The Markup found many sites tied to the national mental health crisis
hotline transmitted information on visitors through the Meta Pixel
<https://themarkup.org/pixel-hunt/2023/06/13/suicide-hotlines-promise-anonymity-dozens-of-their-websites-send-sensitive-data-to-facebook>
Websites for mental health crisis resources across the country—which
promise anonymity for visitors, many of whom are at a desperate moment
in their lives—have been quietly sending sensitive visitor data to
Facebook, The Markup has found.
Dozens of websites tied to the national mental health crisis 988
hotline, which launched last summer, transmit the data through a tool
called the Meta Pixel, according to testing conducted by The Markup.
That data often included signals to Facebook when visitors attempted to
dial for mental health emergencies by tapping on dedicated call buttons
on the websites.
In some cases, filling out contact forms on the sites transmitted hashed
but easily unscrambled names and email addresses to Facebook.
See the full data here.
GitHub
The Markup tested 186 local crisis center websites under the umbrella of
the national 988 Suicide and Crisis Lifeline. Calls to the national 988
line are routed to these centers based on the area code of the caller.
The organizations often also operate their own crisis lines and provide
other social services to their communities.
The Markup’s testing revealed that more than 30 crisis center websites
employed the Meta Pixel, formerly called the Facebook Pixel. The pixel,
a short snippet of code included on a webpage that enables advertising
on Facebook, is a free and widely used tool. A 2020 Markup investigation
found that 30 percent of the web’s most popular sites use it.
The pixels The Markup found tracked visitor behavior to different
degrees. All of the sites recorded that a visitor had viewed the
homepage, while others captured more potentially sensitive information.
Illustration of a pink vacuum hose sucking up pixels and dirt from
browser windows. Half of the browser windows are cleaned up of dirt and
sparkling.
Many of the sites included buttons that allowed users to directly call
either 988 or a local line for mental health help. But clicking on those
buttons often triggered a signal to be sent to Facebook that shared
information about what a visitor clicked on. A pixel on one site sent
data to Facebook on visitors who clicked a button labeled “24-Hour
Crisis Line” that called local crisis services.
Clicking a button or filling out a form also sometimes sent personally
identifiable data, such as names or unique ID numbers, to Facebook.
The website for the Volunteers of America Western Washington is a good
example. The social services nonprofit says it responds to more than
300,000 requests for assistance each year. When a web user visited the
organization’s website, a pixel on the homepage noted the visit.
If the visitor then tried to call the national 988 crisis hotline
through the website by clicking on a button labeled “call or text 988,”
that click—including the text on the button—was sent to Facebook. The
click also transmitted an “external ID,” a code that Facebook uses to
attempt to match web users to their Facebook accounts.
If a visitor filled out a contact form on the Volunteers of America
Western Washington’s homepage, even more private information was
transmitted to Facebook. After filling out and sending the form, a pixel
transmitted hashed, or scrambled, versions of the person’s first and
last name, as well as email address.
After publication, Maca Ferguson, a spokesperson for Volunteers of
America Western Washington, said the pixel was used for fundraising
efforts and “not intended to collect personally identifiable information
for purposes of tracking or transmitting this data back to Meta, its
subsidiaries, or any third party for any reason” and that any data was
sent “without our knowledge or consent.” Ferguson told The Markup the
organization has since removed the pixel.
The Markup found similar activity on other sites.
[...]
_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
