Meta is getting data about you from some surprising places

You can’t see them, but Meta’s trackers are embedded in millions of websites all over the internet, collecting data about where you go and what you do and sending it back to Meta. A recent investigation shows that those trackers are on sites that even the most cynical among us might expect to be off-limits: those belonging to hospitals, including patient portals that are supposed to be protected by health privacy laws.

This week, the Markup, a nonprofit news outlet that covers technology’s harms, has been publishing the latest findings of its investigation into Meta’s Pixels, which are pieces of code developers can embed on websites to track their visitors. So far, those stories reveal how websites owned by the government, pregnancy counseling centers, and hospitals are sending data to Meta through Pixels, much of which would be considered sensitive to the users who unwittingly provided it.

It’s easy and understandable to blame Meta for this, given the company’s much-deserved, less-than-stellar reputation on user privacy. In Pixel and other trackers, Meta has played an instrumental role in building the privacy-free, data-leaking online world we must navigate today. The company supplies a tracking system designed to suck up user data from millions of sites and spin it into advertising gold, and it knows very well that there are many cases where the tool was implemented poorly at best and abused at worst. But this may also be a rare case of a Meta-related privacy scandal that isn’t entirely Meta’s fault, partly because Meta has done its best to place that blame elsewhere.

Or, as security researcher Zach Edwards put it: “Facebook wants to have their data cake and not eat the violations, too.”

Businesses choose to put Meta’s trackers on their websites and apps, and they choose again which data about their visitors to send up to the social media giant. There’s simply no good excuse, in this day and age, for developers that use Meta’s business tools not to understand how they work or what user data is being sent through them. At the very least, developers shouldn’t put them on health appointment scheduling pages or inside patient portals, which users have every reason to expect not to be secretly sending their data to nosy third parties because they’re often explicitly told by those sites that they aren’t. Meta created a monster, but those websites are feeding it.

How Pixel makes tracking too easy

Meta makes Pixel available, free of charge, to businesses to embed in their sites. Pixel collects and sends site visitor data to Meta, and Meta can match this to a user’s profile on Facebook or Instagram, giving it that much more insight into that user. (There are also cases where Meta collects data about people who don’t even have Meta accounts.) Some data, like a visitor’s IP address, is collected by Meta automatically. But developers can also set Pixel up to track what it calls “events”: various actions users take on the site. That may include links they click on or responses in forms they fill out, and it helps businesses better understand users or focus on specific behaviors or actions.

All this data can then be used to target ads at those people, or to create what’s known as “lookalike audiences.” This involves a business asking Meta to send ads to people who Meta believes are similar to its existing customers. The more data Meta gets from businesses through those trackers, the better it should be able to target ads. Meta may also use that data to improve its own products and services. Businesses may use Pixel data for analytics to improve their products and services as well.

Businesses (or the third-party vendors they contract to build out their sites or run advertising campaigns) have a lot of control over what data about their customers Meta gets. The Markup discovered that, on some of the sites in its report, hospital website appointment pages were sending Meta the name of someone making an appointment, the date and time of the appointment, and which doctor the patient is seeing. If that’s happening, that’s because someone on the hospital’s end set Pixel up to do that. Either the hospital didn’t do its due diligence to protect that data or it didn’t consider it to be data worth protecting. Or perhaps it assumed that Meta’s tools would stop the company from collecting or using any sensitive data that was sent to it.

In its most recent hospital investigation, the Markup found that a third of the hospitals it looked at from a list of the top 100 hospitals in the country had a Pixel on appointment scheduling pages, and seven health systems had Pixels in their patient portals. Several of the websites removed Pixel after being contacted by the Markup.

How can a hospital justify any of this? The only hospital that gave the Markup a detailed response, Houston Methodist, claimed that it didn’t believe it was sending protected health information to Meta. The Markup found that the hospital’s site told Meta when someone clicked “schedule appointment,” which doctor they scheduled the appointment for, and even that the doctor was found by searching “home abortion.” But Houston Methodist said scheduling an appointment didn’t mean the appointment was ever confirmed, nor that the person who scheduled the appointment was the person that appointment was actually for. Houston Methodist might think it isn’t violating patient privacy, but its patients may well feel differently. But they’d also have no way of knowing this was happening in the first place without using special tools or having a certain level of technical knowledge. Houston Methodist has since removed the Pixel.

Another health system the Markup looked at, Novant Health, said in a statement that the Pixel was placed by a third-party vendor for a campaign to get more people to sign up for its patient portal system, and was only used to see how many people signed up. But the Markup found far more data than what was being sent to Meta, including medications that users listed and their sexual orientations. That third-party vendor appears to have made some mistakes here, but Novant’s the one that has a duty to its patients to keep their information private on websites that promise to do so. Not the third-party vendor, and not Meta.

This is not to let Meta off the hook. Again, it created the Pixel tracking system, and while it has rules and tools that are supposed to prevent certain types of sensitive information — like health conditions — from being sent to it, the Markup’s reports are evidence that those measures aren’t enough.

Meta told Recode in a statement that “our system is designed to filter out potentially sensitive data it detects.” But the Markup found those filters lacking when it came to data from at least one crisis pregnancy center’s website. Meta didn’t respond to Recode’s questions about what it does if it finds that a business is violating its rules.

Edwards, the security researcher, was even less charitable about how much blame Meta should get here.

“It’s 100 percent Facebook’s fault, in my opinion,” he said.

Meta also didn’t respond to questions from Recode asking what it does to ensure businesses are following its policies, or what it does with the sensitive information businesses aren’t supposed to send it. As it stands, it looks as though Meta is making and distributing a tracking tool that can materially benefit Meta. But if that tool is exploited or used incorrectly, someone else is responsible. The only people who pay the price for that, it seems, are the site visitors whose privacy is unknowingly invaded.

What you can do to avoid Pixel

There are a few things you can do to protect yourself here. Browsers like Safari, Firefox, and Brave offer tracker blockers. Todd Feathers, one of the reporters on the Markup’s hospital story, told Recode they used Chrome browsers with no privacy extensions for their tests. Speaking of privacy extensions, you can get those, too. VPNs and Apple’s paid private relay service can obscure your IP address from the sites you visit.

Finally, Meta has controls that limit tracking and ad targeting off of its platforms. The company claims that turning off “data about your activity from partners” or “off-Facebook activity” will stop it from using data collected by Pixel from being used to target ads to you. This means placing some trust in Meta that its privacy tools do what it claims they do.

And there’s always, of course, asking your lawmaker to push for privacy laws that would make some of these practices explicitly illegal, or forcing companies to inform and get user consent before collecting and sending their data to anyone else. A few new federal privacy bills or draft bills have been introduced as recently as this week. The interest is there among some members of Congress, but not in enough of them to come close to passing anything yet.