from the we-take-our-customer's-privacy-very-seriously dept.
Here to add another layer of dread ahead of the upcoming tax season, The Markup reported that some of the biggest online e-filing services—unbeknownst to millions of users—have been sharing sensitive user financial information with Meta. Some services linked user names and email addresses with detailed information like income, refund amounts, filing status, and even the amount of dependents' college scholarships.
These services include H&R Block, TaxAct, and TaxSlayer, which transmit data via a tool that Meta provides for businesses called the Meta Pixel. The Markup published the data sent to Meta by these companies, which it confirmed was sometimes generated and shared "regardless of whether the person using the tax filing service has an account on Facebook" or other Meta service.
Meta provides the Meta Pixel as a code that businesses can customize and embed on their websites to gather information to help businesses improve targeted marketing campaigns on Meta platforms. In return for this service, Meta gets to use the shared data to drive its own algorithms in its mission to know just about everything that can be known about its own users.
The Markup asked the Internal Revenue Service to verify whether tax preparers sharing sensitive financial information with Meta violated IRS regulations, but the IRS declined to comment.
H&R Block spokesperson Angela Davied told The Markup that the company would be reviewing the information revealed by The Markup. She told Ars that the company has since decided to change how it uses the Meta Pixel.
"At H&R Block, we take protecting our clients' privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels," Davied told Ars.
A TaxSlayer spokesperson, Molly Richardson, told The Markup that TaxSlayer, like H&R Block, was evaluating its use of the pixel. "Our customers' privacy is of utmost importance, and we take concerns about our customers' information very seriously," Richardson said, confirming that the pixel would be removed until TaxSlayer finished its review.
[...] According to Meta, it prohibits businesses from sharing "information about an individual's financial account or status." This rule didn't stop two businesses from sharing income information, The Markup reported.
[...] While The Markup's report focused on the Meta Pixel, their investigation also revealed that TaxAct was sharing financial information with Google through its use of Google Analytics. In those cases, names weren't shared, but information like income and refund amounts were.
Google spokesperson Jackie Berté told The Markup that Google Analytics data "is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user." Berté said that this reflects Google's "strict policies against advertising to people based on sensitive information."
When The Markup reviewed data as recently as this Monday, reporters confirmed that TaxAct "continued to send financial information to Google Analytics."
Well, at least my personal health information is protected from Meta Pixel, right?
« Texas Just Had Its Biggest Earthquake in Decades, and Fracking Is a Prime Suspect | NASA's New Rocket Blows the Doors Off its Mobile Launch Tower »
Meta is facing mounting questions about its access to sensitive medical data following a Markup investigation that found the company's pixel tracking tool collecting details about patients' doctor's appointments, prescriptions, and health conditions on hospital websites.
During a Senate Homeland Security and Governmental Affairs Committee hearing on Wednesday, Sen. Jon Ossoff (D-GA) requested that Meta—the parent company of Facebook and Instagram—provide a "comprehensive and precise" accounting of the medical information it keeps on users.
[...] In response to Ossoff's question about whether Meta has medical or health care data about its users, Meta chief product officer Chris Cox responded, "Not to my knowledge." Cox also promised to follow up with a written response to the committee.
[...] "Advertisers should not send sensitive information about people through our Business Tools," Meta spokesperson Dale Hogan wrote to The Markup in an emailed statement. "Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect."
Meanwhile, developments in another legal case suggest Meta may have a hard time providing the Senate committee with a complete account of the sensitive health data it holds on users.