As readers of this newsletter know, I am a bit obsessed with Facebook’s position in the tech landscape as the rare company that knows the name of the people it tracks across the internet.
Most online tracking companies know which websites you’ve been to—based on “cookies” they use to track your activity—but don’t know your actual name. But because most people have Facebook accounts, that platform’s tracking across the internet often contains far more identifiable information.
Two years ago, Markup senior data engineer Surya Mattu built a real-time web privacy inspector, Blacklight, that could identify which websites contained the Meta Pixel (formerly the Facebook Pixel)—the computer code that Facebook offers to websites to allow them to track visitors.
Using Blacklight, Surya found that the pixel was present on 30 percent of the top 100,000 websites. But what he didn’t know was exactly what types of data those pixels were sending to Facebook.
So earlier this year, Surya and I began collaborating with Mozilla Rally to see if we could find out more about the pixel. Mozilla, which makes the Firefox web browser, had set up an innovative project called Rally that let users contribute their data toward public interest research projects. We were inspired by studies that Princeton professor Jonathan Mayer’s research team was conducting using Rally about the quality of search engine results and what type of COVID-19 and political news users encountered.
In January, we launched the first large-scale crowdsourced study of the presence of the pixel and the data it collects in real-world scenarios. The project was called Facebook Pixel Hunt.
Thousands of users of Mozilla’s Firefox web browser volunteered to download software that logged their interactions with Facebook’s pixel.
The results of the Pixel Hunt study were shocking. In April, Surya and Markup reporter Colin Lecher revealed that the U.S. Department of Education’s online application form for federal financial aid was sharing personal data with Facebook, without the knowledge of the students or their parents.
The agency turned off the Facebook data sharing after being contacted by The Markup. And a Facebook spokesperson said that it would work with the agency “to ensure proper implementation of our tools.”
In June, reporters Grace Oldham and Dhruv Mehrotra at Reveal from the Center for Investigative Reporting used Blacklight to identify the Meta Pixel on the websites of hundreds of anti-abortion clinics.
Also in June, a Markup team—Todd Feathers, Simon Fondrie-Teitler, Angie Waller (now at NYU’s Center for Social Media and Politics), and Surya Mattu—found that one-third of the top 100 U.S. hospitals were sending sensitive patient data to Facebook through the pixel. They also found seven hospital systems sending Facebook data such as patients’ medical condition and prescriptions from the hospitals’ patient-facing electronic health record systems.
The sharing of personal health data with third parties could violate the Health Insurance Portability and Accountability Act, or HIPAA, the federal law that protects the privacy of personal health information held by medical providers.
“It is quite likely a HIPAA violation,” David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, told The Markup.
Facebook once again placed the blame on websites that transmit data that they shouldn’t. A Meta spokesperson told The Markup that the company uses a filtering system to attempt to “detect that a business is sending potentially sensitive health data” and then removes that data before it is stored.
This week, North Carolina hospital network Novant Health sent 1.3 million data breach notifications to patients whose data might have been inadvertently shared with Facebook as a result of the pixel.
The wild thing is that no one would have known this data was being shared if we hadn’t set up this partnership with Mozilla Rally and if thousands of users hadn’t volunteered to send over their web browsing data.
Thanks to those of you who participated in the study. The Pixel Hunt study data collection is completed, and the genius tools architect Surya Mattu has left The Markup. But I believe that data donations will continue to be one of the best ways to hold tech platforms accountable.
As always, thanks for reading.
P.S. After last week’s newsletter about companies selling vehicle data such as “heart rate” and “race” was sent out, High Mobility CEO Risto Vahtra reached out to clarify that the company’s “race” data category refers to data related to the car’s acceleration and other data related to “racing.” He added that the “heart rate” category is not currently being used commercially.
P.P.S. The Markup is closed until Sept. 6, so there will be no newsletters until Sept. 10.