Google 'wiretapped' tax websites with visitor traffic trackers, lawsuit claims

Google was sued on Thursday for allegedly "wiretapping" several tax preparation websites and gathering people's sensitive personal data.

And by wiretapping, they mean Google Analytics code added by the tax firms themselves to their own websites to measure visitor traffic and demographics.

The complaint [PDF], filed in a US federal district court in San Jose, California, on behalf of plaintiff Malissa Adams and others, accuses Google of collecting personal data from US taxpayers using online tax filing websites offered by H&R Block, TaxAct, and TaxSlayer, among others.

"What made this wiretapping possible is Google Analytics' tracking pixel, which is embedded in the JavaScript of online tax preparation websites," the complaint stated.

Google Analytics works like this, mainly: Google generates a snippet of JavaScript code to include in your pages; when people visit those pages, the code pings home to Google, allowing the ads giant to record details of those individual visits. Site owners can then view dashboards summarizing their traffic: how many people were looking at what times, which countries they were in, what kind of device they used, and so on. There are other ways to add pages to Analytics.

"These tax preparation companies sent private tax return information to Google through Google Analytics and its embedded tracking pixel," the lawsuit continued, "which was installed on their websites. These pixels sent massive amounts of user data to Google to improve its ad business and enhance its other business tools."

Doing so is illegal, the complaint contended, because under American law tax-return information cannot be disclosed to unauthorized parties without consent from the payer. It will be interesting to see if the courts rule that Analytics actually vacuums up tax-return info.

Google Analytics can collect as many as 200 different metrics, according to the complaint, which says that while the ad giant maintains such information is not associated with individuals, "a Stanford and Princeton study [PDF] found that Google’s tracking software is able to 'successfully carry out de-anonymization' through a simple process that leverages a user’s web browsing history collected by Google’s tracking tools."

Google did not immediately respond to a request for comment. (Full disclosure: Yes, like many websites, The Register uses Google Analytics among other tools to keep track of readership size.)

The tax privacy lawsuit follows a report [PDF] released last month by seven US lawmakers that said TaxAct, H&R Block, and TaxSlayer had admitted "that they shared taxpayer data via their use of the Meta Pixel and Google’s tools."

The legislators' dossier built on investigative work done by The Markup in early 2022, with the help of Mozilla Rally, to study the Meta Pixel and how it collects data. A subsequent report from the news non-profit focused on tax company websites.

Though privacy concerns about "wiretapping" from tracking pixels and related scripts date back more than two decades, when they were referred to as "web bugs" or more euphemistically "web beacons," government officials didn't really get serious about raising the alarm and doing very little until Facebook's Cambridge Analytica scandal in 2018.

• Tax prep firms 'recklessly shared' your data with Google and Meta – senators
• YouTube accused of aiming ads at kids after promising it wouldn't do that
• Google's browser security plan slammed as dangerous, terrible, DRM for websites
• Get your staff's consent before you monitor them, tech inquiry warns

That year, Facebook CEO Mark Zuckerberg testified in a congressional hearing where it was revealed that there were 2.2 million Facebook pixels installed on websites at the time, not to mention 8.4 million Like buttons and 931,000 Share buttons which fed data back to the social network.

Since then, thanks to state privacy laws, there's been an uptick in litigation alleging privacy violations from web analytics code, particularly in the healthcare sector.

In May, for example, Google was sued for intercepting healthcare information from Planned Parenthood websites. A forensic report [PDF] recently filed in that case, "found extensive disclosures of communications between patients and health care providers to Google."

According to analyst house BakerHostetler's 2023 Data Security Incident Response Report, "since August 2022, more than 50 lawsuits have been filed against hospital systems, alleging they track and disclose patients’ identities and online activities via third-party website analytics tools without the website visitors’ knowledge and consent." ®