This article was originally published on The Markup. This article was copublished with STAT, a national publication that delivers trusted and authoritative journalism about health, medicine, and the life sciences. Sign up for its health tech newsletter here.
Websites for mental health crisis resources across the country—which promise anonymity for visitors, many of whom are at a desperate moment in their lives—have been quietly sending sensitive visitor data to Facebook, The Markup has found.
Dozens of websites tied to the national mental health crisis 988 hotline, which launched last summer, transmit the data through a tool called the Meta Pixel, according to testing conducted by The Markup. That data often included signals to Facebook when visitors attempted to dial for mental health emergencies by tapping on dedicated call buttons on the websites.
In some cases, filling out contact forms on the sites transmitted hashed but easily unscrambled names and email addresses to Facebook.
The Markup tested 186 local crisis center websites under the umbrella of the national 988 Suicide and Crisis Lifeline. Calls to the national 988 line are routed to these centers based on the area code of the caller. The organizations often also operate their own crisis lines and provide other social services to their communities.
The Markup’s testing revealed that more than 30 crisis center websites employed the Meta Pixel, formerly called the Facebook Pixel. The pixel, a short snippet of code included on a webpage that enables advertising on Facebook, is a free and widely used tool. A 2020 Markup investigation found that 30 percent of the web’s most popular sites use it.
The pixels The Markup found tracked visitor behavior to different degrees. All of the sites recorded that a visitor had viewed the homepage, while others captured more potentially sensitive information.
Many of the sites included buttons that allowed users to directly call either 988 or a local line for mental health help. But clicking on those buttons often triggered a signal to be sent to Facebook that shared information about what a visitor clicked on. A pixel on one site sent data to Facebook on visitors who clicked a button labeled “24-Hour Crisis Line” that called local crisis services.
Clicking a button or filling out a form also sometimes sent personally identifiable data, such as names or unique ID numbers, to Facebook.
The website for the Volunteers of America Western Washington is a good example. The social services nonprofit says it responds to more than 300,000 requests for assistance each year. When a web user visited the organization’s website, a pixel on the homepage noted the visit.
If the visitor then tried to call the national 988 crisis hotline through the website by clicking on a button labeled “call or text 988,” that click—including the text on the button—was sent to Facebook. The click also transmitted an “external ID,” a code that Facebook uses to attempt to match web users to their Facebook accounts.
If a visitor filled out a contact form on the Volunteers of America Western Washington’s homepage, even more private information was transmitted to Facebook. After filling out and sending the form, a pixel transmitted hashed, or scrambled, versions of the person’s first and last name, as well as email address. Volunteers of America Western Washington did not respond to requests for comment.
The Markup found similar activity on other sites.
The Contra Costa Crisis Center, an organization providing social services in Northern California, noted to Facebook when a user clicked on a button to call or text for crisis services. About 3,000 miles away, in Rhode Island, an organization called BH Link used a pixel that also pinged Facebook when a visitor clicked a button to call crisis services from its homepage. (After publication of this article Contra Costa Crisis Center told The Markup that it had removed the pixel.)
Facebook can use data collected by the pixel to link website visitors to their Facebook accounts, but the data is collected whether or not the visitor has a Facebook account. Although the names and email addresses sent to Facebook were hashed, they can be easily unscrambled with free and widely available web services.
After The Markup contacted the 33 crisis centers about their practices, some said they were unaware that the code was on their sites and that they’d take steps to remove it.
“This was not intentional and thank you for making us aware of the potential issue,” Leo Pellerin, chief information officer for the United Way of Connecticut, a partner in the national 988 network, said in an emailed statement. Pellerin said they had removed the code, which they attributed to a plug-in on their website.
Lee Flinn, director of the Idaho Crisis and Suicide Hotline, said in an email that she had “never heard of Meta Pixel” and was asking the outside vendor who had worked on the organization’s site to remove the code. “We value the privacy of individuals who reach out to us, and any tracking devices are not intentional on our part, nor did we ask any developer to install,” she said. “Anything regarding tracking that is found will be immediately removed.”
Ken Gibson, a spokesperson for the Crisis Center of Tampa Bay, said the organization had recently placed the pixel on its site to advertise for staff but would now reduce the information the pixel gathers to only careers pages on the site.
In follow-up tests, four organizations appeared to have completely removed the code. The majority of the centers we contacted did not respond to requests for comment.
“Advertisers should not send sensitive information about people through our Business Tools,” Meta spokesperson Emil Vazquez told The Markup in an emailed statement that mirrored those the company has previously provided in response to reporting on the Meta Pixel. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Vazquez did not respond to a question about whether or how Meta could determine if this specific data was filtered.
There is no evidence that either Facebook or any of the crisis centers themselves attempted to identify visitors or callers, or that an actual human ever identified someone who attempted to call for help through a website. Some organizations explicitly said in response to The Markup’s requests for comment that they valued the anonymity promised by the 988 line.
Mary Claire Givelber, executive director of New Jersey–based Caring Contact, said in an email that the organization had briefly used the pixel to recruit volunteers on Facebook but would now remove it.
“For the avoidance of all doubt, Caring Contact has not used the Meta Pixel to identify, target, or advertise to any potential or actual callers or texters of the Caring Contact crisis hotline,” Givelber said.
Meta can use information gathered from its tools for its own purposes, however, and data sent to the company through the pixels scattered across the web enters a black box that can catalog and organize data with little oversight.
Divendra Jaffar, a spokesperson for Vibrant Emotional Health, the nonprofit responsible for administering the national 988 crisis line, pointed out in an emailed statement that data transmitted through the pixel is encrypted.
