Attempting to research if tax prep companies had gained consent to disclose and use data from its users, Congress was blocked by the companies, who refused to "provide current and historical versions of disclosure agreements and privacy policies." Undeterred, Congress consulted Internet archives to access historical versions of company policies and pieced together that none of the companies appeared to have gained consent from their customers to share the sensitive data with Meta and Google.
"That data came to Meta through its Pixel code, which the tax firms installed on their websites to gather information on how to improve their own marketing campaigns. In exchange, Meta was able to access the data to write targeted algorithms for its own users."
Seems that they provided the data to get Meta to target customers for them.
While one could only hope the people behind this data leak see's some form of criminal justice, it will likely only be a fine and a sternly worded letter telling these companies to get approval next time. They'll write it into their TOS and the business practice will be continued.
We really, really need to punish this kind of behavior. Lying about the actions and the actions themselves are despicable. This should ruin the careers of the people who made these decisions.
It reflects poorly on the justice system that this is true, but it reflects extremely poorly on H&R Block's lawyers that they didn't slip something into the terms and conditions about how "we may from time to time share certain of this information with our commercial partners". Surely they would have lost less than one customer in a thousand.
Why would we send him to jail anyways? Google, Facebook, and thousands of other companies are doing the exact same thing right now. Jesse some guy tried to overthrow the US government and he isn't in jail. Once you get enough $ meaningful punishment is mostly out of the question here...
>Jesse some guy tried to overthrow the US government and he isn't in jail. Once you get enough $ meaningful punishment is mostly out of the question here...
If you're talking about Trump, he's possibly the worst example you could pick for your case, as his treatment has nothing to do with his wealth and everything to do with the fact that he is the previous President...
I respect your opinion. But personally feel that his wealth and varied enterprises are exactly how he became president in the first place. The inordinate amount of lies, and propaganda that composed his campaign were treated as valid points of view despite being objectively wrong because there is a culture of wealth worshipping in the US. "If I give the rich guy my vote he will make me prosperous too!" Or "he is wealthy because God has blessed him"(a surprisingly common well documented evangelical belief).
But if ya disagree with that, that's fine. Can take a quick Google search and find hundreds of instances were wealthy people committed serious crimes and received no substantial punishment for doing so compared to their less influential counterparts. I could list some, but I trust you can do that for yourself.
Yeah, that guy is currently sitting pretty in the white house. The machine he works for rigged the election, on multiple levels, and started a proxy war over what appears to a place of great interest of corrupt politicians. Got to protect The Big Guy's 10% cut.
Usually I can understand the basis or motivation behind political gripes even if I don't agree with them or the values that motivate the claim. But in the case of Biden starting a proxy war, you're totally fucking nuts. That war started in 2014, two presidencies before Biden. Not to mention Biden oversaw the War with Afghanistan actually end while the previous two presidents blew hot air about ending it but never actually had the balls to commit.
Bush the Younger: Started two wars, threatened at least two more, and ended none.
Obama: Ended one of those wars and continued the other. Had a third start under his watch.
Trump: Didn't start any wars, and didn't end any either.
Biden: Ended the other Bush war, and saw that third war continue.
Sure, it started under Obama. I'll agree to that. But a full scale invasion of Ukraine only started in 2022, and there was basically nothing going on while Trump was president.
And the Afghanistan pull out is one of the most embarrassing and sad things I have seen for my county. It was a travesty, and almost anyone with a brain could've handled it better.
It was probably also another item on the list of green lights to Putin that Biden couldn't stop or defend against a Russian invasion of Ukraine.
Who's the prison guard that opened the cell for him to get out?
Who's the prison guard whose watching from a sniper tower while the prisoner rampages?
Both of those are the American President. The war in Ukraine was fully preventable, and could probably even be stopped immediately, if the President wanted to do so.
But that would require a living person in the Office, and the military-industrial complex not desiring another 20 year proxy war.
Write in full sentences and paragraphs explaining your point, not some aloof metaphorical rhetorical questions leading into platitudes.
I don't understand what you are saying, there's no explanation of how the war was fully preventable, just a statement as if that was a shared fact between you and me (it isn't). No explanation of how to stop this war without Russia annexing a huge chunk of another sovereign country. No explanation on how a Russian invasion is actually a proxy war created by whatever you are saying.
