Meta’s pixel code helps businesses reach online customers, but shares sensitive data about them
Most websites have code running in the background to help the site run better and, of course, to target advertising. A recent investigation from The Markup found many tax-filing sites were sharing users’ financial data with Facebook using a code called Meta Pixel (pixels are invisible tracking tools).
Marketplace’s Kimberly Adams spoke to Simon Fondrie-Teitler, an infrastructure engineer at The Markup and co-author of this investigation. She asked him how common Meta Pixel is. The following is an edited transcript of their conversation.
Simon Fondrie-Teitler: We built a tool called the Blacklight that we had visit a whole bunch of sites, like the top million or so sites, and look at what trackers were on the sites. And this along with Google Analytics was by far the most common one that we saw. I think Facebook said that there were 2 million sites using this pixel. It is presumably quite a bit higher now, though I’m not sure that we have the sort of the exact numbers currently.
Kimberly Adams: In your reporting, you found that some sites were using this code and sharing users’ tax information. What was going on there?
Fondrie-Teitler: This pixel code was active, not just on the sort of main website where you go and visit and it would tell you some information about the central services of this company, but also, once you logged in, and were filling out your taxes, the pixel remained active there and appeared to be specifically sending the adjusted gross income filing status, some more specific numbers there.
Adams: Is that legal?
Fondrie-Teitler: There are IRS prohibitions on using this type of data beyond the tax preparers actually preparing your taxes. So they want to use it for something other than figuring out how much you owe and sending it to the IRS, they have to ask you specifically for permission. So this is something that there are sort of civil and potentially criminal liability.
Adams: Specifically, which companies did you find were sharing this data? And how have those companies responded?
Fondrie-Teitler: Sure. So we found H&R Block, TaxAct, TaxSlayer, and then Ramsey SmartTax. They all have responded to us and said that they removed the pixel from inside the tax filing application. We’ve gone in and verified that sort of at least for now, it’s gone. I don’t think we’ve gotten more specific answers to sort of why this was there and plans going into the future for the others.
Adams: You reached out to Meta about the data that’s being shared through the pixel. What was the company’s response?
Fondrie-Teitler: So Meta told us that they have specific rules around sending sensitive information to Facebook through this pixel. Specifically, they have rules against financial information and call out things like income as a thing that’s not supposed to be sent. They say it’s against their policies. And they say their system is designed to filter out potentially sensitive data that it is able to detect. They didn’t answer questions on sort of what percentage of sensitive information it’s detecting, or whether in this case it was detecting this information as sensitive and blocking it.
Adams: So even though you were able to tell that these companies were sending sensitive information to Facebook, there’s no way to tell if Facebook was actually using that to show people ads.
Fondrie-Teitler: Yeah, that’s correct. We could see that it was going and was being received by Facebook servers. But we don’t have visibility into what happens after that. It’s a black box.
Adams: This story is part of a monthlong investigation you and your colleagues at The Markup have been doing. What else have you discovered about how this pixel code works online?
Fondrie-Teitler: So we’ve we previously had published two stories on this topic. The first one, we found the [Free Application for Federal Student Aid], which is the Department of Education’s form for requesting student aid for college tuition. We found that sending details about who was applying to Facebook, like the names of the applicants to Facebook as they were going through this process. The second article was similar to that in the tech story where we looked at hospitals that had this pixel, and we found the pixel was active in the seven health systems inside the patient portals and was sending information like medication and appointments, communications with your doctor, really quite a bit of very sensitive information, to Facebook.
Adams: So if people don’t want their sensitive data shared this way, what options do we have?
Fondrie-Teitler: Well, so there are browser extensions that you can install that will block this sort of information from being sent. These are available for Firefox, Chrome, I think, generally the major browsers. There are also specific browsers like brave, the purpose of which is sort of this built-in feature to block these sort of trackers. I mean, it just takes a little bit of technical expertise to even just install a browser extension that someone might not already know. Other than that, and sort of encouraging more regulation or better enforcement of existing regulation, I don’t know that it’s super easy for individuals to avoid. And I don’t like that as an answer. I feel like I should be able to offer something that’s like, just press this button and you’ll be opted out of all of it. But I don’t know that that necessarily exists right now.
Related links: More insight from Kimberly Adams
After The Markup’s investigation came out, and shortly after I talked to Simon, we got news of a proposed class-action lawsuit against Meta, but not the tax preparation companies, for violating users’ trust and expectations of privacy as well as federal law.
And here are The Markup’s investigations into Meta Pixel. The FAFSA story was from earlier this year.
That article notes that information shared with Facebook was, at minimum, online applicants’ full name, phone number, email address and ZIP codes. After that investigation, two lawmakers sent a letter to the U.S. secretary of education, questioning the department’s knowledge of the pixel code being used by its college financial aid website. The lawmakers insist in their letter that “to gain back the trust from students and parents, the Department must be transparent as possible.”
The future of this podcast starts with you.
Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.
As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.
Support “Marketplace Tech” in any amount today and become a partner in our mission.