Meta under the microscope over pixel on student help website • The Register

Facebook subsidiary Meta has collected hashed personal data from students seeking financial assistance from the US government, even from those without a Facebook account who are not logged into the student help site, according to a research study published this week.

The news nonprofit The Markup, working with Mozilla via the Rally Data Monitor extension, found that Meta Pixel code collects digital fingerprints representing the first and last name, phone number, zip code, and email address of students who fill out a Free Application for Federal Student Aid, or FAFSA, on the US Department of Education’s website.

This data is hashed (meaning it’s encrypted one way, using the SHA-256 algorithm) before it’s sent to Meta, so Facebook doesn’t get to see the actual content of the information, like someone’s name or email address. The information is reduced to long numbers that act as digital fingerprints for each person’s form submissions. Although Facebook can’t see exactly what’s entered, it’s likely to use these hashes for tracking purposes or to associate submissions with people’s Facebook profiles; if the hashes are useless to the business, one wonders why they are collected at all.

“Federal Student Aid works hard to protect the privacy and security of customer data for those who visit our website,” Richard Cordray, chief operating officer of Federal Student Aid, told The Register. “In this case, we have decided that we need to go back and research this issue fully. We will do that and provide more information as it becomes available.”

The Meta Pixel consists of JavaScript code that publishers add to their web pages to track ad conversions, gather usage analytics, and perform other data collection. As of 2020, according to The Markup, it could be found on 30 percent of the top 100,000 websites.

The Meta tracker can tell Facebook who visited a page, based on the cookies present, along with other information: the HTTP headers, including the IP address; the Pixel ID; the Facebook cookie; buttons clicked and their labels; data set by developers and marketers; and the names of web form fields (such as “E-mail address”). As mentioned, the content of form fields is hashed.

Used in conjunction with a feature called Advanced Matching, the Meta Pixel allows Facebook to capture values entered in form fields (such as your email address), even if the user chooses to block Facebook cookies. This allows Meta to determine if visitors to third-party sites have a Facebook account and to target ads based on previous site visits.
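Because SHA-256 is deterministic, anyone who already knows a value can recompute its fingerprint, and the same property lets an auditor spot hashed form values in outbound requests. The sketch below is an added example, not code from the article, The Markup or Meta; the normalisation rules, the `tracker.example` host and the parameter names are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

HEX64 = re.compile(r"^[0-9a-f]{64}$")  # shape of a hex-encoded SHA-256 digest

def normalize(field, value):
    """Assumed normalisation: trim and lowercase; phone numbers keep digits only."""
    value = value.strip().lower()
    return re.sub(r"\D", "", value) if field == "phone" else value

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def find_hashed_pii(test_identity, request_urls):
    """Flag query parameters that carry a SHA-256 digest, naming the test
    field it was derived from when the digest matches a known value."""
    known = {sha256_hex(normalize(f, v)): f for f, v in test_identity.items()}
    findings = []
    for url in request_urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = value.lower()
            if HEX64.match(value):
                findings.append({
                    "host": parts.hostname,
                    "param": name,
                    "field": known.get(value, "unknown-hash"),
                })
    return findings

# Constructed test identity, as an auditor would type it into the form.
TEST_IDENTITY = {
    "email": " Jane.Doe@Example.org ",
    "first_name": "Jane",
    "phone": "(555) 010-0199",
}

def build_sample_requests():
    """Constructed capture: one request leaks hashes, two are benign-looking."""
    h = lambda f: sha256_hex(normalize(f, TEST_IDENTITY[f]))
    return [
        "https://tracker.example/tr?id=PIXEL_ID_PLACEHOLDER&ev=SubmitForm"
        f"&em={h('email')}&fn={h('first_name')}",
        "https://tracker.example/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView",
        f"https://cdn.example/lib.js?v={'ab' * 32}",  # digest-shaped, not ours
    ]

if __name__ == "__main__":
    for finding in find_hashed_pii(TEST_IDENTITY, build_sample_requests()):
        print(finding)
```

The matched findings show that the hash works as a stable identifier for whoever can compute it from the same input, which is why hashed fields still need to be treated as personal data in a traffic audit.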

The Department of Education allegedly denied tracking when first asked about it, and then told The Markup that a settings change related to an ad campaign on March 22 inadvertently caused some user information, such as first and last name, to be tracked. However, The Markup reported seeing personal data such as a user’s first and last name, country, phone number and email address being sent to Facebook as early as January. The website’s privacy policy states that “The information you provide on or the myStudentAid application will only be used for the purpose for which you provided it.” Allowing Facebook to collect personal data appears to violate this obligation.

Not the truth we wanted

Elsewhere in data collection, researchers from the University of California, Irvine, and an unaffiliated colleague audited the privacy practices of Meta’s Oculus VR platform and found that associated virtual reality apps also collect a large amount of data with insufficient disclosure.

Rahmadi Trimananda, Hieu Le, Hao Cui, Janice Tran Ho, and Athina Markopoulou, all from UC Irvine, and independent researcher Anastasia Shuba describe their findings in a paper titled “OVRseen: Auditing Network Traffic and Privacy Policies in Oculus VR,” scheduled to be presented at the Usenix Security Symposium in August.

The academics applied network traffic analysis to 140 free and paid virtual reality apps and found that 70 percent of data flows were not properly described in privacy policies.

And when they looked at the privacy policies of virtual reality apps available across the Oculus and SideQuest app stores, 69 percent of the data collected was used for purposes not related to the app’s core functionality.

The problematic data flows include personal information (identifiers, name, email, and location), fingerprints (SDK version, hardware information, system version, cookies, etc.), and VR sensory data (VR play area, VR movement, VR pupillary distance, and VR field of view). Ad-related activity (Facebook began testing ads on the device for Oculus in June 2021) was not included in the study.

Trimananda, a postdoctoral researcher at the University of California, Irvine, reported the group’s findings to Oculus support in September 2021 and was told he had sent an email to the wrong address, he explained in an email to The Register.

“Therefore, we are not entirely sure of their true position/comment/opinion regarding our findings. On the contrary, we have received much more positive feedback from Oculus app developers.”

The main issue, Trimananda said, is that the data collection practices of many of these apps are not covered by the apps’ privacy policies.

“We think a lot of app developers neglected to provide the privacy policy in the first place and when they had a privacy policy, they neglected the fact that they were using these third party libraries, like Unity, in their apps,” he said.

“Meta/Facebook has not carefully checked the privacy policies of these apps, so this has happened even with some apps from the official Oculus Store.”

Part of that disconnect could be resolved by linking the privacy policies of Oculus and the VR apps and game engines like Unity used to create them, the paper suggests. When the researchers looked at it all together, the data practices were better aligned with the policy descriptions.

“Oculus and Unity’s privacy policies are well written and clearly disclose the types of data collected,” the research paper states. “… [D]evelopers may not be aware of their responsibility to disclose third-party data sets, or may not know exactly how third-party SDKs in their apps collect data from users.”

Meta/Facebook did not respond to a request for comment. ®