I suspect you're right. But there's still that little part of me hoping that maybe some big fines mixed with lessened revenues if the IRS releases it's own tax-prep software[0] could actually put some of these clowns out of business.
What profits were derived from the "sharing" of "millions of taxpayers' data?"
I had to do a technical audit of this issue to find out if my company had also been placed at risk. What happened is this:
1. Facebook asks advertisers to place some javascript on their website to help with general measurements (i.e.: whether viewing an ad on a Facebook property ultimately led to a purchase)
2. This javascript may also gather user interactions on the website so an advertiser can see what users engage with, what might be relevant to ad performance measurement, etc
3. These stupid tax prep companies placed the script on pages where users might view, interact with, or submit very private information
4. When users clicked around, tracking data was sent to FB
5. A security/privacy journalist spotted this and said, "gotcha."
Ad Tech companies don't want your SSN, and they really don't know to know if you purchased Plan B. But when tax prep sites and online pharmacies place a tracking script on all their webpages, everyone ends up with egg on their face.
There were no profits here. The journalist's privacy investigation should be appreciated and celebrated, but Elizabeth Warren is just raising a boogeyman so she can keep sticking a knife into the hearts of these large, corporate entities. Election season is coming up, after all.
Where do you get that idea? All they doin the background is to deanonymize as much data as they can get. Why do you think they would not actually want this ultimate deanonymizer of US citizens?
I worked at a massive adtech company and we had our own unique ID for each "entity". All other data was gathered with cookies and some sort of compaction/merging algorithm.
What would we do with the social? Run a credit report on every single one then only show ads to those people? Re run it every so often for updates?
I wasn't a developer but we already had income estimate by looking at past purchases, location, sites that the person looked at, etc. It wasn't super accurate but enough to know whether someone should see a Fendi bag
I feel like SSN is a big liability with little benefit over a different primary key like your phone number. SSN would be important if you're signing a mortgage, but these people are tracking how often you buy dogfood and pregnancy tests.
> I feel like SSN is a big liability with little benefit
Your feelings on the matter are quite irrelevant -- they want every bit of data about your financial life as possible. Including your mortgage, income, etc. The SSN it the ultimate primary key. You can't even get a new one if your identity is stolen. The more often they can link that to an email address, phone number, etc, the stronger the signal they get from sources that only have those bits.
Phone numbers change all the time. Some people have more than 2 phones. Phone numbers tied too names become less trustworthy when names change.
The reason an SSN exists is the same reason why it is one of the the best identifiers of a person in the US.
Nation state and domestic hackers look for these as a highly prized commodity for this reason as well. They can be used to find other records containing people. You may recall the Chinese hackers who exfiltrated the SSNs of US military personnel not too long ago.
Considering that there are only 1 billion possible SSNs, that seems like it would be easily reversible simply by pre-computing a lookup table of all 1 billion hashes.
Because they don't like regulatory costs of storing/using sensitive data e.g. legal costs, compliance requirements etc ( if not now, requirements that come up in the future). One can get the exact same utility by generating a user identifier themselves instead - user logins, device info, ip, usage pattern etc should give all the info needed. More over these companies operate in multiple countries.
I know of a local company that collected personal data for marketing including SSNs and there is no care given to how the data is stored. Most if not all of it was stored in plain text. You might have more faith in regulatory systems than you should.
> You might have more faith in regulatory systems than you should.
I don't. What I do have faith in us companies to have a profit motive and work in favor of self preservation. And that comes with reducing risk for the company.
An example of a local company with bad security practices due to negligence or malice is no evidence of a publicly traded big tech company wanting to do the same.
A local company with bad security practices does not, at its core, make money by collecting user data. The collection of that data and the security or insecurity of its storage is pretty much orthogonal to the central business of every company in the world except for tech companies that sell consumer data.
Hence, the dictum "don't ascribe malice where incompetence would suffice" doesn't carry across these two different classes of organizations.
You may want to look into the histories of equifax, transunion et al. Not local businesses and definitely repeatedly guilty of this flavor of transgression.
This subthread is about, or at least started out when I initially responded as - adtech using ssn as an user identifier. I responded to that. I didn't intend to make any claims about anything else. Equifax is not adtech and is explicitly in the business of collecting ssn and related data.
