If you’re one of the millions of students applying for student aid every year, then chances are Facebook—and Facebook’s parent company Meta—know about it.
That’s the main takeaway from a new investigation by The Markup, which found a tiny, invisible piece of code called the “Meta Pixel” lurking on the website where students apply for Free Application for Federal Student Aid, also known as FAFSA. The FAFSA folks have a pretty robust presence on both Facebook and Instagram and they run an equally robust number of ads across both. Presumably, someone at the Department of Education plopped the pixel on the page in order to better target those ads, using the Pixel to better know who was visiting, and when.
Data points like students’ first and last names, email addresses, and the fact that they applied for aid were all sent back to the company, according to code that the Markup posted for anyone to peruse.
If you peek at it, you might notice that the data is “hashed” in a way that, on paper, removed those identifying details. But it’s also worth noting that hashed data can easily be traced back to the device that produced it, sometimes pretty easily, even for a company without Meta’s tech prowess. After The Markup contacted the U.S. Department of Education about the practice, the agency yanked the offending code from FAFSA’s application page. This still leaves countless aid applicants’ data in Meta’s hands.
Even if you’ve never heard of a Meta Pixel before, there’s a good chance you’ve stumbled onto one somewhere across the web. Aside from the student aid page, there are more than one million websites in the United States alone that have that tiny piece of tech onboard. Meta’s pitch to site operators, in cases like these, is that the Pixel can track users as they roam across a given webpage so that the businesses and brands running these sites can retarget those users across properties like Facebook or Instagram. But the company’s privacy policies are kind of a gnarled mess and even Meta doesn’t know where that data might end up or how it might be used for targeting in the future. The company’s data policies make it clear that it retains this data for years on end.
Gizmodo reached out to Meta for comment on this story and we’ll update this post when we receive a reply. In a statement to The Markup, a spokesperson noted that the company “continues to proactively educate advertisers in sensitive verticals on how to properly set-up our business tools.”
What’s unclear is whether these attempts to educate the Department of Education are actually going anywhere. Government agencies are notoriously dense when it comes to anything technology, and when it comes to comprehending tech privacy, things get even worse. Getting this piece of tech off one site is a good start, but we still have a long way left to go.