Major tax filing services, including H&R Block, TaxAct and TaxSlayer, have been covertly sending Facebook sensitive financial information when Americans file their taxes online, according to The Markup.
The data includes names, email addresses, income, filing status, refund amounts and college scholarship information, and it is sent to Facebook regardless of whether a person even has an account on Facebook or on other platforms owned by Meta. The data can then be used to fine-tune advertising algorithms.
It is sent through widely used code called the Meta Pixel.
Of note, Intuit-owned TurboTax does use Meta Pixel; however, the company did not send financial information – just usernames and the last time a device signed in. Beyond that, it has kept the pixel entirely off pages beyond sign-in.
Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.
When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refund to the nearest hundred. The pixel also sent the names of dependents in an obfuscated, but generally reversible, format. -The Markup
TaxAct, which services around three million “consumer and professional users,” also sends data to Google via the company’s analytics tool, however names are not included in the information.
“We take the privacy of our customers’ data very seriously,” said TaxAct spokeswoman Nicole Coburn. “TaxAct, at all times, endeavors to comply with all IRS regulations.”
H&R Block embedded a pixel on its site that included information on filers’ health savings account usage, dependents’ college tuition grants and expenses. The company similarly claimed in a very boilerplate statement that it “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”
TaxSlayer – which says it completed 10 million federal and state returns last year – provided Facebook information on filers as part of the social media giant’s “advanced matching” system which attempts to link information from people browsing the web to Facebook accounts. The information sent includes phone numbers and the name of the user filling out the form, as well as the names of any dependents added to the return. Specific demographic information was also obscured, but Facebook was still able to link them to existing profiles.
Another tax filing service, Ramsey Solutions, told The Markup that the company “implemented the Meta Pixel to deliver a more personalized customer experience,” but that they “did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel.”
“As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.”
Harvard Law School lecturer and tax law specialist Mandi Matlock said the findings showed that taxpayers have been “providing some of the most sensitive information that they own, and it’s being exploited.”
“This is appalling,” she added. “It truly is.”
On Monday, after TaxAct was contacted by The Markup for comment, the company’s site no longer sent financial details like income and refund amount to Meta but continued to send the names of dependents. The site also continued to send financial information to Google Analytics. Also as of Monday, TaxSlayer and Ramsey Solutions had removed the pixel from their tax filing sites and TurboTax had stopped sending usernames through the pixel at sign in. H&R Block’s site was continuing to send information on health savings accounts and college tuition grants.
As of Wednesday, after this story was published, TaxAct had removed the pixel from its tax filing web application, but was still sending financial information to Google Analytics, and H&R Block told The Markup it removed the pixel from its tax filing website “to stop any client tax information from being collected.” The Markup verified that it had been removed.
How the Meta Pixel Tracks Users
Meta makes the pixel code freely available to anyone who wants it, allowing businesses to embed the code on their sites as they wish.
Using the code helps both Facebook and the businesses. When a customer comes to a business’s website, the pixel might record what items the customer browsed, say, a T-shirt, for example. The business can then target its ads on Facebook to people who looked at that shirt, allowing the business to find an audience that may already be interested in its products.
Meta wins financially too. The company says it can use the data it gleans from tools like the pixel to power its algorithms, providing it insight into the habits of users across the internet.
The strategy has been successful for Facebook. In 2018, the company told Congress that there were more than two million pixels across the web—a massive data-harvesting operation most internet users never see.
“The practice is ubiquitous,” said Jon Callas, director of public interest technology at the Electronic Frontier Foundation, who said he was left in “shock but not surprise” at The Markup’s findings.
Some of the sensitive data collection analyzed by The Markup appears linked to default behaviors of the Meta Pixel, while some appears to arise from customizations made by the tax filing services, someone acting on their behalf, or other software installed on the site.
For example, Meta Pixel collected health savings account and college expense information from H&R Block’s site because the information appeared in webpage titles and the standard configuration of the Meta Pixel automatically collects the title of a page the user is viewing, along with the web address of the page and other data. It was able to collect income information from Ramsey Solutions because the information appeared in a summary that expanded when clicked. The summary was detected by the pixel as a button, and in its default configuration the pixel collects text from inside a clicked button.
The pixels embedded by TaxSlayer and TaxAct used a feature called “automatic advanced matching.” That feature scans forms looking for fields it thinks contain personally identifiable information like a phone number, first name, last name, or email address, then sends detected information to Meta. On TaxSlayer’s site this feature collected phone numbers and the names of filers and their dependents. On TaxAct it collected the names of dependents.
The data collected by the matching feature is sent in an obfuscated form known as a hash, which Meta states is used in order to “help protect user privacy.” But the company can generally determine the pre-obfuscated version of the data—in fact Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles.
This pixel feature was turned off by default when The Markup set up a test pixel attached to a business account but could be turned on by clicking a toggle during setup.
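Why a hash of a name or phone number is “generally reversible,” shown as an added example that is not from The Markup or Meta: it assumes the obfuscation is an unsalted SHA-256 over a trimmed, lowercased value, and the names and the site secret are constructed. The keyed variant is included only as a contrast, since a recipient without the secret cannot perform the same join.

```python
import hashlib
import hmac


def normalize(value):
    """Trim and lowercase so the same name always hashes the same way (assumed)."""
    return value.strip().lower()


def obfuscate(value):
    """Unsalted SHA-256 of the normalized value (assumed scheme, see lead-in)."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def keyed_pseudonym(value, site_secret):
    """Contrast case: HMAC keyed with a secret the recipient never receives."""
    return hmac.new(site_secret, normalize(value).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def match_hashes(observed, known_values):
    """Join received hashes against values the recipient already holds."""
    lookup = {obfuscate(v): v for v in known_values}
    return [lookup.get(h) for h in observed]


# Constructed data: identifiers a platform already has on file, and a site-side key.
KNOWN_PROFILES = ["Alice Example", "Bob Example", "Carol Example"]
SITE_SECRET = b"constructed-secret-not-shared-with-recipient"


def demo():
    """Return (matches for plain hashes, matches for keyed pseudonyms)."""
    plain = [obfuscate("  ALICE example "), obfuscate("Dana Unknown")]
    keyed = [keyed_pseudonym("Alice Example", SITE_SECRET)]
    return match_hashes(plain, KNOWN_PROFILES), match_hashes(keyed, KNOWN_PROFILES)


if __name__ == "__main__":
    print(demo())
```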
When TaxAct sent dollar amounts like adjusted gross income to Meta, they were transmitted as parameters to a “custom event,” which are sent only if the pixel is configured beyond the default by a website operator or another application the website operator adds to their site. TaxAct did not respond to questions about whether and why it configured the pixel in this manner.
There are limits to the types of data Meta says it will collect through the pixel. The company says it doesn’t want sensitive information sent to it, including financial data, and that it uses automated filtering to block potentially sensitive data. Its help center states that it prohibits sending information including bank account or credit card numbers or “information about an individual’s financial account or status.”
Still, one specific type of prohibited data, income, was exactly what two tax sites sent to Facebook, The Markup found. Data sent to Facebook by TaxAct suggests it was also previously sending a parameter labeled “student_loan_interest,” which is now being filtered by the pixel before being sent.
From January to July of this year, The Markup tracked websites’ use of the pixel as part of the Pixel Hunt, a partnership with Mozilla Rally. For the project, participating users installed a browser extension that provided The Markup with a copy of all data shared with Meta via the pixel.
The Markup initially discovered sensitive information was shared by the tax preparers through data shared by Pixel Hunt participants. The Markup then signed up for accounts on the companies’ web applications and used the “Network” section of Chrome DevTools, a tool built into Google’s Chrome browser, to replicate and confirm the data.
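A site operator can run the same kind of check over request URLs exported from the DevTools Network panel. The script below is an added example, not The Markup’s tooling; the `/tr` endpoint path and the `ev`, `dl`, `rl`, `cd[...]` and `ud[...]` parameter names are assumptions about how pixel requests are laid out, and every sample URL is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed capture; host, path, event and parameter names are assumptions.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr/?id=0000&ev=PageView&dl=https%3A%2F%2Ftax.example%2Fstart",
    "https://www.facebook.com/tr/?id=0000&ev=SummaryViewed&cd%5Bagi%5D=52000&cd%5Brefund%5D=1400",
    "https://www.facebook.com/tr/?id=0000&ev=PageView&ud%5Bfn%5D=" + "a" * 64,  # placeholder hash
    "https://www.facebook.com/tr/?id=0000&ev=SubscribedButtonClick"
    "&cd%5BbuttonText%5D=Income%20%2452%2C000",
    "https://cdn.example/app.js?v=3",
]

SENSITIVE = re.compile(r"income|agi|refund|hsa|tuition|loan|dependent", re.I)
MONEY = re.compile(r"\$?\d{1,3}(,\d{3})+|\$\d+")
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def is_pixel_request(parts):
    """True when the URL targets the assumed pixel collection endpoint."""
    host = parts.hostname or ""
    on_host = host == "facebook.com" or host.endswith(".facebook.com")
    return on_host and parts.path.startswith("/tr")


def audit_request(url):
    """Return (reason, parameter) findings for one captured request URL."""
    parts = urlsplit(url)
    if not is_pixel_request(parts):
        return []
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.startswith("ud[") and HEX64.match(value):
            findings.append(("hashed identifier (advanced matching)", key))
        elif key.startswith("cd[") and (
                SENSITIVE.search(key) or SENSITIVE.search(value) or MONEY.search(value)):
            findings.append(("financial data in event parameter", key))
        elif key in ("dl", "rl") and SENSITIVE.search(value):
            findings.append(("sensitive term in page URL", key))
    return findings


def audit_capture(urls):
    """Map the index of each flagged request to its findings."""
    report = {}
    for index, url in enumerate(urls):
        findings = audit_request(url)
        if findings:
            report[index] = findings
    return report
```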
Earlier this year, with the help of Pixel Hunt participants, The Markup found sensitive data sent to Facebook on the Education Department’s federal student aid application website, crisis pregnancy websites, and the websites of prominent hospitals.
Meta collects so much data even the company itself sometimes may be unaware of where it ends up. Earlier this year Vice reported on a leaked Facebook document written by Facebook privacy engineers who said the company did not “have an adequate level of control and explainability over how our systems use data,” making it difficult to promise it wouldn’t use certain data for certain purposes.
At the time, a company spokesperson told Vice that Facebook has “extensive processes and controls to manage data and comply with privacy regulations.”
In response to The Markup’s questions about the tax websites’ use of the pixel, Dale Hogan, a spokesperson for Meta, pointed to the company’s rules on sensitive financial information.
“Advertisers should not send sensitive information about people through our Business Tools,” Hogan wrote in an emailed statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Google spokesperson Jackie Berté said in an email that the company “has strict policies against advertising to people based on sensitive information” and that Google Analytics data “is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user.”
The IRS Closely Regulates Tax Data
Nina Olson, the executive director of the nonprofit Center for Taxpayer Rights, was the national taxpayer advocate at the Internal Revenue Service between 2001 and 2019, a position in the agency meant to represent the interests of taxpayers.
As part of her role at the IRS, she said, she contributed to the development of regulations that govern disclosures of tax information. Olson said the IRS regulations controlling the way private tax filing services can use data are intentionally “very strong.”
Under the regulations she helped develop, tax preparers—including e-filing companies—can use the information they receive from taxpayers only for limited purposes; for anything beyond immediately facilitating filing, the preparer has to get signed consent from the user that explains the recipient and the precise information being disclosed.
The government goes so far as to prescribe even the font size of requests for disclosure, saying it must be “the same size as, or larger than, the normal or standard body text used by the website or software package.”
The penalties for disclosing data without consent are potentially steep: Fines and even jail time are possible, although Olson said she wasn’t aware of any criminal cases that have been pursued.
The Markup reviewed the tax preparation websites for disclosures that specifically mentioned Meta or Facebook but did not find them. Instead, some companies included relatively broad disclosure agreements.
TaxAct, for example, requested users approve sending their tax information to its sister company, TaxSmart Research LLC, so it could “develop, offer, and provide products and services” for users. It also stated “TaxSmart Research LLC may use service providers and business partners to accomplish these tasks.” H&R Block, meanwhile, included nearly the same disclosure request so “H&R Block Personalized Services, LLC” could provide products of its own. Those sites provided the user with the option to decline to share tax information, although data was shared with Facebook regardless of what option users chose, according to The Markup’s tests.
Any disclosure from a tax preparer must provide the exact purpose and recipient to be in compliance, Olson said. “Do they have a list saying they’re going to disclose the refund amounts, and your children, and your whatever to Facebook?” she said. If not, she said, they may be in violation of regulations.
The IRS declined to comment or answer questions about whether any of the sites sharing tax information were in violation of tax law.
No Way Out for Taxpayers
American taxpayers have few options but to turn to private companies to file their returns.
Unlike other countries, the United States has a heavily privatized system for filing taxes, one that often requires the use of third-party tax preparers. While in those other countries the government handles the calculations, and taxpayers simply approve the numbers, after a successful lobbying push from private companies, tax preparers in the U.S. effectively act as middlemen between taxpayers and the government.
Tax preparation is now big business: Market researchers have estimated that it’s a more than $11 billion industry in the United States.
A free preparation and filing option exists, but it’s limited to people making $73,000 or less and can be difficult to use. Companies offer their tax software at no charge through an agreement with the IRS but have been criticized for not making the option easily available.
The IRS even effectively directs taxpayers attempting to file for free to some of the companies The Markup found using the pixel. A handful of tax preparation services are part of the agreement, known as the Free File Alliance—including TaxAct and TaxSlayer. TurboTax and H&R Block have been part of the program in the past.
Harvard’s Matlock said The Markup’s findings showed the almost inevitable consequences of relying on for-profit companies to handle a government requirement. It’s a process that provides users little choice but to hand over their data to Facebook if they want to comply with the law, she said.
“It’s frustrating because taxpayers have been pushed into the arms of these private, for-profit companies simply to comply with their tax filing obligations,” she said. “We have no choice, really, in the matter.”
By Simon Fondrie-Teitler, Angie Waller, and Colin Lecher