When You Said That You Had Nothing to Hide – Did That Include Your Tax Return Info?
When privacy advocates question the immense sharing of data with others, at least some of them say that they don’t care; they have nothing to hide. Perhaps that is true. I’m kind of on the other side there. I don’t want folks to share my info unless I say so.
For the most part, we don’t know who is sharing what with whom.
Recently several hospitals have been in the news because they have been caught sharing patient data with the likes of Facebook – of course without asking.
Now it is coming to light that some of major tax preparation services like H&R Block, TaxAct and TaxSlayer have been sharing not only your names and emails, but also info like your income, filing status, refund amounts and dependent’s scholarship info.
All without asking permission. Well, maybe it is buried in that legal agreement that not even a lawyer could decipher.
We only know about this because some security researcher got curious. Who else is sharing other information – it is an unknown.
It doesn’t even matter whether you have a Facebook account for Facebook to be collecting your income and refund data, for example.
In the case of TaxAct, they sent your filing status, adjusted gross income to the nearest thousand, refund to the nearest hundred and even your dependent’s names. They also sent similar information, minus the names, to Google.
H&R Block sent information on your health savings account usage, dependents’ college tuition grants and expenses.
TaxSlayer sent phone numbers, the name of the person filling out the form and dependents’ names. Some of the data was lightly obfuscated but easy to reverse.
Dave Ramsey, a popular syndicated radio talk show financial advice company that also sells a lot of financial how to stuff, gathered even more data.
Even Intuit, makers of Turbotax, sent data, but much more limited data. It included the user name and last login time. But they did NOT put the tracking code on any pages after the user logged in, meaning no sensitive personal information could be compromised.
In response, TaxAct said they endeavor to comply with all IRS regulations. First off, that means that they might not comply, but more importantly, the message is that if it is not illegal for us to do this, then the hell with you.
Dave Ramsey said that they did that to deliver a more personalized customer experience. So does that mean that if you make a lot of money they are going to push different products at you than if you are poor?
Ramsey’s folks also claimed that they are ignorant and didn’t know what they were sending to Facebook. I don’t know which is worse – that they didn’t bother to figure out what they were sending before they signed up or that they knew and did it anyway.
TaxSlayer responded by saying that they removed the tracking code to “evaluate its use”. Translated, I guess this means, crap, we got caught and so we are going to stop for now.
The only one that came out smelling okay in this was Turbotax, who said that the tracking code does not track, gather or share information that users enter in TurboTax while filing their taxes.
It is likely that this activity is legal in the United States because it is buried in the 19 page license agreement that nobody reads and the alternative is to fill out your tax return by hand and mail it in to the IRS.
Readers should be clear that this is not an accident or oversight. This is intentional and until they got caught at it, it seemed like a good idea.
In the absence of a law against it, these companies will likely turn this data collection back on when they think the heat is gone.
Which means that researchers need to keep looking. Forever.
Credit: The Verge