Meta under the microscope for the student aid website pixel • The Register

Meta’s Facebook subsidiary has collected hashed personal data from students applying for US government financial aid, even from those who don’t have a Facebook account and those who aren’t logged into the student aid website, according to a study published this week.

News nonprofit The Markup, working with Mozilla through its Rally data monitoring extension, found that the Meta Pixel code collected digital fingerprints representing the first name, last name, phone number, zip code, and email address of students completing the Free Application for Federal Student Aid, or FAFSA, on the US Department of Education’s website.

This data is hashed – meaning it is passed through a one-way function, the SHA-256 algorithm – before being sent to Meta, so Facebook does not receive the actual content of the information, such as someone’s name or email address. Each value is turned into a long, fixed-length number that acts as a fingerprint for that person’s form submission. Although Facebook cannot read exactly what was entered, the same input always produces the same hash, so it could still use these hashes for tracking or to link submissions to people’s Facebook profiles; if the hashes were useless for business, one wonders why they are collected.

“Federal Student Aid works hard to protect the privacy and security of customer data for those who visit our website,” Federal Student Aid Chief Operating Officer Richard Cordray told The Register. “In this case, we have determined that we need to go back and investigate this issue further. We will do so and provide more information as it becomes available.”

The Meta Pixel consists of JavaScript code that publishers add to their web pages to track ad conversions, usage analytics, and other data. In 2020, according to The Markup, it could be found on 30% of the top 100,000 websites.

Meta’s tracker can tell Facebook who visited a page – based on existing cookies – along with other information: HTTP headers including the IP address, the pixel ID, the Facebook cookie, buttons clicked and their labels, developer- and marketer-defined data, and web form field names (e.g. “Email Address”). As mentioned, the contents of form fields are hashed.

Used in conjunction with a feature called Advanced Matching, the Meta Pixel allows Facebook to capture the values entered into form fields (e.g. your email address) – even if the user has chosen to block Facebook cookies. This allows Meta to determine whether third-party site visitors have a Facebook account and to target ads based on previous visits to the site.

The Department of Education reportedly denied the tracking had taken place when first asked about it, then told The Markup that a settings change related to a March 22 ad campaign resulted in inadvertently tracking certain information about users, such as first name and last name. However, The Markup reports that personal data such as the user’s first and last name, country, phone number, and email address were being sent to Facebook as early as January.

The website privacy policy states, “The information you provide on or the myStudentAid app will only be used for the purpose for which you provided it.” Allowing Facebook to collect personal data appears to violate this commitment.

Not the reality we wanted

Elsewhere in data collection, researchers from the University of California, Irvine and an unaffiliated colleague probed the privacy practices of Meta’s Oculus VR platform and found that associated VR apps also collect a large amount of data with inadequate disclosure.

Rahmadi Trimananda, Hieu Le, Hao Cui, Janice Tran Ho, and Athina Markopoulou, all with UC Irvine, and independent researcher Anastasia Shuba describe their findings in a document titled “OVRseen: Auditing Network Traffic and Privacy Policies in Oculus VR,” to be presented at the Usenix Security Symposium in August.

Academics applied network traffic analysis to 140 free and paid VR apps and found that 70% of data flows are not properly described in privacy policies.

And when they looked at the privacy policies for VR apps available through the Oculus and SideQuest app stores, 69% of the data collected was used for purposes unrelated to the app’s core functions.

The data flows in question relate to personal information (identifiers, name, email, location), fingerprinting data (SDK version, hardware, operating system version, cookies, etc.) and VR sensory data (VR play area, VR movement, VR pupillary distance, and VR field of view). Advertising-related activity — Facebook began testing on-device ads for Oculus in June 2021 — was not included in the study.

Trimananda, a postdoctoral researcher at UC Irvine, reported what the group found to Oculus Support in September 2021, and was told he emailed the wrong address.

“However, even after trying to contact Meta (still Facebook then) with the web resources the person provided us with, we still haven’t received a response from the company,” he explained in an email to The Register.

“So we’re not entirely sure of their true position/comment/opinion regarding our findings. On the contrary, we’ve received much more positive feedback from Oculus app developers.”

Trimananda said the main issue is that the data collection practices for many of these apps aren’t covered by the apps’ privacy policies.

“We believe that many app developers neglected to provide a privacy policy in the first place and when they did have a privacy policy, they overlooked the fact that they were using these third-party libraries, such as Unity, in their application,” he said.

“Meta/Facebook hasn’t carefully checked the privacy policies of these apps, so it’s even happened to some of the official Oculus store apps.”

Some of that disconnect could be resolved by linking the privacy policies of Oculus, VR apps, and game engines like Unity used to create them, the document suggests. When the researchers looked at them together, the data practices conformed better to the policy descriptions.

“Oculus and Unity’s privacy policies are well written and clearly disclose the types of data collected,” the document explains. “…[D]evelopers may not be aware of their responsibility to disclose third-party data collections, or they may not know exactly how their apps’ third-party SDKs collect user data.”

Meta/Facebook did not respond to a request for comment. ®

Sherry J. Basler