A seven-month congressional investigation has revealed that some of the biggest names in U.S. digital tax preparation software, including TaxSlayer, H&R Block, and TaxAct, have been caught sharing sensitive user information with two of the biggest names in tech, Google and Meta, via their tracking pixels, without the knowledge or consent of their customers. These companies have been leaking sensitive customer information for years, and it’s looking likely that this preventable behavior could lead to their downfall.
Tracking Pixels
Meta, Google, and other companies offer these small snippets of code to businesses to use on their websites for free. Pixels gather information such as names, addresses, financial data, pages visited, social security numbers, and more to build up a picture of who a site’s visitors are. The pixel supplier (Google, Meta, or another company) can then use that information for a variety of purposes, including improving its ad targeting. Meta has admitted to doing this, as well as using the data to train its AI algorithms.
TaxAct began using Google’s tools back in 2014 and Meta’s in 2018, while TaxSlayer started in 2011 and 2018 respectively. Along with H&R Block, it appears that they stopped using Meta’s pixel after The Markup released a November 2022 report that may have triggered the senatorial investigation. But regardless, the report suggests that they have been surreptitiously harvesting taxpayers’ private data for years.
The Consequences
The fallout from this investigation could be huge if the tens of millions of taxpayers allegedly affected decide to bring legal action against these companies (which the tax code theoretically allows), not to mention the fact that the federal government could also sue them. They may face criminal penalties (and potentially jail time), and there is also the prospect of costly GDPR infringements if any American expats were living in Europe when they used their software to submit tax returns.
The tax prep companies, Google, and Meta all argued that any data shared between them was hashed, which they said would preserve taxpayers’ anonymity, but experts, including the FTC’s Edward Felten, disagreed, saying that “…hashing is vastly overrated as an ‘anonymization’ technique.” It’s well known that such anonymized data can easily be reverse-engineered.
Senator Elizabeth Warren, who helped to lead the investigation, said that even the webpage titles used in online tax software can reveal what tax forms were accessed by users, so even this obliquely identifying information shouldn’t have been shared. There is a possibility that they may not have known what they were sharing though. Warren’s office said that it wasn’t clear if Meta even knew it was improperly using taxpayer information at the time, and the report said that some tax-prep companies still don’t know if the data they shared is still held by any of the tech companies. Such revelations are not reassuring.
Given that tax software revenue in the US is forecasted to be worth almost $5 billion this year, it seems almost unthinkable that no one at any of the big companies had the foresight to invest in a solution like Reflectiz. It could have told them exactly where their users’ data was going, raised red flags, and saved them from inviting the extreme displeasure of the federal government and a blizzard of personal lawsuits and penalties.
Remember: Human errors are inevitable, and mistakes are unavoidable within dynamic web environments. However, organizations can proactively address these challenges by implementing a proactive website security solution like Reflectiz. Such solutions help prevent damages resulting from misconfigurations, redirections, and configuration drifts caused by human error, ensuring the mitigation of risks to their website(s).
An Industry Under Threat
The report’s findings add more weight to the serious existential threat that was already gathering momentum against the tax prep industry. Questions were being asked about why private businesses have been allowed to charge Americans $200-$300 per year to file their own tax documents when tax authorities in other countries have been providing free submission services for years.
TurboTax has been lobbying the government for the last 20 years to ensure that Americans keep paying for their tax preparation software, but handing over their personal data to tech giants without permission has seriously undermined their arguments. They would have been on firmer ground had they used a comprehensive monitoring solution that protects their users’ privacy.
Comprehensive Protection
Under current privacy protection regulations, businesses are liable for whatever third-party applications like tracking pixels do, so Reflectiz continuously monitors these and other digital assets, reporting on what personally identifiable information and sensitive financial data they may be accessing. In a sense, it tracks the trackers, identifying where the information is sent, and speedily issuing alerts when it detects any problematic behaviors.
If your online customers share their information with you, then due diligence should be your foremost concern. You can protect your customers’ sensitive personal data, and your company’s reputation, and avoid damaging financial penalties with Reflectiz. Get in touch with us today to find out more.
Essential tips to avoid data leaks:
1. Be proactive and create a comprehensive digital inventory by mapping all your existing web apps.
2. Continuously monitor your third- and fourth-party web components, including tracking pixels.
3. Conduct behavioral analysis on all web applications running on your website(s).
4. Distinguish between approved and unapproved third-party behaviors.
5. Utilize a remote website monitoring solution, such as embedded solutions, that cannot affect your website.
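One way to act on tips 2 to 4, and to test the "it was hashed" defense discussed earlier, is a seeded audit: enter known test values into the site, capture the outgoing requests, and search every request to a non-approved host for those values in raw and SHA-256 form. This is an added example, not Reflectiz's code or method; the hosts, parameter names, and seeded values are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

# Hosts the site owner has reviewed and approved (assumed allowlist).
APPROVED_HOSTS = {"www.tax-site.example", "cdn.tax-site.example"}

# Values typed into the forms by a seeded test user during the audit (constructed).
SEEDED = {
    "email": "audit.user@example.com",
    "page_title": "Schedule C - Profit or Loss",
    "income": "48250.17",
}

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def needles(seeded):
    """Map the raw and SHA-256 form of each seeded value to a label."""
    out = {}
    for field, value in seeded.items():
        norm = value.strip().lower()
        out[norm] = f"{field} (raw)"
        out[sha256_hex(norm)] = f"{field} (sha256)"
    return out

def audit(requests, approved=APPROVED_HOSTS, seeded=SEEDED):
    """Report every request to a non-approved host and the seeded values it carries."""
    lookup = needles(seeded)
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        if url.hostname in approved:
            continue
        values = [v.lower() for _, v in parse_qsl(url.query)]
        values += [str(v).lower() for v in req.get("body", {}).values()]
        leaked = sorted({label for needle, label in lookup.items()
                         if any(needle in v for v in values)})
        findings.append({"host": url.hostname, "leaked": leaked})
    return findings

# Constructed capture; hosts and parameter names are placeholders, not a vendor's format.
CAPTURE = [
    {"url": "https://www.tax-site.example/api/save", "body": {"income": "48250.17"}},
    {"url": "https://pixel.tracker.example/t?event=PageView"
            "&title=Schedule+C+-+Profit+or+Loss"
            "&uid=" + sha256_hex("audit.user@example.com")},
    {"url": "https://fonts.vendor.example/css?family=Inter"},
]

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

The tracker host in the sample never receives the raw email address, yet the audit still attributes the `uid` value to it, because a hash of a known value can be matched as easily as the value itself. The third request carries no seeded data but is still reported, since it goes to a host nobody approved.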