Save content
Have you found this content useful? Use the button above to save it to your profile.
A man holding binoculars viewing sensitive data on a computer

Is your tax information being shared with BigTech and others? Maybe!


Tax software is in the spotlight over in America for sharing sensitive information with online tech giants such as Google and Meta. How did this happen? And could the same thing also be happening closer to home?

18th Jul 2023
Save content
Have you found this content useful? Use the button above to save it to your profile.

In the United States, Senators have released a 54-page report [PDF] detailing what they describe as "outrageous, extensive, and potentially illegal sharing of taxpayers' sensitive personal and financial information with Meta by online tax preparation companies."

In the spotlight are several online services used by US citizens to prepare their tax returns. The report, titled "Attacks on Tax Privacy: How the Tax Prep Industry Enabled Meta to Harvest Millions of Taxpayers’ Sensitive Data," looked specifically at how TaxAct, TaxSlayer, and H&R Block collected sensitive personal and financial taxpayer data using ad tracking tools from Meta and Google.

In their seven-month investigation, the senators discovered that one firm not only shared taxpayer filing status, adjusted gross income, and names of dependents, but also included details like federal tax owed. 

The information was aligned with Meta’s identity tracking which includes personal information such as the person’s full name, email, postal address, phone number, and even gender. Meta was then able to use the data to target ads at taxpayers and train its own AI algorithms, the senators claim.

AccountingWEB was then deluged with enquiries and posts asking whether the same thing could be happening closer to home. The answer (as ever) is ‘it depends’.

Could it happen to me or my client?

It is all down to how you share your tax information and with whom.

The US taxpayers impacted were using online services to prepare their tax returns in advance of them being submitted. The pages on these websites also carried advertisements. The advertisers wanted to track who was viewing their adverts and were using Meta Pixel or Google's ad tools to do so.

Those managing the websites should be able to limit the data that is passed on to the tech giants and then on to advertisers. Google and Meta claim to have mechanisms to prevent the collection of taxpayer data, but in their report the Senators stated that "these filtering systems appeared to be ineffective."

If you enter data directly into the HMRC website (which does not carry advertisements) then you should be in the clear (depending on what other tracking software you have on whatever device you used).

If the information is passed privately between a taxpayer and their accountant then you’d expect this to also be in the clear, but it depends on how the information was shared and stored.

If a web form or web portal was used to enter your data and there were advertisements on the same web page then unless the site was carefully set up to restrict the data shared, the chances are that it was all then passed on to the tech giants.

The site may ask you whether you object to the use of cookies (a nice fluffy word the tech giants use to describe tracking tools) and embedded on the web page along with the advert will be a tag (a nice fluffy word the tech giants use to describe spy pixels) which will feed your data to whoever operates the ad tools (a market dominated by Meta and Google). Even if you object to the use of cookies, you need to trust that the website isn’t ignoring your preference and tracking you all the same.

Authorities target financial data

Regulators are aware that sensitive personal information is collected in this way. Data protection authorities in countries like Austria, France and Italy have found that the use of Google Analytics violates GDPR, and the Swedish authority has gone as far as fining Google.

You might not object to such sensitive data being used to target ads at you or to train AI algorithms, but law enforcement authorities can also seize the data in the US. If you are a US citizen, you are taxed on any income earned anywhere in the world, even outside the US. Even if you are not a US citizen then you might have qualms about your private and financial data being seen by US authorities.

However, this is not the full extent of the potential snooping. If financial information is shared between accountant and client by email, and either party uses an email system run by a US tech giant like Microsoft or Google, then these emails and all the sensitive information they contain could be seized in the same way. The same applies if either client or accountant stores this information with a cloud provider like AWS, Azure or Google Cloud, and also applies to all US-based SaaS apps (applications that run in the cloud).

Note that the US authorities use secret warrants when seizing the data and that they can even seize data held in the UK or EU by US tech firms. The gag orders attached to these warrants prevent the tech firms from even letting you know that your data has been seized. Thankfully HMRC cannot use such warrants and is hampered by the local legal system in the UK and traditions like independent judicial oversight.

Supplementary measures

The only way to counter such US data seizures is to apply what they call supplementary measures - things like encryption - to prevent the data from being of any use if seized. 

Accountants should either use a sovereign cloud and email system or apply specific supplementary measures in this way. A useful list to go from is the list of local cloud providers using tools like VMware Cloud that can be set up to shield data from prying eyes.

If you are an accounting firm seeking a point of differentiation, then you might want to explore this and ensure that you are shielding your clients’ data in this way. Your clients are likely to be more than a little miffed if you aren’t.

Replies (3)

Please login or register to join the discussion.

By gillsoffice
20th Jul 2023 11:17

I have absolutely no confidence that any organisation is keeping our (or our clients') data safe. Despite ever increasing data protection/AML/security legislation the systems we submit info to can be (& are being) hacked, and the temptation to earn a few extra £ by selling on data must be hard to resist.
I have lost count of the times I have been asked to submit id (passport/driving licence/inside leg measurements ...) to banks & other organisations - what do they do with all of this info? I don't believe they keep it safely locked up, many of them use 3rd parties to collect this info for them . I had to submit my id info to one big bank online, who promptly lost it - they told me it would definitely have been destroyed within their security procedures, but they couldn't track that through and provide me with any confirmation. Whoever found that info, wherever it ended up, had all of the info needed to set a bank account in my name.
I'm of an age where we used to hand write tax returns and deliver them to the local tax office, and a tax payer (customer!) signature was proof enough. Digitisation had made the process much easier, but I'm not sure it's safer for any of us.

Thanks (4)
Replying to gillsoffice:
By Hugo Fair
20th Jul 2023 15:24

Quite ... it's not just 'tax information'.

This is the flipside of the 'everything digital' vision beloved by HMRC (and the rest of govt + big business) ... even the legal channels 'share' data (for reasons that start as laudatory but quickly seep into murkier waters).

And the weakest point isn't the legal exchanges (or even the quasi-legal ones in the article), it remains the 'on-site hacker' (aka disaffected and underpaid employees who simply accesses & downloads data with a commercial value).

I can't prove the connection, but after a lifetime of avoiding all but the barest footprint in the digital world (no social networking sites / paper returns where possible / cash not apps / etc) ... I gave in (because I had to) when renewing my (pink paper) Driving Licence for the over-70 variety (photo plastic-card) - only an option via on-line.
Vast troves of confidential data (including passport and photos as well as the more obvious personal identifiers) were uploaded - and a few days later I received the new Driving Licence in the post.

Unfortunately ... the same post contained loads more post from two major UK Banking institutions, thanking me for my successful applications for accounts & cards & overdrafts & etc.
None of which of course were processes that had involved me - but, on investigation, it transpired that all the fraudulent applications were made within 12 hours of my online DVLA application!

[I've not opened a new bank account, or applied for any credit facilities, in over 50 years - and yet the one time that I submit all my details (through a 'secure' govt mechanism) they 'just so happen' to be used for criminal fraud.]

Thanks (3)
By johnjenkins
02nd Aug 2023 12:52

It's not a question of "could". It's a fact that it is happening. Those with dosh can get what they want digitally and there is nothing we can do about it. General Data Poses Risk. High Tech (although has absolutely endless good stuff) has gone too far for anyone to play catch up. So we are left with a few generations that will never be able to cope.

Thanks (0)