You can’t see them, but Meta’s trackers are built into millions of websites across the Internet, collecting data on where you go and what you do and sending it back to Meta. A recent investigation shows that these trackers are on sites that even the most cynical of us might expect to be off-limits: those belonging to hospitals, including patient portals that are supposed to be protected by health privacy laws.
This week, The Markup, a nonprofit news organization that covers the harms of technology, released the latest findings from its investigation into Meta Pixels, which are pieces of code that developers can embed in websites to track their visitors. So far, these stories reveal how websites owned by the government, pregnancy counseling centers, and hospitals send data to Meta via Pixels, much of which would be considered sensitive by the users who unknowingly provided it.
It’s easy and understandable to blame Meta for this, given the company’s well-deserved, less than stellar reputation for user privacy. With Pixel and other trackers, Meta has played an important role in building the privacy-free, data-leaking online world that we have to navigate today. The company provides a tracking system designed to extract user data from millions of sites and turn it into advertising gold, and it knows very well that there are many cases where the tool has been misapplied at best and abused at worst. But this could also be a rare case of a Meta privacy scandal that’s not entirely Meta’s fault, in part because Meta did everything it could to place that blame elsewhere.
Or, as security researcher Zach Edwards put it: “Facebook wants to have its own data cake and not eat the breaches either.”
Companies choose to place Meta’s trackers on their websites and apps, and they choose which data about their visitors to send to the social media giant. Nowadays, there is simply no good excuse for developers who use Meta’s business tools not to understand how they work or what user data is sent through them. At the very least, developers should not put them on health care scheduling pages or patient portals, where users have every reason to expect that their data is not being secretly sent to curious third parties, because these sites often explicitly tell them that it is not. Meta created a monster, but these websites are feeding it.
How Pixel makes tracking too easy
Meta makes Pixel available for free for companies to embed on their sites. Pixel collects and sends data about site visitors to Meta, and Meta can match it to a Facebook or Instagram profile, giving it a much better idea of who that user is. (There are also cases where Meta collects data about people who don’t even have Meta accounts.) Some data, such as the visitor’s IP address, is collected by Meta automatically. But developers can also set up Pixel to track what it calls “events”: various actions taken by users of the site. These can include clicks on links or answers in forms they fill out, and they help businesses better understand consumers or focus on specific behaviors or actions.
All of this data can then be used to target ads to these people or to create what are known as “lookalike audiences.” That is when a business asks Meta to send ads to people Meta thinks are similar to its existing customers. The more data Meta receives from businesses through these trackers, the better it should be able to target ads. Meta may also use this data to improve its own products and services. Companies can also use Pixel data for analytics to improve their products and services.
Businesses (or third-party providers with whom they contract to build their websites or run advertising campaigns) have a lot of control over what data Meta receives about their customers. The Markup found that on some of the sites in its report, hospital appointment pages sent Meta the name of the person who booked the appointment, the date and time of the appointment, and which doctor the patient was seeing. If this happens, it’s because someone on the hospital’s end set up Pixel to do it. Either the hospital did not take due care to protect this data, or it did not consider it data worth protecting. Or maybe it assumed that Meta’s tools would prevent the company from collecting or using any sensitive data sent to it.
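An added example, not code from the investigation or from Meta: a site owner's audit over request URLs captured from their own pages (for instance, from a browser's network log), listing what each Pixel request to `facebook.com/tr` carries. It assumes the page URL travels in the `dl` parameter and custom event fields in `cd[...]`; the sample capture, host names, pixel ID, and the sensitive-key and path patterns are constructed for illustration.

```javascript
// Audit captured request URLs for Meta Pixel events (added example).
// Key and path patterns are assumptions; tune them for your own site.
const SENSITIVE_KEY = /name|email|phone|doctor|provider|appointment|date|time|condition|medication|search/i;
const SENSITIVE_PATH = /appointment|schedule|portal|patient/i;

function isPixelEndpoint(url) {
  const host = url.hostname.toLowerCase();
  return (host === 'facebook.com' || host.endsWith('.facebook.com')) &&
         /^\/tr\/?$/.test(url.pathname);
}

// Returns one finding per Pixel request: event name, originating page,
// custom-data keys (cd[...]), and the reasons it deserves review.
function auditPixelRequests(requestUrls) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed entries
    if (!isPixelEndpoint(url)) continue;

    const customKeys = [];
    for (const key of url.searchParams.keys()) {
      const m = /^cd\[(.+)\]$/.exec(key);
      if (m) customKeys.push(m[1]);
    }
    const page = url.searchParams.get('dl') || '';
    let pagePath = page; // fall back to the raw value if it is not a full URL
    try { pagePath = new URL(page).pathname; } catch { /* keep raw value */ }
    const reasons = [];
    if (SENSITIVE_PATH.test(pagePath)) reasons.push('fires on a sensitive page');
    const flagged = customKeys.filter((k) => SENSITIVE_KEY.test(k));
    if (flagged.length) reasons.push('sensitive fields: ' + flagged.join(', '));

    findings.push({
      pixelId: url.searchParams.get('id'),
      event: url.searchParams.get('ev'),
      page, customKeys, reasons,
    });
  }
  return findings;
}

// Constructed sample capture (not real traffic; placeholder pixel ID and hosts).
const SAMPLE_CAPTURE = [
  'https://www.facebook.com/tr/?id=000000000000000&ev=PageView&dl=https%3A%2F%2Fhospital.example%2Fabout',
  'https://www.facebook.com/tr/?id=000000000000000&ev=Schedule&dl=https%3A%2F%2Fhospital.example%2Fappointments%2Fnew&cd%5Bdoctor_name%5D=REDACTED&cd%5Bappointment_time%5D=REDACTED',
  'https://cdn.example/static/app.js',
];
```

Any finding with a non-empty `reasons` list on an appointment or portal page is a configuration to remove or justify before the page ships.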
In its latest hospital investigation, The Markup found that one-third of the hospitals it surveyed from the list of the 100 best hospitals in the country have Pixel on their appointment pages, and seven health systems have Pixels on their patient portals. Several of the websites removed Pixel after being contacted by The Markup.
How can a hospital justify all this? The only hospital that gave The Markup a detailed answer, Houston Methodist, said it did not believe it was sending protected health information to Meta. The Markup found that the hospital’s website told Meta when someone clicked “schedule an appointment,” which doctor the appointment was scheduled with, and even that the doctor was found by searching for “home abortion.” But Houston Methodist said that scheduling an appointment did not mean the appointment had ever been confirmed, nor that the person who scheduled the appointment was the person the appointment was actually for. Houston Methodist may not think it violates patient privacy, but its patients may feel differently. They also had no way of knowing that this was happening in the first place without using special tools or having a certain level of technical knowledge. Houston Methodist has since removed Pixel.
Another health system that The Markup examined, Novant Health, said in a statement that Pixel was placed by a third-party provider for a campaign to get more people to sign up for its patient portal system and was only used to see how many people signed up. But The Markup found that much more data than that was being sent to Meta, including medications the users listed and their sexual orientation. This third-party provider appears to have made some mistakes here, but Novant is the one that has an obligation to its patients to keep their information confidential on websites that promise to do so. Not the third-party provider, and not Meta.
This is not to let Meta off the hook. Again, it created the Pixel tracking system, and while there are rules and tools to prevent the transmission of certain types of sensitive information – such as health conditions – The Markup’s reports are proof that these measures are not enough.
Meta told Recode in a statement that “our system is designed to filter out potentially sensitive data it detects.” But The Markup found that these filters were lacking when it came to data from at least one crisis pregnancy center’s website. Meta did not answer Recode’s questions about what it does if it finds that a business is violating its rules.
Edwards, the security researcher, was even less charitable about how much blame Meta deserves here.
“I think it’s 100 percent Facebook’s fault,” he said.
Meta also did not answer Recode’s questions about what it does to ensure that businesses follow its policies, or what it does with sensitive information that businesses are not supposed to send. At the moment, it looks like Meta is creating and distributing a tracking tool that can benefit Meta. But if that tool is misused or abused, someone else is responsible. The only people who pay the price for this, it seems, are the visitors to the site, whose privacy was invaded without their knowledge.
What you can do to avoid Pixel
There are a few things you can do to protect yourself here. Browsers such as Safari, Firefox and Brave offer tracking blockers. Todd Feathers, one of the reporters on The Markup’s hospital story, told Recode that they used Chrome browsers without privacy extensions for their tests. Speaking of privacy extensions, you can get those, too. VPNs and Apple’s paid Private Relay service can hide your IP address from the sites you visit.
Finally, Meta has controls that restrict tracking and ad targeting outside its platforms. The company claims that turning off “data about your activity from partners” or “off-Facebook activity” will stop it from using the data collected by Pixel to target ads to you. This means trusting Meta that its privacy tools do what they claim to do.
And there is always, of course, asking your legislator to push for privacy laws that would make some of these practices explicitly illegal, or that would force companies to inform consumers and obtain their consent before collecting and sending their data to someone else. Several new federal privacy bills or draft bills were introduced as recently as this week. There is interest among some members of Congress, but not among enough of them to come close to passing anything yet.