Equifax is absolutely adtech. Their data is sold used by advertisers all the time. You can make changes to elements of your credit report using techniques widely available on YouTube and watch the spam and junk mail you receive change.
"local company" being the problem. Local/small companies do not care at all about this kind of thing. Google's perniciousness is being about to follow the letter of the law while still getting what they want, not flagrantly ignoring it.
Literally no adtech company would accept or attempt to target based on SSN.
Maybe your local company was collecting it out of ignorance, but if they uploaded it to google adsense, alarm bells would go off, the data would be purged, and you'd seriously risk having your account shut down.
Bro, you're commenting on a story where SSNs were uploaded to Google Adsense, alarm bells didn't go off, data wasn't purged, and a journalist came in and discovered the problem later.
> But while tax-filing websites were quick to stop collecting data, nobody's sure how much information was collected. One unnamed company told Congress that "every single taxpayer who used their websites could have had at least some of their data shared."
There is literally no evidence what you said is true. There are no details what information was shared. Can you avoid making stuff up?
SSNs can’t really be anonymized by hashing since they’re essentially sequential numbers. I think the law is at least broad enough to consider a hashed SSN that can be easily reversed to be to equivalent to a real SSN.
I agree with others that adtech companies want to proactively avoid SSNs. Too much liability and not at all necessary.
To clarify, this is one of the must common and dangerous misconception regarding hashing: a SSN is a 9-digit number. Regardless of the strength of your hash, you can hash them all, and compute a lookup table, in a matter of minutes.
You don’t have to hash it so it’s not reversible only such that you don’t appear liable in the event of an incident. Technically compliant is good enough
My point is that hashing a 9 digit number is almost certainly not even technically compliant. I believe storing hashed SSNs would incur all the legal liability of storing raw SSNs. The laws are robust enough to at least handle such a trivially reversible hash. No way any expert witness could claim otherwise. Hashed emails on the other hand seem like more of a gray zone (some are reversible, but there's enough variety that not all are).
for a fun "challenge", here's my md5 hashed SSN: 46fdccf9acc38d13321b0c13cf541ec9 (spoiler: not my real SSN, but since they're sequential it could be someone's. And, hint, I'd be jealous of them.)
Given the authentication services they provide, I suspect this is already a bar they reach. The point about future compliance makes me think about the floundering “You shouldn’t have made an account with us!” while they made their services compliant with GDPR.
I would expect they’d be eager to have this information and would not consider it to be a liability in the slightest.
Ha well a nice strong fine then to discourage this stupid behavior of adding tracking scripts from 3rd party fines. I’d still like to see the executive that approved this spend 1 night in jail to prove a point that stupid has personal consequences
I'm not sure jailing the low level employee that pasted some javascript into a footer template, or the low level employee that sent them the link with an email saying "this is the script we need to add to our signup flow" is going to achieve very much.
This stuff happens because there isn't an exec approval process...
Then make an example and disband the company and all shareholders lose all equity. Have people realize they will lose money if they don't pay attention to details.
Alternatively, maybe this could be the excuse for the IRS to walk away from that horrible deal they made with the tax prep companies. That's why they don't just automate the forms, fill them out for me, and send me the damn draft to approve or dispute. Like in other countries.
It's not like I have secret income the IRS isn't aware of. And for people who do have secret income, they'll either voluntarily report it or won't.
So what is the line, then? Inadvertently sucking up people's tax return info and sending to who knows where because they get a few incentives for it is fine? What about a VoIP company sending call metadata? Or a burglar alarm company sending when you are home or not? At what point can we say 'make your money decently and don't sell customer data for a few pennies or you get made an example of'?
It's far too little. The executives should be given the death penalty for this. They and the rest of the surveillance capitalists have waged war against society and deserve guillotines for it. We need to put a firm stop to this madness before the surveillance industry locks us all into a global panopticon. The stakes couldn't be higher.
> Then make an example and disband the company and all shareholders lose all equity. Have people realize they will lose money if they don't pay attention to details.
do you not make mistakes, or do you not work with anything that matters?
the US criminal justice system, which isn't very popular, seems to be more tolerant to human error than you.
At some point we have to acknowledge that data is important and that it is easy to collect and hard to secure. Do it right or don't collect it. The 'we have been hacked' or 'we messed up' and now all your data is somewhere else is not OK. If we made their existence dependent on securing this data, don't you think they would start to take it seriously?
