You can’t see them, but Meta’s trackers are embedded in millions of websites across the internet, collecting data on where you’re going and what you’re doing, and sending them back to Meta. A recent investigation shows that these seekers are on sites that even the most cynical among us might expect to be banned: those belonging to hospitals, including patient portals that are it should be protected by health privacy laws.
This week, Markup, a non-profit information house covering technology damage, announces the latest findings from its investigations in Meta’s Pixels, which are pieces of code that developers can embed on websites to track their visitors. So far, these stories reveal how the website is owned government, pregnancy counselingi hospitals send data to Meta via pixels, most of which would be considered sensitive to users who have unknowingly provided it.
It is easy and understandable to blame Meta for this, given the company’s well-deserved, less than stellar reputation for user privacy. In Pixel and other trackers, Meta has played a key role in building an online world free of privacy and data leakage that we have to navigate today. The company delivers a tracking system designed to extract user data from millions of sites and turn it into gold for advertising, and he knows very well that there are many cases where the tool is poorly implemented at best and misused at worst. But this could also be a rare case of a Meta privacy scandal that is not entirely Meta’s fault, in part because Meta did his best to shift the blame.
Or, as security researcher Zach Edwards put it: “Facebook wants to have its own data cake, not eat offenses.”
Companies decide to put Meta trackers on their websites and apps, and yet choose which data about their visitors to send to the social media giant. There is simply no good excuse, nowadays, for developers using Meta business tools that they do not understand how they work or what user data is sent through them. At the very least, developers should not put them on health appointment pages or within patient portals, where users have every reason to expect not to secretly send their data to curious third parties because those sites often explicitly tell them they are not. Meta created the monster, but those websites feed him.
How Pixel makes tracking too easy
Meta makes Pixel available, for free, to businesses to embed in their websites. Pixel collects and sends information about visitors to the Meta site, and Meta can pair it with a user’s profile on Facebook or Instagram, giving him a much better insight into that user. (They are also cases where Meta collects data about people who do not even have Meta accounts.) Some data, such as visitor IP addresses, Meta collects automatically. But developers can also set up Pixel to track what it calls. “events”: Various actions that users take on the page. This can include clicks or responses in the forms they fill out, and helps businesses better understand users or focus on specific behaviors or actions.
All of this information can then be used to target ads to those people or to create what is known as “similar audience. ” This includes a job that requires Meta to send ads to people Meta believes are similar to its existing customers. The more data Meta receives from businesses through these tracking devices, the better they should be able to target ads. Meta can also use this data to improve its own products and services. Businesses can use Pixel analytics data to improve their products and services.
Companies (or third-party vendors with whom they contract to create their own websites or run advertising campaigns) have great control over the data about their customers that Meta receives. Markup found that on some of the sites in their report, the pages of hospital examination websites sent Meti the name of someone who had scheduled an appointment, the date and time of the scheduled appointment and which doctor the patient was going to. If that happens, it’s because someone on the hospital side set up Pixel to do it. Either the hospital did not take due care to protect that data or it did not consider it data worthy of protection. Or it may have assumed that Meta’s tools would prevent the company from collecting or using any sensitive data sent to it.
In his latest hospital investigation, Markup found that a third of the hospitals he reviewed from the list of the 100 best hospitals in the country have Pixel on their appointment pages, and seven health systems have Pixel on their patient portals. Several websites removed Pixel after Markup contacted them.
How can a hospital justify any of this? The only hospital that gave Marcup a detailed answer, the Houston Methodist, claimed it did not believe Mattie was sending protected health information. Markup revealed that the Meta Hospital website said when someone clicked on “make an appointment”, for which the doctor scheduled an examination, and even that the doctor was found by searching “abortion at home”. But the Houston Methodist said that scheduling an appointment does not mean that the appointment has ever been confirmed, nor that the person who scheduled the meeting is the person for whom the appointment was actually intended. The Houston Methodist might think that this does not violate patient privacy, but his patients may feel differently. But they would also have no way of knowing that this is happening without them using special tools or possession of a certain level of technical knowledge. The Houston Methodist has since removed Pixel.
Another health system that Markup looked at, Novant Health, it is stated in the announcement that Pixel set up a third-party vendor for the campaign to get as many people to sign up for the patient portal system, and it was only used to see how many people signed up. But Markup found far more data than was sent to Mattie, including the drugs the users listed and their sexual orientation. That third-party vendor seems to have made some mistakes, but it is Novant who has a duty to his patients to keep his data private on websites that promise to do it. Not a third party vendor, not Meta.
This is not to let Matt go. Again, he created the Pixel tracking system, and that while it is rules and tools that should prevent certain types of sensitive information – such as health conditions – from being sent to them, Markup’s reports are proof that these measures are not enough.
Meta told Recode in a statement that “our system is designed to filter out potentially sensitive data it detects.” But Markup has found that these filters are missing when it comes to data from at least one Crisis Pregnancy Center website. Meta did not answer Recode’s questions about what he does if he finds that the company is violating its rules.
Edwards, a security researcher, was even less charitable about how much Meta should get the blame here.
“In my opinion, Facebook is 100 percent guilty,” he said.
Meta also did not answer questions from Recode, asking what he is doing to ensure that companies comply with its policies, or what he is doing with sensitive information that companies should not send. As it stands now, it looks like Meta is making and distributing a tracking tool that can have a material benefit for Meta. But if that tool is used or used incorrectly, someone else is responsible. The only people who pay the price for that, it seems, are the visitors of the site whose privacy is unknowingly violated.
What you can do to avoid Pixel
Here are a few things you can do to help protect yourself. Browsers such as Safari, Firefox and Brave offer tracking blockers. Todd Feathers, one of the reporters about Markup’s hospital story, told Recode that they used Chrome browsers for their tests without extending privacy. Speaking of privacy extensions, you can get and those. VPNs and Apple paid private relay service may obscure your IP address from the sites you visit.
Finally, Meta has controls which restricts ad tracking and targeting outside of its platforms. The company claims that excluding “data about your activity from a partner” or “activities outside of Facebook”Will prevent the use of data collected by Pixel to target ads to you. That means you have to have some confidence in Matt that her privacy tools do what she claims to do.
And there is always, of course, asking your legislature to advocate for privacy laws that would make some of these practices explicitly illegal, or forcing companies to inform and obtain user consent before collecting and sending their information to anyone else. Several new federal privacy accounts or draft law they were introduced only this week. There is interest among some members of Congress, but there are not enough of them to get even closer to anything.