Facebook’s Meta, tracking code, and the student financial aid website

Meta’s Facebook subsidiary has been collecting hashed personal data from students seeking US government financial aid, even from those without a Facebook account and those not logged into the student aid website, according to a research study published this week.

News non-profit The Markup, working with Mozilla via its Rally data monitoring extension, found that the Meta pixel code has been gathering digital fingerprints representing the first name, last name, phone number, zip code, and email address of students filling out the Free Application for Federal Student Aid, or FAFSA, on the US Department of Education’s StudentAid.gov website.

This data is hashed – meaning it is one-way encrypted, using the SHA-256 algorithm – before it is sent to Meta, so Facebook doesn’t obtain the actual content of the information, such as someone’s name or email address. The info is scrambled into long numbers that act as digital fingerprints for each person’s form submissions. Though Facebook can’t see exactly what was entered, it could potentially use these hashes for tracking purposes or linking submissions to people’s Facebook profiles; if the hashes are useless to the biz, one wonders why it’s collected at all.

“Federal Student Aid works hard to protect the privacy and security of customer data for those who visit our our StudentAid.gov website,” Federal Student Aid chief operating officer Richard Cordray told The Register. “In this instance, we have determined that we need to go back and research this issue more fully. We will do that and provide more information as it becomes available.”

The Meta pixel consists of JavaScript code publishers add to their web pages for tracking ad conversions, usage analytics, and other data collection. As of 2020, according to The Markup, it could be found on 30 percent of the top 100,000 websites.

Meta’s tracker can tell Facebook who visited a page – based on existing cookies – and other information – HTTP headers, including IP address, Pixel ID, Facebook Cookie, clicked buttons and their labels, data set by developers and marketers, and web form field name (eg “Email address”). As mentioned, the content of the form fields is hashed.

Used in conjunction with a feature called Advanced Matching, the Meta pixel allows Facebook to capture the values entered into form fields (e.g. your email address) – even if the user has chosen to block Facebook cookies. This allows Meta to determine whether visitors to third-party sites have a Facebook account and to target ads based on previous site visits.

The Department of Education allegedly denied the tracking had occurred when first asked about it, then told The Markup that a settings change related to a March 22 ad campaign inadvertently caused some StudentAid.gov user information, like first and last name, to be tracked. However, The Markup reports seeing personal data like the user’s first and last name, country, phone number, and email address being sent to Facebook as early as January.

The StudentAid.gov privacy policy states, “The information you provide on StudentAid.gov or the myStudentAid app will be used only for the purpose for which you provided it.” Allowing Facebook to collect personal data appears to violate that commitment.

Not the reality we wanted

Elsewhere in data harvesting, researchers from the University of California, Irvine, and an unaffiliated colleague have plumbed the privacy practices of Meta’s Oculus VR platform and found that associated VR apps also collect a large amount of data with inadequate disclosure.

Rahmadi Trimananda, Hieu Le, Hao Cui, Janice Tran Ho, and Athina Markopoulou, all with UC Irvine, and independent researcher Anastasia Shuba describe their findings in a paper titled, “OVRseen: Auditing Network Traffic and Privacy Policies in Oculus VR,” scheduled to be presented at the Usenix Security Symposium in August.

The academics applied network traffic analysis to 140 free and paid VR apps and found that 70 percent of the data flows are not properly described in privacy policies.

And when they looked at the applicable privacy policies for the VR apps available via the Oculus and the SideQuest app stores, 69 percent of the data collected was used for purposes unrelated to the core functions of the app.

The data flows at issue involve personal information (identifiers, name, email, location), fingerprinting (SDK version, hardware, info system version, cookies, etc.), and VR sensory data (VR play area, VR movement, VR pupillary distance, and VR field of view). Ad-related activity – Facebook began testing on-device ads for Oculus in June, 2021 – was not included in the study.

Meta Personal Boundary image

Meta strikes blow against 30% ‘App Store tax’ by charging 47.5% Metaverse toll

READ MORE

Trimananda, a postdoctoral researcher at UC Irvine, reported what the group found to Oculus support in September, 2021, and was told he’d emailed the wrong address.

“However, even after we tried contacting Meta (still Facebook then) with the web resources the person gave us, we still have not received any response from the company,” he explained in an email to The Register.

“So, we are not entirely sure what their real position/comment/opinion is with regard to our findings. On the contrary, we received much more positive feedback from Oculus app developers.”

Trimananda said the main issue is that the data collection practices for many of these apps are not covered in app privacy policies.

“We think that a lot of app developers neglected providing a privacy policy in the first place and when they did have a privacy policy, they neglected the fact that they were using these third-party libraries, such as Unity, in their app,” he said.

“Meta/Facebook did not carefully check the privacy policies of these apps, so this even happened to some of the apps from the official Oculus store.”

Part of this disconnect could be solved by linking together the privacy policies of Oculus, VR apps, and the game engines like Unity used to create them, the paper suggests. When the researchers looked at these all together, the data practices conformed better to policy descriptions.

“The Oculus and Unity privacy policies are well-written and clearly disclose collected data types,” the paper explains. “…[D]evelopers may be unaware of their responsibility to disclose third-party data collections, or they may not know exactly how third-party SDKs in their apps collect data from users.”

Meta/Facebook did not respond to a request for comment. ®

READ MORE HERE