Tax Filing Websites Have Been Sending Users' Financial Information To Facebook (theverge.com) 48

Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned. From the report: The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users' income, filing status, refund amounts, and dependents' college scholarship amounts.

The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta. Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.

  • It is worth reading the article to see who is doing what. I never use the online tool (and tell my kids not to as well) because of just this potential problem. Apparently TurboTax (which I've used a lot) does a pretty good job. Read the terms and services carefully!
  • by coofercat ( 719737 ) on Tuesday November 22, 2022 @10:18AM (#63071054) Homepage Journal

    The FB/Google/Other "pixels" are of course nothing new. What I'm personally surprised about is just how much information they have hoovered up from the pages they're on. It feels like it's so much it ought to be illegal.

    If a pixel scoops up some details about my browser, to some extent that's sort of acceptable. It's uniquely identifying me around the Internet, which is its supposed main aim. However, if it's also reading all the web pages and forms I fill in, then that seems like an overreach. I don't think anyone would think of that as being "public" information, or even the sort of information that the Ts and Cs say they might send to third parties. As such, for me at least, it's outside my expectation of privacy.

    In one such case I was slightly involved with, a tracking pixel was collecting *all* of the cookies on a user's browser and sending them to the mothership. This obviously opens the door to all sorts of confidentiality issues, opportunities for cookie-jacking and whatever else. By comparison though, this seems like a drop in the ocean compared to what this story is talking about.

    Either way, for me personally I have the anti-FB hosts file thing in place, so those pixels mostly don't work on me. I have umpteen noscript and ublocks running too, so a lot of the non-FB ones don't work very well either. Even still, plenty of those pixels do still work, and it seems are reading a lot more than I'd have given them credit for.

    • by Scoth ( 879800 ) on Tuesday November 22, 2022 @10:47AM (#63071120)

      It shouldn't have been possible for a tracking pixel to collect all cookies unless there was a browser bug or exploit going on. There's been various levels of cross-site cookie protection going way back, and short of a bug it can't pull All cookies. Embedded content can pull cookies for the parent site in various ways (CSRF, intentional design choices that were misused, etc) and if it was able to inject a script onto the parent site it might have been able to get more info from it, but it shouldn't have been possible to get all cookies.

      That's not to say there isn't tons of misuse going on and I do my best to block all kinds of tracking and advertising shit too, because of all the infection vectors involved. And there has been tons of random browser bugs that reveal that kind of info, so it's entirely believable that happened.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        It shouldn't have been possible for a tracking pixel to collect all cookies unless there was a browser bug or exploit going on.

        Don't worry, it isn't possible.

        But it's possible for javascript, running in the browser and having access to the DOM (and other things), to access that data and put it into a pixel's URL and then have the browser request that URL.

        Disabling javascript will very likely fix the problem. (But if the website's author decided to have it not work without javascript, then it fixes the probl

        • by _xeno_ ( 155264 ) on Tuesday November 22, 2022 @01:24PM (#63071552) Homepage Journal

          But it's possible for javascript, running in the browser and having access to the DOM (and other things), to access that data and put it into a pixel's URL and then have the browser request that URL.

          Which is what happens. I'm not sure why they're still being called "tracking pixels" when in reality they're full-fledged giant JavaScript libraries. I'm not even sure they bother with embedding a "pixel" into the page since they have full access to AJAX and a host of other methods to send data back.

          The "Meta Pixel" mentioned in the summary isn't a single pixel <img>: it's a JavaScript library. "Meta Pixel" is the brand name, but it's not "a pixel" - it's JavaScript. I think these days they just have you embed a script tag that "bootstraps" everything but I haven't looked into it enough to see if they have an <img> "fallback" for people who do disable JavaScript. But in any case, the majority of the tracking is done via "modern" HTML5 technologies, and not just by hiding single pixel images.

          Also, apparently mentioning JavaScript too much triggers CloudFlare to ban your IP, which is hilarious.

    • by B'Trey ( 111263 ) on Tuesday November 22, 2022 @11:13AM (#63071202)

      uMatrix

      * facebook.com * block
      * fbcdn.net * block ...
      facebook.com facebook.com * allow
      facebook.com fbcdn.net * allow

      Facebook can see what I do on facebook.com. It's blocked everywhere else.

      • whack a mole. How do you know they don't have others? If I were facebook I'd use something like asd72fjcs9342.yolo

        • If I were blocking, I wouldn't use hostnames. I'd use their publicly registered IP address blocks to determine what to cut off.

    • Let's clear up some of this.

      "However, if it's also reading all the web pages and forms I fill in, then that seems like an overreach ... Even still, plenty of those pixels do still work, and it seems are reading a lot more than I'd have given them credit for."

      Cookies can't "read" web pages and the forms you fill in. They're bits of data that the browser transmits alongside a request from a client back to its server. Cookie values are sent by the web host and saved on your browser, not the reverse.

      "a tracking

  • by prisoner-of-enigma ( 535770 ) on Tuesday November 22, 2022 @10:21AM (#63071064) Homepage

    I'm going to guess some (maybe all?) of this data is stuff these services gleaned from their "free" tax filing services. If that's the case, always remember this maxim: if what you're getting is free, you are the product. With the rise of the information economy, what people know about you is of immense value at the scale of tens or hundreds of millions of "consumers."

    • by bugs2squash ( 1132591 ) on Tuesday November 22, 2022 @10:29AM (#63071078)
      Who's to say they're not doing it when you go into their office and pay to have them do your taxes ?
      • by Scoth ( 879800 )

        It'd be interesting to pull and compare any paperwork/terms/contracts/etc that brick and mortar tax prep places make you sign. I'd be surprised if there wasn't at least some kind of data sharing going on, but probably way less. In general you're paying them (sometimes a non-trivial amount of money) to handle it all and it's a much more "traditional" setup than shoving all your financial data into a bunch of online forms and giving who knows what websites access to it all. I'd bet there are still tax prep co

      • Or the download-for-$$ software might be doing something similar.

        The H&R Block software asks for permission to use your data for marketing. We tell them "hell NO", but given this revelation can they be trusted?

      • by SomePoorSchmuck ( 183775 ) on Tuesday November 22, 2022 @02:08PM (#63071688) Homepage

        Who's to say they're not doing it when you go into their office and pay to have them do your taxes ?

        The IRS is to say.

        It is a violation of Federal law for any tax preparer to disclose information on your tax filing without your explicit consent. They are required by law to ask for your consent BEFORE collecting any information. And they cannot make your consent a mandatory condition of their services. If they do, the consent is void, by law.

        This revenue procedure applies to all tax return preparers, as defined in 301.7216-1(b)(2), who seek consent to disclose or use tax return information pursuant to 301.7216-3 and 301.7216-3T with respect to taxpayers who file a return in the Form 1040 series, e.g., Form 1040, Form 1040NR, Form 1040A, or Form 1040EZ.

        SECTION 4. FORM AND CONTENT OF A CONSENT TO DISCLOSE OR A CONSENT TO USE FORM 1040 TAX RETURN INFORMATION .01 Separate Written Document. Except as provided by 301.7216-3(c)(1) (special rule for multiple disclosures or uses within a single consent form), and described in section 4.05, below, a taxpayer’s consent to each separate disclosure or use of tax return information must be contained on a separate written document, which can be furnished on paper or electronically. For example, the separate written document may be provided as an attachment to an engagement letter furnished to the taxpayer.

        The consent language itself is mandated by law:

        (1) The following statements must be included in a consent under the circumstances described below, except that a tax return preparer may substitute the preparer’s name where “we” or “our” is used.

        (b) Consent to disclose tax return information in tax preparation or auxiliary services context. If a tax return preparer is otherwise required to obtain a taxpayer’s consent to disclose the taxpayer’s tax return information to another tax return preparer for the purpose of performing services that assist in the preparation of, or provide auxiliary services (as defined in 301.7216-1(b)(2)(ii)) in connection with the preparation of, the tax return of the taxpayer, any consent to disclose tax return information must contain the following statements in the following sequence:

        Federal law requires this consent form be provided to you. Unless authorized by law, we cannot disclose, without your consent, your tax return information to third parties for purposes other than the preparation and filing of your tax return and, in certain limited circumstances, for purposes involving tax return preparation. If you consent to the disclosure of your tax return information, Federal law may not protect your tax return information from further use or distribution.

        You are not required to complete this form. Because our ability to disclose your tax return information to another tax return preparer affects the service that we provide to you and its cost, we may decline to provide you with service or change the terms of service that we provide to you if you do not sign this form. If you agree to the disclosure of your tax return information, your consent is valid for the amount of time that you specify. If you do not specify the duration of your consent, your consent is valid for one year.

        • I dunno man, it says right there

          we may decline to provide you with service or change the terms of service that we provide to you if you do not sign this form

          • I dunno man, it says right there

            we may decline to provide you with service or change the terms of service that we provide to you if you do not sign this form

            Right. The consent must be explicitly requested and received in those terms before you begin. I should have included both Paragraph (a) and (b).

            Paragraph (b) [quoted in my GP comment] is for situations where a tax preparer wants to disclose your information to another tax preparer for the purposes of preparing your return. For example, your accountant may need to consult with an expert in Inheritance regulations to prepare your return. If you refuse to grant consent for that disclosure, your accountant can,

    • Then why do people have to pay to use H&R Block, etc?
    • I'm going to guess some (maybe all?) of this data is stuff these services gleaned from their "free" tax filing services. If that's the case, always remember this maxim: if what you're getting is free, you are the product. With the rise of the information economy, what people know about you is of immense value at the scale of tens or hundreds of millions of "consumers."

      You're right, but perhaps not for the reason you think.

      The "Free File Alliance" agreement between the IRS and tax-prep companies says the tax-prep folks must provide free filing services to certain ranges of taxpayers (sorted by AGI), BUT it also makes it pretty clear that tax-prep companies can use their free services as experimental R&D, to test services and features which make their entire product line better, including their higher tier of paid services.

      So yes, free users are the product - in this c

  • And the race is on (Score:5, Insightful)

    by laughingskeptic ( 1004414 ) on Tuesday November 22, 2022 @10:35AM (#63071090)
    by attorneys to court houses to file class action lawsuits that make them millions and get the plaintiffs a coupon.
  • by Anonymous Coward

    I understand the intent, but the presentation is inaccurate enough to be misleading. This is not pedantry; it matters because it has huge implications for how you go about fixing the problem. If you accept the inaccuracy, then your efforts to address the problem are guaranteed to fail, so keep an eye on everyone who erroneously says what TFM says:

    A pixel on TaxAct’s website then sent some of that data to Facebook

    No, it doesn't. Go look at a pixel some time. Notice: no I/O capabilities. No processing.

    • <img src="https://facebook.com/tracking_pixel.jpg?income=11billiondollars&married_status=yes">

      How is that anything other than a image that sends data?
      • by 0xG ( 712423 )
        The hypertext you provided comes from a server, which does not yet know the figures as suggested.
        • The browser includes a referer header when fetching the pixel. If ever the pixel is on the landing page of a form, and if the form uses the GET method (unlikely nowadays, fortunately), then the pixel will see the form content.

          But in the present case it's more likely (as others have pointed out) that the "pixel" was actually a snippet of javascript downloaded from the malicious server. The javascript has access to the DOM of the calling page, and could conceivably read the form content that way,
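
As an added example (not part of the original thread, and not code from any of the sites or trackers discussed), the following Node.js code audits a list of captured requests, such as entries exported from the browser's network tab, for values typed into a form that reappear in the query string of a third-party request or in its Referer header. It covers both paths described in the comments above: script-built beacon URLs and Referer leakage from GET forms. The hosts, parameter names and values are constructed sample data.

```javascript
// Audit captured requests for form values that leave the first-party site.
// Every host, parameter name and value below is constructed sample data.

// True when `host` is `site` itself or one of its subdomains.
function sameSite(host, site) {
  return host === site || host.endsWith("." + site);
}

// Normalise for comparison: lower-case and keep only letters and digits,
// so "$52,300" typed into a form still matches "52300" in a beacon URL.
function norm(s) {
  return String(s).toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Decoded [name, value] pairs from a URL's query string ([] if unparsable).
function queryPairs(urlString) {
  try {
    return [...new URL(urlString).searchParams.entries()];
  } catch {
    return [];
  }
}

// requests: [{ url, referer? }]; formValues: { fieldName: valueTheUserTyped }
// Returns one finding per (third-party request, parameter, form field) match.
function findLeaks(firstPartySite, formValues, requests) {
  const wanted = Object.entries(formValues)
    .map(([field, v]) => [field, norm(v)])
    .filter(([, v]) => v.length >= 4); // very short values match by accident
  const findings = [];
  for (const req of requests) {
    let host;
    try {
      host = new URL(req.url).hostname;
    } catch {
      continue; // not an absolute URL, nothing to audit
    }
    if (sameSite(host, firstPartySite)) continue; // first-party traffic
    const sources = [["url", req.url]];
    if (req.referer) sources.push(["referer", req.referer]);
    for (const [via, u] of sources) {
      for (const [param, value] of queryPairs(u)) {
        const nv = norm(value);
        for (const [field, fv] of wanted) {
          if (nv.includes(fv)) findings.push({ host, via, param, field });
        }
      }
    }
  }
  return findings;
}

// Constructed capture: one first-party save, one script-built beacon,
// one image fetched from a GET-form landing page, one unrelated font request.
const SAMPLE_FORM = { income: "$52,300", filingStatus: "married", email: "pat@example.com" };
const SAMPLE_REQUESTS = [
  { url: "https://www.taxsite.example/api/save?income=52300&status=married" },
  { url: "https://tracker.example/tr?ev=FormSubmit&income=52300&married_status=married&em=pat%40example.com" },
  { url: "https://cdn.tracker.example/p.gif",
    referer: "https://www.taxsite.example/review?income=52300&status=married" },
  { url: "https://fonts.example/css?family=Inter" },
];

function auditSample() {
  return findLeaks("taxsite.example", SAMPLE_FORM, SAMPLE_REQUESTS);
}

for (const f of auditSample()) {
  console.log(`${f.field} -> ${f.host} (${f.via}, parameter "${f.param}")`);
}
```

The Referer path only produces findings when the page's referrer policy lets the full URL through; the current browser default, `strict-origin-when-cross-origin`, sends only the origin on cross-site requests.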

    • Re-reading your comment it seems like you understand what it's talking about. I really fail to see how your blame of the web browser makes any difference. That's how HTTP works. It's not the browser's fault that it's complying with the standard. I guess you'd argue that browsers should only ever pull data from a single origin, maybe? That just forces the problem underground, and causes companies to just proxy requests. Also reduces the use of things like cdns, just makes things more expensive without any impr
  • by Sloppy ( 14984 ) on Tuesday November 22, 2022 @12:17PM (#63071386) Homepage Journal

    Our government goes out of its way to cause this problem. There is no legitimate reason the IRS should require a middleman for online tax return filing.

    Maybe we should stop giving these companies these government-created do-nothing jobs.

    I know, I know, the companies paid the congresscritters during their campaigns so now they're entitled to have the law serve their interests at the expense of our interests. But can't we just give them cash instead? Just increase everyone's taxes by a few thousand dollars per person, send that money to whoever funds our politicians' campaigns (every time you give money to a campaign, if your guy wins, then your contribution becomes a share). And then once that payment is made, it should allow for the law to be for us, instead of for them. They get free money for their campaign investment and we get sensible policy. Everybody wins.

    (I realize the above paragraph is silly, but it would nevertheless be an upgrade from the status quo, wouldn't it?)

    • by Pascoea ( 968200 ) on Tuesday November 22, 2022 @12:40PM (#63071440)
      ^This. For your average citizen there is absolutely no (valid) reason why any 3rd party should be involved in preparing and submitting a tax return. I've used several (Turbotax, TaxSlayer, Tax Act, probably one or two more) over the years. They are all functionally identical with a different "pretty" wrapper around it, none of them have any "killer" functionality, the only difference is the color scheme and price. I don't trust the gov't with a lot of things, but this one is brain-dead-level-simple.
      • ^This. For your average citizen there is absolutely no (valid) reason why any 3rd party should be involved in preparing and submitting a tax return. I've used several (Turbotax, TaxSlayer, Tax Act, probably one or two more) over the years. They are all functionally identical with a different "pretty" wrapper around it, none of them have any "killer" functionality, the only difference is the color scheme and price. I don't trust the gov't with a lot of things, but this one is brain-dead-level-simple.

        ^This.

        • ^This. For your average citizen there is absolutely no (valid) reason why any 3rd party should be involved in preparing and submitting a tax return. I've used several (Turbotax, TaxSlayer, Tax Act, probably one or two more) over the years. They are all functionally identical with a different "pretty" wrapper around it, none of them have any "killer" functionality, the only difference is the color scheme and price. I don't trust the gov't with a lot of things, but this one is brain-dead-level-simple.

          ^This. This....

          :)

          But seriously, you got it right.

          The IRS could and should set up a secure website, and could start with this VERY easy section that would cover most people in the US, the straight 1099 using only std deductions, etc.

          That's low hanging fruit that would help the majority of folks in the US...and then, just build from there.

          You can read the Memorandum Of Understanding between the IRS and the big tax-prep companies for the detailed answer.

          But the summary is:
          The Free-File service allows the government to publicly grandstand like it forced companies to provide Free! services to taxpayers, but in reality it is the companies extracting a promise that the government WON'T set up exactly the scenario you describe, for exactly the reason you describe

          There are millions upon millions of people whose financials are so basic that they can

    • Freefilefillableforms.com is technically a middleman, but they let you file your tax return for free, and the IRS recommends them.
  • by SomePoorSchmuck ( 183775 ) on Tuesday November 22, 2022 @01:59PM (#63071652) Homepage

    Let's start with the Free-File Alliance -- a 20 year old gov-corp agreement whereby tax preparation companies agreed to provide certain groups of taxpayers with free filing services, and in return the US Government agreed to stay out of the "market" and not set up its own competing e-file service.

    There is extensive documentation on how the agreement works. [irs.gov]

    Free-File participants cannot follow their own standards of data privacy, confidentiality, and retention. They are legally obligated to follow standards set by the IRS.
    The Free-File Alliance makes what is potentially a legally-actionable claim on their website: [freefilealliance.org]

    May a Free File Alliance company share my data with anyone besides the IRS?
    No. As part of the agreement, the Free File Alliance companies must adhere to the strict privacy standards of the IRS. Only with your permission and in accordance with Treasury regulations may the company disclose your tax return information.

    So what are these IRS/Treasury regulations?

    ALL online filing websites are defined by law [irs.gov] as "Tax Preparers".

    Tax return preparers are persons that participate in the preparation of tax returns for taxpayers, including but not limited to:

    Return preparers that are in business or hold themselves out as preparers*
    Casual preparers that are compensated
    Electronic return originators**
    Electronic return transmitters**
    Intermediate Service Providers**
    Software Developers**
    Reporting Agents**
    The definition also extends to those that assist others in preparing returns or performing auxiliary services in connection with preparing returns, or are employed by preparers and perform auxiliary services in connection with the preparation of tax returns.

    In addition, tax preparers are on the hook for ANY other services they contract with to provide their services.

    As such, they must adhere to IRS standards for data privacy [irs.gov]

    An excerpt from these standards:

    (1) Mandatory statements in the consent. The following statements must be included in a consent under the circumstances described below, except that a tax return preparer may substitute the preparer’s name where “we” or “our” is used.

    (a) Consent to disclose tax return information in context other than tax preparation or auxiliary services. Unless a tax return preparer is obtaining a taxpayer’s consent to disclose the taxpayer’s tax return information to another tax return preparer for the purpose of performing services that assist in the preparation of, or provide auxiliary services (as defined in 301.7216-1(b)(2)(ii)) in connection with the preparation of, the tax return of the taxpayer, any consent to disclose tax return information must contain the following statements in the following sequence:

    Federal law requires this consent form be provided to you. Unless authorized by law, we cannot disclose, without your consent, your tax return information to third parties for purposes other than the preparation and filing of your tax return. If you consent to the disclosure of your tax return information, Federal law may not protect your tax return information from further use or distribution.

    You are not required to complete this form. If we obtain your signature on this form by conditioning our services on your consent, your consent will not be valid. If you agree to the disclosure of your tax return information, your consent is valid for the amount of time that you specify. If you do not specify the duration of your consent, your consent is valid for one year.

    It looks like any company that did not explici

  • and while the tracking pixels were in use, there was also, EVERY SEASON, and sometimes more than once, auditing from a variety of external sources, including the IRS.

    So while this in no way negates the responsibility of the companies to police their compliance, it does surprise me that none of the external audits missed this.
  • Consumer protection is no excuse for replacing private tax filing with a public IRS application. Maybe I want Facebook to know my H&R Block tax return? Now that my yearly return is 50% lower it's the perfect amount for splurging on stuff I don't need; And that extra $50 each month is the perfect size for buying name brand rather than generic at the store.
  • I don't see a Facebook tracking pixel on FreeTaxUSA. That doesn't mean they don't have one lurking around in the forms, but the homepage seems free of the Facebook/Meta pixel.

    Regardless, Ghostery seems like an obvious solution to the privacy tracking problems with filing online.

  • And by "Sending data to Facebook" they actually mean "Have user tracking by Facebook which maliciously steals any data it can from the website it's implemented on".

    This is bad acting by Facebook, not the tax companies. Their implementation of FB analytic tracking is misguided, and some of them might not care about the over-collection of data, but it's not intentional and they're not 'sending the data' to Facebook.

    Instead of just counting unique users and tracking which pages they go to for the tax com