All employees should lose their jobs because an incompetent engineer made a mistake? What’s with some people and irrational mob justice? Does it make them feel good or what…
An orderly revocation of a corporate charter isn't mob justice.
People calling for companies to be dissolved are pretty likely to be calling for an orderly process (if they weren't interested in an orderly process they'd likely be talking about using violence on the executives or shareholders or whatever).
Here’s my take which happens to agree with the parent commenter: the incompetent executive is responsible for the actions of this engineer and (in this hypothetical) the incompetent executive allowed their business to be destroyed by something which was easily avoidable.
I don’t think anyone lower than an executive should go to jail for this. Ultimately they get rewarded when things go right so they would be punished even thing go wrong. That they didn’t make the direct implementation should not matter, it was their responsibility and they were the captain when the accident happened.
* The Tax Prep companies? That would be fair: they are obligated to handle private user data in a responsible manner
* The ad tech companies? That would not be fair: they didn't want the data, didn't know it was being sent, and almost assuredly didn't use it for any kind of ad serving, measurement, or optimization.
If I send you a video camera and tell you to put it in your retail store and stream me the video and you put in your changing room and send me the data and I don't tell you to stop, am I free from liability?
Alternate analogy: an IoT thermometer vendor sells you a device to track temperature in your room, but you decide to stick it up someone's butt. Will the IoT vendor know the temperature reading is personal and rectal? Should they be held liable for not proactively attempting to scrub-out numbers which may represent gluteal climate?
It seemed flawed on first reading but I think this analogy holds if one assumes (for the sake of argument) that it’s Definitely Illegal to be accepting these readings. It would be pretty hard to be sure about filtering out arbitrary strings of numbers (ie SSN) when one is also intending to accept such strings.
I certainly hope I'm free from liability from you sending me illegal videos of naked people unless I've explicitly requested illegal videos of naked people.
More to the point, if companies are required to forensically analyse the hashes sent to their API endpoints to check they haven't received anything sensitive, the internet in its modern form would essentially cease to exist.
If you were doing that to millions of people and automatically analysing the video streams you get back for general trends then you wouldn’t really have a way to know that’s happening
Thanks! It will be interesting to see how this plays out. In the case of software the user is the one preparing the return and not the software itself. Although people using software on behalf of someone else would be guilty.
I am almost certain Meta has some basic filtering in place to make sure they aren't storing, say, obvious credit card numbers, SSNs, etc. So I would say they're open to at least a little liability if they failed to match on financial info.
1. This isn't just a gotcha. If you're storing private data, be a fucking responsible human being and do the work to store it securely. Stop downplaying this.
2. Ad tech companies don't want your SSN or to know if you purchased Plan B? Ad tech companies want to know everything about you, especially things that are private because other people don't know that stuff and that's where the competitive advantage lies.
> There were no profits here.
There were cut costs, which amount to the same thing.
> Elizabeth Warren is just raising a boogeyman so she can keep sticking a knife into the hearts of these large, corporate entities
I’d say what you described at least comes close to being negligent. I’d hardly call that a “boogeyman”. It’s a serious issue that shouldn’t have occurred and there should be some repercussions for that.
I had to spend most of my day doing a technical audit on this as well.
I can certainly see how they could have profited from data contained in certain forms that customers submitted on non-facebook websites, potentially confidential data which would be used to flesh out hidden user profiles and thus increase the prices for highly targeted ads.
Donate some money to some Congress member's reelection fund, promise them a cushy job afterward, it all gets swept under the rug. Bonus if the intelligence agencies can then double dip and reuse that same data for national security. To protect the children from terrorists, of course.
I’m no constitutional lawyer but wouldn’t that be a violation of the 4th amendment whereas (and I don’t exactly know why either) it’s been deemed constitutional for the government to buy data collected by third parties?
Yup. As to the "why" part, the whole thing operates under the legal assumption that if you already shared your data with somebody else (e.g. your bank) you have no reasonable expectation of privacy.
Essentially, the "secure in their persons, houses, papers, and effects" part of 4A is interpreted literally. Since that third party has your data, you're still secure in your papers and effects, but the bank doesn't have 4A protection.
