Looks like potential privacy violations aren’t the only problem with the use of so-called Web bugs to track people’s actions as they file online tax returns.
They might also be illegal.
As I wrote last week, Web bugs, or Web beacons, are a technology used by Intuit’s TurboTax and H&R Block to monitor users’ comings and goings during the electronic filing process.
Hidden Web bugs on an Internet site essentially instruct third-party marketers to deposit a cookie in the taxpayer’s browser. A cookie is the computer equivalent of tagging a deer.
The combination of Web bugs and cookies, in turn, allows information about your use of the site to be gathered as you prepare and file your return.
While Web bugs are ubiquitous on the Internet, their use with online tax returns is relatively new. Mountain View’s Intuit, for example, began using them just last year.
It turns out, though, that the technology may violate Section 17530.5 of the California Business and Professions Code.
The law states that it’s a misdemeanor for any company “to disclose any information obtained in the business of preparing federal or state income tax returns or assisting taxpayers in preparing those returns, including any instance in which this information is obtained through an electronic medium.”
The sharing of such information is allowed only if “consented to in writing by the taxpayer in a separate document that states to whom the disclosure will be made and how the information will be used.”
State Sen. Joseph Dunn, D-Santa Ana, introduced the legislation in 2000 to amend a law on disclosure of tax info. His bill expanded the law to include electronic filing.
He said Intuit and H&R Block strongly lobbied against the legislation, arguing that existing safeguards were sufficient to protect taxpayers.
However, Dunn said, it looks like both companies are violating the law by using Web bugs to gather information on taxpayers and share it with so-called Web analytics firms that process the data.
“It appears that the worst nightmare of tax-privacy advocates has come true,” he said. “This is exactly why I authored the bill — to ensure that Californians’ personal tax information would not be left to the honor system.”
Intuit and H&R Block insist that no personal info is captured by the Web bugs. They say the technology merely monitors site usage to make sure that things are running smoothly.
However, privacy advocates say that tracking people as they fill out online tax returns could open the door to confidential data leaking out.
Tom Linafelt, a spokesman for H&R Block, said the company’s use of Web bugs “is in accordance with all federal and state privacy laws.”
Intuit didn’t respond to repeated requests for comment
A spokesman for the Internal Revenue Service, which steers taxpayers to both Intuit’s and H&R Block’s online services via its Free File program, declined to discuss the matter. (Meanwhile, the IRS proudly declares that its own site is free of Web bugs.)
Chris Hoofnagle, who heads the San Francisco office of the Electronic Privacy Information Center, said it appears that Web bugs are prohibited under the California law’s broad embrace of “any information obtained in the business of preparing federal or state income tax returns.”
“This is going to be a problem for the tax-preparation companies,” he said. “They’re obtaining information about people through the Web bugs, and they don’t seem to be getting the proper consent.”
Hoofnagle said he can’t imagine Intuit and Block going to all the trouble of seeking written consent from customers to authorize use of tracking technology during tax preparation.
“The upshot will be no more Web bugs,” he said. “When data-collection is burdened with more responsibilities, businesses tend to collect less data.”
As far as your tax return goes, that’s probably not such a bad thing.
Zaba update: Things are changing fast at ZabaSearch.com, the online people-finder I wrote about the other day that offers oodles of info about virtually anyone, free of charge.
The service already tells others, with alarming accuracy, your birth year, home address and phone number, along with links to a map to your house, a satellite photo and even a weather report for your neighborhood.
Now ZabaSearch has expanded its offerings to allow people to see whether you’re listed in a database of federal prison inmates, or whether your name appears in death records or a legal directory.
“We’re still determining the kind of information people want to find out, ” said Nicholas Matzorkis, the company’s chairman (who was born in 1962 and resides at 2600 Scenic Drive in Austin, Texas, an affluent neighborhood on the shore of Lake Austin, where a chance of thunderstorms is forecast for today).
“We’re trying lots of different things,” he said. “We expect to keep adding more.”
Another thing ZabaSearch is trying is a more laborious process for removing oneself from the company’s database. As of last week, people could opt out by e-mail.
Now, however, ZabaSearch requires a written request, by mail, that includes your name, home address, e-mail address, phone number and year of birth — basically everything they want to know about you.
Matzorkis said the snail-mail process isn’t meant to deter people from deleting themselves from the company’s files, and he said the personal info only ensures that all relevant records are erased.
A new-and-improved online opt-out procedure, Matzorkis said, will be introduced next month.
“We made a determination that until we had a reliable automated system, the only way to do this reliably is to do it by mail,” he said.
However, ZabaSearch still says in its terms and conditions that it can’t guarantee you’ll be removed from the company’s database even if you mail in all that info.
If that’s not enough to discourage you, the opt-out address is ZabaTools, 820 Park Row, Suite 658, Salinas, CA 93901.