• by Laurie Sullivan , Staff Writer @lauriesullivan, April 28, 2022

The Markup, a non-profit newsroom that investigates how technology reshapes society, has released the initial findings from its Facebook Pixel Hunt study, which found that Facebook has been quietly gathering personal data about a variety of situations, including when prospective college students apply online for financial aid.

The study, released in in conjunction with Rally, Mozilla’s privacy-first data-sharing platform, analyzes data gathered between January and April 2022. It’s a first-of-its-kind joint research — working with Firefox users to reveal how Meta’s Pixel, a piece of computer code that tracks internet users across the web, is embedded in HTML of a website and provides a way to track and measure the effectiveness of the company's ads on everything from ecommerce to online gambling apps and student loans.

When asked to cite the most surprising discovery from the data, Colin Lecher, reporter at The Markup, said "finding this on such a potentially sensitive website" and that the "data collection happens regardless of whether [or not] you're signed in to Facebook. In this case, he said, it starts "even before you actually sign in to apply for aid." 

As it turns out, the free application for federal student aid (FAFSA) form included a code that sent personal information back to Facebook. The code sends Meta a detailed log of user interactions, such as when someone clicks on the image of a linked product to research more information. 

Volunteers were asked to install the Rally browser add-on, which detected the presence of the Pixel in their browser.

As of April 25, the study detected 2,635,130-pixel events, the majority of which are events sent by default:

• 39.1% (1,032,218) are PageView events.  
• 22.8% (602,166) are Microdata events.
• 14.6% (384,286) are SubscribedButtonClick events.
• 9.0% (236,870) are standard events other than the default PageView. 
• 14.5% (381,919) are custom events, including 5,520 unique custom event types.

The website developer manually determines the pieces of data to send via the Meta Pixel that will automatically look for recognizable fields, which contain information such as first name, surname, and email address.

The Meta Pixel receives information entered in these fields, as well as the event or action that took place. The study describes this here.

The group began with 5,447 participants, and will continue through July 13, 2022, but that number changes daily. Some 80% encountered the Meta Pixel on websites visited.

The study found that sensitive user information could have been sent to Meta from any number of sites without the person’s awareness or consent, but it’s not clear how the data was used.

The goal of the study is to gain insight into that data collection.

The group analyzed the pixel parameters to identify “Sensitive data” -- the data used to potentially identify users, or data about children under the age of 13, health information, financial information, or similar categories of information. 

It's interesting to note that a Department of Education spokesperson wrote in an email to The MarkUp that the department had “not sent any personally identifiable information to Meta (Facebook).”

Still, The Markup’s data shows the personal information was indeed being sent to Facebook before the tracking stopped following The Markup’s inquiry. It’s not clear if the department was clear on the actions taken.