Tax prep firms 'recklessly shared' your data with Google and Meta – senators

Lawmakers, yet to pass a national privacy law, demand action on money

Incredible as it may seem, US tax preparation companies using Google and Meta tracking technology have been sending sensitive information back to the megacorps, not to mention other tech firms, it is claimed.

Seven US lawmakers on Wednesday released a 54-page report [PDF] detailing the "outrageous, extensive, and potentially illegal sharing of taxpayers' sensitive personal and financial information with Meta by online tax preparation companies."

Google and Meta say it's not their fault their data-gathering tools have been misconfigured to gather data, however.

The report, titled "Attacks on Tax Privacy: How the Tax Prep Industry Enabled Meta to Harvest Millions of Taxpayers’ Sensitive Data," comes after a seven month investigation. It finds that TaxAct, TaxSlayer, and H&R Block shared sensitive personal and financial taxpayer data through their use of Meta Pixel and Google's ad tools.

The lawmakers involved – US Senators Elizabeth Warren (D-MA), Ron Wyden (D-OR), Richard Blumenthal (D-CT), Tammy Duckworth (D-IL), Bernie Sanders (I-VT), and Sheldon Whitehouse (D-RI), along with Representative Katie Porter (D-CA) – want (dramatic pause) further investigation.

“The findings of this report reveal a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms that appeared to violate taxpayers’ rights and may have violated taxpayer privacy law," the lawmakers wrote in a letter [PDF] at a time when the US still does not have a national data protection law.

"Relevant enforcement entities – including the IRS, the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission (FTC), and the Department of Justice (DOJ) should fully investigate this matter and prosecute any company or individuals who violated the law."

According to the letter, the tax prep firms may have broken the law. One firm, TaxAct, is said to have shared, via Meta Pixel, not just taxpayer filing status, adjusted gross income, and names of dependents, but also details like federal tax owed, buttons clicked, and text-entry forms. Also transmitted were hashed values computed from shared full names, email, country, state, city, and zip codes, phone numbers, and the person's gender.

"Meta also confirmed that it used the data to target ads to taxpayers, including for companies other than the tax prep companies themselves, and to train Meta’s own AI algorithms," said lawmakers in their letter.

Google operates a huge online ad business and its data practices have raised a few privacy concerns over the years.

Meta also dabbles in digital advertising and it too has come under scrutiny, on occasion, for gathering and sharing sensitive data.

Both companies offer pixels for tracking and analytics – through, among other services, Google Analytics and Meta Pixel, which was known as Facebook Pixel until the company rebranded itself for some reason that may have something to do. with privacy

Companies add a bit of tracking code to their web pages and these pixels then capture all sorts of information when these web pages get loaded.

This has been going on for almost as long as the World Wide Web has existed. Back in the late 1990s, Richard Smith, then CTO of the Privacy Foundation, first raised the alarm about what he called "web bugs" – single pixel images designed to monitor web pages and HTML email messages.

Since then, nothing has changed. Well, that's not entirely true. Advertisers didn't like the term "bug" – it implied surveillance, as did "spy pixel." So they started using euphemisms like "web beacon," "tag," and "pixel."

Extension makers began developing countermeasures and eventually browser developers offered defenses as well. And regulators in various countries began passing laws that disallow some of this data grabbing, in some cases, depending on how you define things.

For all that, there are still reports about the persistent ubiquity of spy pixels, with Meta Pixel showing up on the US government's student financial aid website, and assorted other Google data privacy concerns.

Google Analytics debuted in 2005 and has gone through various revisions since then. Meta Pixel was born as Facebook Pixel in 2015. It followed Facebook Beacon, launched in 2007 and shut down in 2009, per a contrite blog post from CEO Mark Zuckerberg, to settle a privacy lawsuit.

In an email to The Register, a Meta spokesperson put the blame on those implementing Meta Pixel.

"We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools," Meta's spokesperson said. "Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect."

The lawmakers' letter observes that while Google and Meta claim to have mechanisms to prevent the collection of taxpayer data, "these filtering systems appeared to be ineffective."

Google, which last year prepared a blog post to allay concerns among EU officials about Google Analytics, offered a response similar to Meta's.

"We have strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual," a spokesperson said in an emailed statement.

"Site owners – not Google – are in control of what information they collect and must inform their users of how it will be used. Additionally, Google has strict policies against advertising to people based on sensitive information."

Or as Apple co-founder Steve Jobs once suggested, you're holding it wrong. ®

More about


Send us news

Other stories you might like