the electricity these systems burn, the water their data centres consume, the carbon they put into an atmosphere we all share. I agree with the position completely. If anything I would like the UN to go further, to treat the whole of corporate environmental, social and governance accountability with the seriousness it deserves, and to hold the companies building these systems to a standard that matches their scale and their power. On the substance of what the UN is asking of industry, I do not disagree with a single word.
The problem is the hypocrisy
My problem is not the message. My problem is that the organisation delivering it does the very thing it condemns - on its own website, at enormous scale, using the very vendors it is demanding the rest of the world hold to account - and it does not so much as acknowledge that the harm exists.
I ran a forensic capture of the United Nations English-language homepage, https://www.un.org/en/, from an EU vantage point. The capture is cryptographically signed and RFC 3161 timestamped, so every figure below can be independently verified rather than taken on my word. What it shows is that the page loads Google Tag Manager, Google DoubleClick advertising infrastructure, YouTube tracking, and Google-hosted fonts and APIs - third-party services that profile the people who visit - and it does so with no consent banner of any kind. There is no consent mechanism on the page at all. Nothing is asked. Nothing is offered. The tracking simply runs, on every visitor, the moment the page loads.
Not bound by the law is not the same as free to ignore it
The UN is an international organisation. That is a specific thing in law - a body created by treaty between states, with its own legal personality, and with immunities from national jurisdiction set out in the Charter itself (Article 105) and in the 1946 Convention on the Privileges and Immunities of the United Nations. In practice that means a national data protection authority cannot serve the UN with an enforcement notice or a fine. The General Data Protection Regulation and the ePrivacy Directive, as instruments of national and EU enforcement, do not reach the UN in the way they reach other data controllers.
That immunity is a reason to hold a higher standard, not a licence to hold a lower one. An organisation that exists to create, maintain and champion human rights, and that lectures industry on responsibility, should be setting the bar for everyone else - not quietly availing itself of the very surveillance technologies that erode the rights it was built to defend. These technologies should not be on the UN's estate at all. They do real and documented harm to fundamental rights, and, as the figures below show, real and avoidable harm to the environment. By ignoring its own conduct while demanding accountability from others, the UN brings its entire moral authority into disrepute - and it does so at the expense of the rights it created and, given the context of the Secretary-General's own remarks, at a measurable cost to the climate.
The environmental impact
The method here is the same one my WebSentinel platform applies to any site, and the same one I have already set out in a formal environmental complaint filed in another matter. I measure the bytes actually transferred to load the page, separate the first-party content from the third-party tracking, and convert that tracking to electrical energy and carbon. By "the tracking" I mean the third-party services that, for any data controller the law actually binds, would require the visitor's freely given consent before they were allowed to load - consent the UN, as an international organisation, is not obliged to obtain, and here did not seek. The energy intensity of network transfer is taken as 0.06 kWh per gigabyte, the mid-band of Parssinen et al. (2018); the grid factor is 0.25 kg CO2e per kWh, the EEA / IEA EU-27 composite for 2024. I use a thirty-day month, and I extrapolate across the English-language site's traffic, which public estimators place in the region of 20 to 25 million visits per month.
Per single visit the page transfers about 6.29 MB, of which about 2.06 MB is third-party tracking of the kind that would otherwise require consent.
The avoidable footprint - that would-otherwise-require-consent portion alone:
| English-site visits / month | Energy (annual) | Carbon (annual) |
|---|---|---|
| 20 million | 29,599 kWh | 7.40 tonnes CO2e |
| 25 million | 36,999 kWh | 9.25 tonnes CO2e |
For reference, the full page weight across the same traffic runs to roughly 22.6 to 28.3 tonnes CO2e a year. The numbers above are deliberately conservative: they count only the third-party portion, they exclude end-user device energy, and they use the mid-point of the published range. The true figure is higher, and that is before a single one of the UN's many other pages, languages and subdomains is counted.
The privacy impact
The capture is unambiguous about what the page does to the people who load it, and it does all of it with no consent and no means to refuse.
