Tax Filing Software Sent Sensitive User Information to Facebook: Report

Tax Filing Software Sent Sensitive User Information to Facebook: Report
A car passes Facebook's new Meta logo on a sign at the company headquarters in Menlo Park, Calif., on Oct. 28, 2021. (Tony Avelar/AP Photo)
Bryan Jung

Popular tax filing software, such as TaxAct, TaxSlayer, and H&R Block, reportedly violated financial privacy by sending sensitive personal information to Meta’s Facebook.

Meta’s Pixels, Facebook’s widely used code that tracks user activity on the internet, allowed the social media giant to secretly receive personal financial information through online tax filing services, according to a joint investigative report by The Markup and The Verge on Nov. 22.
The unauthorized data collection was discovered earlier this year by The Markup, in a project with Mozilla Rally called “Pixel Hunt,” in which participants installed a browser extension that sent the investigators a copy of all data shared with Meta through the pixel.

The Internal Revenue Service says that it processes about 150 million electronic individual tax returns a year.

Unlike other countries, the United States has a privatized tax filing system that utilizes third parties to prepare individual filings, leaving American taxpayers at the mercy of private companies to file their returns.

Tax preparation has become a massive $11 billion industry in the United States, according to research data.

Meta Using Pixels to Track and Gather Info

The Pixel trackers embedded in the tax preparation software forwarded information like names, email addresses, income information, and refund and college scholarship amounts to Meta, in violation of its official policies.

Facebook allegedly took the sensitive tax data to boost its advertising algorithms, even if an individual using the tax filing services did not have an account on platforms owned by its parent, Meta, said the report.

This is not the first time Facebook’s code has been exposed for tracking people online without their consent, and Meta has long been known for exploiting its technology that publishers and businesses embed on their websites.

Facebook admitted to Congress in 2018 that there were more than 2 million Pixels across the web, as part of its massive data harvesting operation that most internet users were not aware of.

The trackers were willingly installed by companies to allow them to target ads toward potential customers based on sites that they previously visited and would later send a message back to Facebook recording each visit.

The logo of Google during the Viva Tech start-up and technology summit in Paris on May 25, 2018. (Charles Platiau/Reuters)
The logo of Google during the Viva Tech start-up and technology summit in Paris on May 25, 2018. (Charles Platiau/Reuters)

Forced to Confront Data Breach

Meanwhile, The Markup also discovered that TaxAct had transmitted similar financial information to Alphabet through its Google Analytics tool, but did not share individual names.

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” Megan McConnell, a spokesperson for Ramsey Solutions, a financial advisory firm that uses TaxSlayer, told The Markup.

McConnell said that Ramsey told TaxSlayer to remove Pixel tracking from its SmartTax software, which suggested that many clients were unaware of the security breach.

She explained an email that the company only “implemented the Meta Pixel to deliver a more personalized customer experience.”

Intuit’s TurboTax, the most used online filing software in the United States, also utilized the Pixel, but they denied sending financial information to Meta, but only forwarded usernames along with the last time a customer signed in.

The tax service company told The Markup that the Pixel is not used on its website past the sign-in page.

Intuit’s use of Pixels “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” Rick Heineman, a company spokesperson told The Markup.

An H&R Block spokesperson told CNBC that the company took “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.”

“The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations,” a TaxAct spokesperson told CNBC, regarding The Markup report.

“Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

The Facebook app is shown on a smartphone in Surfside, Fla., on April 23, 2021. (Wilfredo Lee, File/AP Photo)
The Facebook app is shown on a smartphone in Surfside, Fla., on April 23, 2021. (Wilfredo Lee, File/AP Photo)

Tax Preparation Firms Restrict Use of Pixel

Since news of the report broke, TaxAct said that it will no longer send financial details like income and refund amount to Meta, but would continue to send the names of dependents and would still send financial information to Google Analytics, The Markup reported.

TaxSlayer told The Markup in an email that the company had removed the Pixel from its software and would reevaluate its use.

“Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” said TaxSlayer spokesperson, Molly Richardson, who added that Ramsey Solutions had also “decided to remove the pixel.”

TaxSlayer and Ramsey Solutions have since removed the Pixel from their tax filing sites, while TurboTax has stopped sending usernames through the Pixel at sign-in, The Markup reported.

H&R Block will now only send Pixel information on health savings accounts and college tuition grants.

Google and Meta Defend Data Tracking

However, spokespersons for Google and Meta defended their software and blamed the tax preparation companies for improperly sending private data to them.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” Google spokesperson Jackie Berté told The Markup.

“Additionally, Google has strict policies against advertising to people based on sensitive information.”

“Advertisers should not send sensitive information about people through our Business Tools,” Dale Hogan, a Meta spokesperson, told The Markup in a statement.

“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Hogan pointed to Meta’s rules regarding the use of potentially sensitive information to include information about income, loan amounts, and debt status.
Bryan S. Jung is a native and resident of New York City with a background in politics and the legal industry. He graduated from Binghamton University.
Related Topics