Technology is great, except when it isn't.
And technology can be potentially dangerous, especially when taxes are involved.
We all know that our tax data is a prime target for crooks. They can use the information on our 1040s to file fake returns and too often, despite improved Internal Revenue Service security measures, collect fraudulent refunds.
They also can use the info on our tax paperwork — earnings, investments, Social Security numbers for us and our family members — to steal our identities and ruin us financially.
And now we've learned that major tax software and e-filing companies have been sharing our tax and financial data with Facebook.
Social media, and data collection, giant: Yes, that Facebook. The social media darling (to some) Facebook. Mark Zuckerberg's creation that's now a subsidiary of the restructured corporate entity Meta, which also has other platforms that might find use for our dollar data.
The Markup, a nonprofit newsroom that investigates technology issues, today co-published via the online tech news website The Verge, its investigation into how H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when the software clients file their taxes online.
The taxpayer data is sent through widely used code called the Meta Pixel. The report says the shared info includes not only taxpayer names and email addresses, but often more details, including data on users' income, filing status, refund amounts, and dependents' college scholarship amounts.
We're probably safe assuming that Facebook isn't a major ID theft ring. But, notes the report, the social media site can use the tax information to power its advertising algorithms, regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by Meta.
In addition to the three tax software companies, The Markup also found the Pixel code on a tax preparation site operated by a financial advice and software company called Ramsey Solutions. Ramsay reportedly uses a version of TaxSlayer. In these filing cases, filing data was sent to Facebook only when visitors clicked drop-down headings to see more details of their report.
What about the tax software leader, Intuit's TurboTax? The report says that TurboTax did employ Meta Pixel, but only to record usernames and the last time a device signed in. It did not send any tax software users' financial information to Meta.
Companies got some explaining to do: Obviously, the tax software companies are in clean-up mode today. The Verge reports that —
"On Monday, after TaxAct was contacted by The Markup for comment, the company's site no longer sent financial details like income and refund amount to Meta but continued to send the names of dependents. The site also continued to send financial information to Google Analytics. Also as of Monday, TaxSlayer and Ramsey Solutions had removed the pixel from their tax filing sites and TurboTax had stopped sending usernames through the pixel at sign-in. H&R Block's site was continuing to send information on health savings accounts and college tuition grants."
You can find additional company responses in The Verge story, as well as in follow-up articles by CNBC, Popular Science, Engadget, and Gizmodo. The Verge and The Markup report also provides details on how Pixel tracking works.
Not the first Pixel privacy problem: Meta also is in crisis management mode. And it's not the first time the company has had to deal with Pixel privacy violation charges.
Two lawsuits seeking class action status were filed this summer in the Northern District of California.
The legal actions each accuse Meta and hospitals of violating Health Insurance Portability and Accountability Act (HIPAA) protections, as well as the California Invasion of Privacy Act and other laws, by collecting patient data without consent.
Tightening privacy protections: There's still a lot to shake out in this situation.
The good news is that there doesn't appear to be any breach of the taxpayer data. Still, if you used any of the affected tax software, it wouldn't hurt to implement general identity theft precautions, like checking your credit reports for any suspicious activity.
You are entitled to a free credit report every 12 months from each of the three major consumer reporting companies, Equifax, Experian and TransUnion. The easiest way to do so is by visiting AnnualCreditReport.com.
There's also some time before the 2023 filing season starts for tax software companies (and Meta) to restore, and enhance, privacy protections.
But the damage has been done, to the reputations of Meta and tax software companies, as well as potentially to taxpayers' financial and personal lives.
Plus, we've lost our collective peace of mind when it comes to electronic tax filing, which more than 151 million of us taxpayers did this year.
Mandi Matlock, a Harvard Law School lecturer focused on tax law, speaks (via The Verge) for all of us federal e-filers, regardless of whether or what type of tax software we used: "This is appalling. It truly is."
You also might find these items of interest:
- IRS employee misconduct cited in accessing taxpayer accounts
- New IRS document provides written tax data security plan guidance
- Anyone now can get special IRS-issued PIN to thwart tax identity theft