That made some sense when information meant either you had a piece of paper, or you had given it to somebody else. But ever since information is cheaply copied and distributed, it really doesn't work so well.
(This is why I believe any literalist interpretation of the constitution is bullshit. It just doesn't translate well over a 200 year distance)
It's currently a somewhat debated legal concept - Sotomayor had an opinion that amounted to "maybe we should rethink that" a while ago, and there have been a few cases saying "nope". But nothing's reached SCOTUS so far.
(If you want to find out more, "third party doctrine" is the keyword. Or buy a constitutional lawyer a beer, it's fun :)
The bank still has this right and uses it to its advantage. In this case, it seems the bank deemed the value of cooperating with government more than customers’ privacy.
>Lawmakers said that the evidence appears to show that "Meta and Google failed to implement adequate safeguards to prevent the transfer of taxpayers' sensitive personal and financial information, despite their contentions that they did so."
The description of the data that was shared is quite vague in the article.
But If this is the result of tax prepping companies putting Meta pixels in pages containing personal data so they can show ads (shouldn’t these be only accessible by the user anyway so they can’t be scraped by Meta?), or manually adding personal data to analytics parameters (so they could check time on app by income etc), then I think the fault lies with those companies rather than Meta and Google
Tax prep is absolutely the scariest thing I do online (rivaled only by proving that I am qualified for a mortgage, but luckily that only happens infrequently). The amount of sensitive data you share with a company with minimal tech expertise...
I have used encrypted PDFs in the past, sending the password out of band. I'm sure it annoyed them at the bank, but their tech didn't inspire confidence.
So there will be millions of man years of jail time directed at the executives ‘responsible’ for giving the go ahead to these deals?
Or will they never miss a chef prepared meal in their glass castles, with no chance of ever being held responsible for the great ‘responsibility’ of being in charge?
This is why the IRS should be providing tax prep software directly. They should already have w2s, 1099s etc and should be able to process them directly into the forms. The only reason we have to pay third parties is they bought the politicians.
Actually, most people in the US shouldn't have to do any tax prep at all. The IRS already has all that information, after all. The only reason the average US worker has to do anything more than a check a "this is correct" box is because a significant number of politicians intentionally want taxes to be annoying and time-consuming in order to bias people against the idea of being taxed at all.
And just to quantify that. Slightly more than 10% of the workforce are self-employed. For that 10%, the IRS has almost none of the relevant information. So "most people" in this context means 90%. I think most of us (even those in the 10%, like I am) would agree that 90% does indeed mean "most".
Cynically, I think they don't because even they don't understand all their rules. They couldn't write the software even if they wanted to.
But yeah, I'd love it if this was the kick in the pants that is needed to get people to see how ridiculous it is that taxpayers need to pay a third party just to submit their information to the IRS.
They obviously can write the software. We know this because they already written it.
We know this because when you e-file if your tax return is one of the ones for which they don't actually need any information you provide and you made a mistake they tell you right then what your mistake is and reject the filing.
This sort of thing should be the civil equivalent of a capital crime. If the companies are found guilty, their entire assets should be seized and they should cease to function. It should also be easier to pierce the corporate veil.
I assume this idea would never be considered as a possibility by most people here (yeah, trillions is hyperbole), but it’s ready the case that firms in the Financial Services industry screen all incoming data over all channels for anything that looks like PII. The only stuff that makes it through with the recipient being unmolested must be approved by compliance and infosec folks. Anyway, this is just to say that refusing to accept unsolicited personal financial information is very much already a thing in industries outside Big Tech.
Fines on corporations should be large enough to burn and have their eyes water, not to tickle and leave them giggling. Additionally, executive pay and bonus should be cut/confiscated proportianately--this ought to be subtantial enough to make a dent in their net take-home pay. A compentent authority should verify this from their tax return of the following year.
Ultimately, it's the decision makers that must pay, not the janitors and cleaners.
I know it doesn't amount to anything, but attempting to spank a company this way is the only time I really get happy about what the government did today, so I hope this time it actually changes something. But I don't think the tax prep firms should be the only ones punished here. What about the tech companies who took the data?
while we're rounding up the suspects here, and deciding what laws to reform, let's remember that meta and google are the madams of this whorehouse, and advertisers are the johns, how about we make sure they are also disincented?
Internet archives to the rescue