‘This is Appalling’ — Tax-Prep Sites Leak PII to Facebook

Some incredibly personal details are being sent to Facebook, without your consent. H&R Block, TaxAct, and TaxSlayer are accused of selling your data to Meta.

These tax firms are using the “Meta Pixel”—a curiously named chunk of embedded JavaScript supplied by Meta to websites, usually in return for money. (The more of your personal data Meta is able to slurp up, the more money, it would seem.)

You are the product—except these services aren’t even free! In today’s SB Blogwatch, we’re as mad as hell and we’re not going to take it anymore.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: If Mastodon existed in the 1980s.

Taxing Times for Meta

What’s the craic? Simon Fondrie-Teitler, Angie Waller and Colin Lecher report—“Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook”:

This is appalling
Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook [including] names … email addresses … data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts. … The pixel also sent the names of dependents in an obfuscated, but generally reversible, format.

TaxAct … also uses Google’s analytics tool on its website, and [we] found similar financial data, but not names, being sent to Google. … H&R Block, which also offers an online filing option that attracts millions of customers per year, embedded a pixel on its site that gathered information on filers’ health savings account usage and dependents’ college tuition grants and expenses. … The pixel on TaxSlayer’s site included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return.

Mandi Matlock, a Harvard Law School lecturer focused on tax law, said [it] showed taxpayers “providing some of the most sensitive information that they own, and it’s being exploited. … This is appalling,” she said. “It truly is.”

It is, isn’t it? Jon Fingas reminds us of some context—“Meta’s Pixel is once again harvesting private data without users’ knowledge”:

Regardless of what users selected
Meta is already in legal trouble over the Pixel. Two proposed class action lawsuits filed earlier this year accused the social media giant and hospitals of violating privacy laws by scooping up patient data without consent. The plaintiffs also claimed Meta failed to enforce its own policies. In that sense, the tax site revelation just adds to the company’s problems.

The companies involved are altering or reevaluating their uses of the Meta Pixel. TaxAct has stopped sending financial data through the tracker, although it’s still transmitting similar content to Google as of this writing. TaxSlayer has pulled the Pixel to rethink its usage. H&R Block hasn’t changed its approach, but [said it] will “review the information.”

It’s not clear if any of the tax filing sites were misusing the data. Whether or not they were, they could still face penalties for gathering details without permission. Internal Revenue Service regulations require that tax prep firms obtain signed consent for using info for any reason beyond the filing. None of the websites in the report mentioned Meta or Facebook by name, and in some cases had only generic disclosure agreements. The sites gave users the option to decline sharing tax data, but Facebook received it regardless of what users selected.

It’s outrageous! AmanoJyaku is incensed:

If anything should trigger a bipartisan congressional hearing, this is it. It’ll never happen, but I want to see people put in prison for this.

What can we do to protect ourselves? nerdjon has bad news:

I hate this situation so much. I can block a lot with my browser but then often websites stop working, so while that is a solution since I have the technical knowledge to handle it there is no way in hell I am going to tell my parents to install something that will block this stuff.

Throw in the tracking in apps and potential server side tracking that there is nothing I can do about. We need some serious laws to be implemented.

Wait. Pause. How is it possible for a mere remote-loaded image to collect all this data? This Anonymous Coward explains:

It isn’t possible. But it’s possible for JavaScript, running in the browser and having access to the DOM (and other things), to access that data and put it into a pixel’s URL and then have the browser request that URL.

Disabling JavaScript will very likely fix the problem. (But if the website’s author decided to have it not work without JavaScript, then it fixes the problem by getting you to leave that website.)

Ah, so “pixel” is a cuddly euphemism? Martin Blank has more:

A few years ago, I was pen testing a client’s main website. In just loading [it] from a clean browser, I observed more than 400 outbound HTTP calls to more than 130 other domains. A tiny handful … were owned by the client and a few more … were CDNs, but the rest were various analytics firms, and as best as I could figure, there were about 60 of them. More tracking was going on as the mouse was moved around the page, and the mouse movements were going to at least three separate firms. One firm ended up collecting payment data later in the process.

None of this was planned or even known by executives. It was all Sales and Marketing making increasing demands of developers … to wring out more data. I provided a map of all of this and a discussion of the risks posed by trusting data with so many companies, and how there was no way to fully understand what data was going to which companies.

I won’t say it caused a panic at the client, but it certainly started a serious discussion at upper levels. That may be what’s happening here. … That doesn’t speak well of process control, and I’m not calling the executives angels, but it’s really hard to know what everyone is doing all the time.
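The two mechanisms described above (a script putting form data into a pixel's URL, and a tester mapping a page's outbound calls) can be checked from the defender's side. The following is an added example, not code from the article, the commenters, or any tracker vendor: given the values a user typed into a tax form and the outbound request URLs recorded during the page load (for instance from a browser's HAR export), it flags third-party requests whose query strings carry those values in plain, percent-encoded or base64 form, and lists the third-party hosts contacted. The form values, hostnames and URLs are constructed for illustration.

```javascript
// Added example: offline audit of recorded outbound URLs for leaked form values.
// Encodings a page script might apply to a field value before it lands in a
// pixel URL; add more transforms here to widen the audit.
const ENCODINGS = {
  plain: (v) => v,
  urlencoded: (v) => encodeURIComponent(v),
  base64: (v) => Buffer.from(v, 'utf8').toString('base64'),
};
const MIN_LEN = 4; // very short values ("1", "no") would match almost anything

// Returns [{host, field, encoding}] for every third-party request whose query
// string contains a form value under one of the encodings above.
function findLeakedFields(formValues, outboundUrls, firstPartyHost) {
  const hits = [];
  for (const raw of outboundUrls) {
    const url = new URL(raw);
    if (url.hostname === firstPartyHost) continue; // first-party traffic is expected
    // Compare against decoded parameter values and the raw query string, so
    // both already-decoded and still-percent-encoded matches are caught.
    const candidates = [...url.searchParams.values(), url.search];
    for (const [field, value] of Object.entries(formValues)) {
      if (value.length < MIN_LEN) continue;
      const encoding = Object.keys(ENCODINGS).find((name) =>
        candidates.some((c) => c.includes(ENCODINGS[name](value))));
      if (encoding) hits.push({ host: url.hostname, field, encoding });
    }
  }
  return hits;
}

// The "map" of third parties a page talks to, as a sorted list of hostnames.
function thirdPartyHosts(outboundUrls, firstPartyHost) {
  const hosts = outboundUrls.map((u) => new URL(u).hostname)
    .filter((h) => h !== firstPartyHost);
  return [...new Set(hosts)].sort();
}

// Constructed sample data (hypothetical hosts and values, not real traffic).
const SAMPLE_FORM = {
  email: 'alice@example.com',
  filingStatus: 'married filing jointly',
  refundAmount: '1842.50',
  dependentName: 'Bobby Example',
};
const SAMPLE_URLS = [
  'https://taxprep.example/app/submit?step=3',
  'https://pixel.tracker.example/tr?id=123&ev=PageView&cd[email]=alice%40example.com',
  'https://pixel.tracker.example/tr?ev=Lead&cd[refund]=1842.50&cd[dep]=Qm9iYnkgRXhhbXBsZQ%3D%3D',
  'https://cdn.example/lib.js',
];
console.log(thirdPartyHosts(SAMPLE_URLS, 'taxprep.example'));
console.log(findLeakedFields(SAMPLE_FORM, SAMPLE_URLS, 'taxprep.example'));
```

Feeding it a real HAR export means extracting each entry's request URL and the exact strings entered into the form; a hit on a hashed or proprietary encoding needs a matching transform added to ENCODINGS.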

Who is more to blame? Meta or the tax-prep firms? moolcool knows which side to come down on:

I am so incredibly fed up. … Meta is one of the most deplorable companies in existence, and if you work there, I think you should really evaluate and reflect on what your company actually does. It’s shameful and embarrassing that we put up with them.

But SomePoorSchmuck blames the tax-prep industry:

All online filing websites are defined by law as “Tax Preparers.” … They must adhere to IRS standards for data privacy. An excerpt from these standards:

“Any consent to disclose tax return information must contain the following statements in the following sequence: … Federal law requires this consent form be provided to you. Unless authorized by law, we cannot disclose, without your consent, your tax return information to third parties for purposes other than the preparation and filing of your tax return. … You are not required to complete this form.”

It looks like any company that did not explicitly obtain your consent to share any of your return with anyone else … is in violation of US Federal Law and subject to prosecution/penalty.

Meanwhile, dwrd parrots a trope:

Of course, once they’ve been busted with their hand in the cookie jar, the perpetrators would like to remind us, with a straight face, that they take their users’ privacy seriously.

And Finally:

It’s not in the room

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Kelly Sikkema (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
