Meta, the owner of Facebook, has its hands in applications where it does not belong. Meta released a public service late last year titled Meta Pixel. Meta Pixel is a data sharing service for large corporations, and it appears that this service has been embedded into several online tax filing service software packages. Each year the Internal Revenue Service processes about 150 million electronically filed individual tax returns, and a majority of these services utilize Meta Pixel services as part of the software stack.
The Markup, an online newsletter (https://themarkup.org), reported that Facebook was gathering personal information from popular tax return filing software services, like TaxAct through Pixel components installed on TaxAct’s website. When you file a return through online services, though the sites appear secure, they are in fact sharing information with Facebook via the Pixel service. The Markup found that the Pixel service was gathering information including the filing status, adjusted gross income, the amount of the tax refund, and names of dependents in a reversible obfuscated format.
TaxAct claims to have about three million consumer and professional users and also employs Google analytics tools on its website. Google analytics was gathering the same financial information as Facebook, but ignoring the names. The catch is that Google already has name associations to users through cookies and other trackers on the user’s computer, so though they are not gathering the names directly, they can already make an educated guess associating names to the financial records.
It is bad enough that TaxAct is voluntarily sending this personal and private information to a third party, but it gets much worse. Other online tax software giants are doing the same. H&R Block, TaxSlayer, and Ramsey Solutions are also utilizing Google analytics and Meta Pixel on their sites. Enough information is shared with Facebook to link the information to a Facebook Profile, and all the above sites are sharing financial and status information with Meta.
All the mentioned companies originally installed Pixel and Google Analytics to take advantage of the user sign-on services provided by Google and Facebook. So be aware that any website you visit that offers to let you sign in with Google or Facebook may be sharing more than just your user name and password with Google and Facebook.
Even Intuit, the dominant online filing company, employed Pixel to power their login services, but Intuit has taken the threat to personal information more seriously than the other major players and has prevented Pixel from interacting with their sites beyond the initial sign-on page.
The tax filing companies responded to questions by The Markup with mostly shock and disappointment that personal information beyond the initial sign-in was being shared through the interface and all are working to resolve the issues.
“We take the privacy of our customers’ data very seriously,” Nicole Coburn, a spokesperson for TaxAct, said in an email. “TaxAct, at all times, endeavors to comply with all IRS regulations.”
Angela Davied, a spokesperson for H&R Block, said the company “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”
Megan McConnell, a spokesperson for Ramsey Solutions, said in an email that the company “implemented the Meta Pixel to deliver a more personalized customer experience.”
“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” the statement said. “As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.”
Rick Heineman, a spokesperson for Intuit, said the company’s Pixel “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” although Intuit “may share some non-tax-return information, such as username, with marketing partners to deliver a better customer experience,” like not showing Intuit ads on Facebook to people who have accounts already. The company said it’s in compliance with regulations but has modified the Pixel to no longer send usernames.
I personally believe we are living in a dangerous time when big technology companies like Google and Facebook/Meta are openly violating privacy laws to benefit their profit margins and it seems there is nothing we can do to stop them.
Until next week, stay safe and learn something new.
Scott Hamilton is an Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to email@example.com or through his website at https://www.techshepherd.org.