“While Vibrant Emotional Health does not require our 988 Lifeline network of crisis centers to provide updates on their marketing and advertising practices, we do provide best practices guidelines to our centers, counselors, and staff and hold them to rigorous operating standards, which are reviewed and approved by our government partners,” Jaffar said.
The organization did not respond to a request to provide any relevant best practices.
Jen King, the privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence, said in an interview that, regardless of the reasons, Meta is gathering far too much data through its tools.
“Even if this is accidental still on the part of the developers, you shouldn’t still be able to fall into this trap,” she said. “The time has long passed when you can use that excuse.”
The Pixel and Sensitive Data
Meta, Facebook’s parent company, offers the pixel as a way to track visitors on the web and to more precisely target ads to those visitors on Facebook. For businesses and other organizations, it’s a valuable tool: A small company can advertise on Facebook directly to people who purchased a certain product, for example, or a nonprofit could follow up on Facebook with users who donated on their last visit to a website.
One organization, the Minnesota-based Greater Twin Cities United Way, said it did not use its website to reach out to potential 988 callers but instead focused on “donors and other organizational stakeholders.” Sam Daub, integrated marketing manager of the organization, said in an emailed statement that the organization uses tools like the pixel “to facilitate conversion-tracking and content retargeting toward users who visit our website” to reach those people but did not track specific activity of 988 callers.
Apart from encouraging users to buy ads, this sort of data is also potentially valuable to Meta, which, in accordance with its terms of service, can use the information to power its algorithms. The company reserves the right to use data transmitted through the pixel to, for instance, “personalize the features and content (including ads and recommendations) that we show people on and off our Meta Products.” (This is one of the reasons an online shopper might look at a pair of pants online and suddenly see the same pair follow them in advertisements across social media.)
The pixel has proved massively popular. The company told Congress in 2018 that there were more than two million pixels collecting data across the web, a number that has likely increased in the time since. There is no federal privacy legislation in the United States that regulates how most of that data can be used.
Meta’s policies prohibit organizations from sending sensitive information through the pixel on children under 13, or generally any data related to sensitive financial or health matters. The company says it has an automated system “designed to filter out potentially sensitive data that it detects” but that it is advertisers’ responsibility to “ensure that their integrations do not send sensitive information to Meta.”
In practice, however, The Markup has found several major services have sent sensitive information to Facebook. As part of a project in partnership with Mozilla Rally called the Pixel Hunt, The Markup found pixels transmitting information from sources including the Department of Education, prominent hospitals, and major tax preparation companies. Many of those organizations have since changed how or whether they use the pixel, while lawmakers have questioned the companies involved about their practices. Meta is now facing several lawsuits over the incidents.
The types of sensitive health information Meta specifically prohibits being sent include information on “mental health and psychological states” as well as “physical locations that identify a health condition, or places of treatment/counseling.” Vazquez did not directly respond to a question about whether the data sent from the crisis centers violated Meta’s policies.
There is evidence that even Meta itself can’t always say where that data ends up. In a leaked document obtained and published by Vice’s Motherboard, company engineers said they did not “have an adequate level of control and explainability over how our systems use data.” The document compared user data to a bottle of ink spilled into a body of water that then becomes unrecoverable. A Facebook spokesperson responded to the report at the time, saying it left out a number of the company’s “extensive processes and controls to comply with privacy regulations,” though the spokesperson did not give any specifics. “It’s simply inaccurate to conclude that it demonstrates non-compliance,” the spokesperson said.
“The original use cases [for the pixel] perhaps weren’t quite so invasive, or people weren’t using it so widely,” King said but added that, at this point, Meta is “clearly grabbing way too much data.”
988 History and Controversy
The national 988 crisis line is the result of a years-long effort by the Federal Communications Commission to provide a simple, easy-to-remember, three-digit number for people experiencing a mental health crisis.
Crisis lines are an enormously important social service—one that research has found can deter people from suicide. The new national line, largely a better-funded, more accessible version of the long-running National Suicide Prevention Lifeline, answered more than 300,000 calls, chats, and texts between its launch in the summer of last year and January.
But the launch of 988 has been accompanied by questions about privacy and anonymity, mostly around how or whether callers to the line can ever be tracked by emergency services. The national line is advertised as an anonymous service, but in the past callers have said they’ve been tracked without their consent when calling crisis lines. Police have sometimes responded directly in those incidents, leading to harrowing incidents.
The current 988 line doesn’t track users through geolocation technology, according to the service, although counselors are required to provide information to emergency services like 911 in certain situations. That requirement has been the source of controversy, and groups like the Trans Lifeline, a nonprofit crisis hotline serving the trans community, stepped away from the network.
The organization has launched a campaign to bring the issue more prominence. Yana Calou, the director of advocacy at Trans Lifeline, told The Markup in an interview that there are some lines that “really explicitly don’t” track, and the campaign is meant to direct people to those lines instead. (Trans Lifeline, which is not involved in the national 988 network, also uses the Meta Pixel on its site. After being alerted by The Markup, a Trans Lifeline spokesperson, Nemu HJ, said they would remove the code from the site.)
Data-sharing practices have landed other service providers in controversy as well. Last year, Politico reported that the nonprofit Crisis Text Line, a popular mental health service, was partnering with a for-profit spinoff that used data gleaned from text conversations to market customer-service software. The organization quickly ended the partnership after it was publicly revealed.
Having a space where there’s a sense of trust between a caller and an organization can make all the difference in an intervention, Calou said. “Actually being able to have people tell us the truth about what’s going on lets people feel like they can get support,” they said.
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.