Meta Might End Up Becoming Your Most Dangerous Stalker of All Times
Beware of Meta watching over you at the most unprecedented of times
The big eye is following you everywhere you go. Meta trackers are embedded in millions of online websites all over the internet, collecting data about where you go and what you do and sending it back to Meta. A recent investigation shows that those trackers are on sites that even the most cynical among us might expect to be off-limits: those belonging to hospitals, including patient portals that are supposed to be protected by health privacy laws. This week, the Markup, a nonprofit news outlet that covers technology’s harms, has been publishing the latest findings of its investigation into Meta’s Pixels, which are pieces of code that developers can embed on online websites to track their visitors. So far, those stories reveal how websites owned by the government, pregnancy counseling centers, and hospitals are sending data to Meta through Pixels, much of which would be considered sensitive to the users who unwillingly provided it.
It’s easy and understandable to blame Meta for this, given the company’s much-deserved, less-than-stellar reputation on user privacy. In Pixel and other trackers, Meta has played an instrumental role in building the privacy-free, data-leaking online world we must navigate today. The company supplies a tracking system designed to suck up user data from millions of sites and spin it into advertising gold, and it knows very well that there are many cases where the tool was implemented poorly at best and abused at worst. But this may also be a rare case of a Meta-related privacy scandal that isn’t entirely Meta’s fault, partly because Meta has done its best to place that blame elsewhere.
Businesses choose to put Meta’s trackers on their websites and apps, and they choose again which data about their visitors to send up to the social media giant. There’s simply no good excuse, in this day and age, for developers that use Meta’s business tools, not understanding how they work or what user data is being sent through them. At the very least, developers shouldn’t put them on health appointment scheduling pages or inside patient portals, which users have every reason to expect not to be secretly sending their data to nosy third parties because they’re often explicitly told by those sites that they aren’t. Meta might have created a monster, but those websites are feeding it.
Meta makes Pixel available, free of charge, to businesses to embed in their sites. Pixel collects and sends site visitor data to Meta, and Meta can match this to a user’s profile on Facebook or Instagram, giving it that much more insight into that user. (There are also cases where Meta collects data about people who don’t even have Meta accounts.) Some data, like a visitor’s IP address, is collected by Meta automatically. But developers can also set Pixel up to track what it calls “events”: various actions users take on the site. That may include links they click on or responses in forms they fill out, and it helps businesses better understand users or focus on specific behaviors or actions.
All this data can then be used to target ads at those people, or to create what’s known as “lookalike audiences.” This involves a business asking Meta to send ads to people who Meta believes are similar to its existing customers. The more data Meta gets from businesses through those trackers, the better it should be able to target ads. Meta may also use that data to improve its own products and services. Businesses may use Pixel data for analytics to improve their products and services as well.
Businesses (or the third-party vendors they contract to build out their sites or run advertising campaigns) have a lot of control over what data about their customers Meta gets. The Markup discovered that, on some of the sites in its report, hospital website appointment pages were sending Meta the name of someone making an appointment, the date and time of the appointment, and which doctor the patient is seeing. If that’s happening, that’s because someone on the hospital’s end set Pixel up to do that. Either the hospital didn’t do its due diligence to protect that data or it didn’t consider it to be data worth protecting. Or perhaps it assumed that Meta’s tools would stop the company from collecting or using any sensitive data that was sent to it.
Meta also didn’t respond to questions from Recode asking what it does to ensure businesses are following its policies, or what it does with the sensitive information businesses aren’t supposed to send it. As it stands, it looks as though Meta is making and distributing a tracking tool that can materially benefit Meta. But if that tool is exploited or used incorrectly, someone else will be responsible. The only people who pay the price for that, it seems, are the site visitors whose privacy is unknowingly invaded.