The page reaches out to thirteen distinct third-party hosts, and loads executable third-party script from five of them - 160 third-party script requests in a single page load. The third parties are, almost without exception, Google: Google Tag Manager, Google Analytics (region1.google-analytics.com), Google's DoubleClick advertising infrastructure across three separate endpoints (googleads.g.doubleclick.net, static.doubleclick.net, ad.doubleclick.net), YouTube, Google Fonts and Google APIs - alongside Libsyn, a podcast and advertising platform, and a UN media CDN. This is an advertising and analytics stack, running on the website of the body that wrote the right to privacy into international law.
While that code runs, it interrogates the visitor's device. The capture records 342 fingerprinting events across roughly twenty distinct surfaces. Among them: the device's graphics hardware (WebGL), its battery status - an API browsers have been removing precisely because it was abused for tracking - its network connection information, its media devices, that is the cameras and microphones attached to the machine, its timezone, keyboard layout, client hints, permissions state, and the full navigator and screen profile. These are the building blocks of a device fingerprint - a way to recognise the same person again even when they have taken deliberate steps to stay anonymous.
The page also writes and reads storage relentlessly: 437 storage operations, including 44 cookies set and 228 cookies sent, plus localStorage, sessionStorage, IndexedDB, the Cache Storage API, and even window.name, a long-standing cross-context tracking trick. The third parties doing most of this are YouTube, with 140 storage operations, and Google Tag Manager with 23 - third-party code, writing and reading identifiers on the device of every UN visitor, who was never asked.
I want to address one surface specifically, because of who visits this site. WebRTC is a browser technology that can be made to reveal a visitor's true network endpoints even when they are behind a VPN. For an ordinary website that is a privacy problem. For a site visited by human rights defenders, journalists, and people reporting from hostile territory, it could be a matter of physical safety - the unmasking of a VPN could place a real person in real danger, and if the script doing it is a third party, the UN has no control over where that data goes. I checked for it specifically. On this page I found no WebRTC endpoint probing, and no service worker quietly running in the background after the visitor has left, and I am glad to be able to say so. But the deeper problem does not go away: the UN does not control any of the thirteen third parties on this page. It cannot read their code, it cannot vet their updates, and it cannot guarantee that none of them adds exactly that capability tomorrow. When you hand your visitors to third-party scripts, you hand over the people behind the screens - and not all of the UN's visitors are ordinary people, many are in a vulnerable class of one form or another.
What I am asking the Secretary-General to do
I call on the Secretary-General to pledge that, within 180 days, the United Nations will remove all third-party tracking, analytics, testing and advertising scripts, and all tracking beacons, from its websites - the entire online estate, not a single flagship page. At the scale the UN operates, this is not a cosmetic change. It is the difference between an organisation that practises the rights it preaches and one that erodes them, continuously, across millions of visitors a month, at significant and entirely avoidable cost to the environment the Secretary-General has rightly asked us all to protect.
Because the Charter demands it
I am not singling out the United Nations, and I have the record to prove it. In 2018, on the very day the European Data Protection Board's website went live, I filed a formal complaint against the Board, because its own site did not comply with the ePrivacy Directive or the GDPR - while openly acknowledging that the Board was not itself bound by the GDPR, but owed a duty of responsibility precisely because it is the body telling every company in the EU how important it is to protect personal data. It took several weeks, and the Board's first plenary meeting, before the matter was resolved and the Board accepted that it had to lead by example. On 1 October 2019, within two minutes of the Court of Justice handing down its judgment in Planet49 (Case C-673/17), I filed a complaint, because the Court's own website did not comply with the judgment the Court had just issued. I hold the institutions I admire to the standard they set for everyone else, and I always have.
Just because the rules might not apply does not mean the rules should not be applied. The United Nations Charter, in Article 1(3), sets as a founding purpose of the organisation "promoting and encouraging respect for human rights and for fundamental freedoms for all", and its preamble reaffirms "faith in fundamental human rights, in the dignity and worth of the human person". Privacy is one of those rights - the UN said so itself in 1948, and again in the Covenant. Convenience is no excuse for a corporate entity that loads these technologies without consent, and it is no excuse for an international organisation either - least of all one whose own founding document demands that it respect the very rights its technical choices are quietly undermining.
