Facebook SDK / Meta Pixel

Fail
Meta Platforms · 🇺🇸 United States
Technical details
Manufacturer: Meta Platforms

⚠️ The bottom line

Hospitals installed Facebook's tracking pixel on their websites. It sent your medical appointment bookings, the conditions you searched for, and your doctor's name directly to Facebook. Crisis hotlines sent call logs. Tax sites sent income data. The website operators had no idea. Facebook's code collected everything the page contained. Your cancer diagnosis, sent to an advertising company via a tracking pixel.

A priest was tracked to gay bars using mobile data from the ad-tech ecosystem. The data came from app SDKs — the same infrastructure Facebook SDK, Google Analytics, and ad networks feed. His Grindr usage was cross-referenced with his phone's location. He was outed. He resigned. The data that destroyed his career started as "anonymous app analytics."

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 4/4 EXTREME (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 0/4 N/A (Is it actually secure?)
Honesty: 2/4 MODERATE (Can I trust what they say?)
REPLACE: Extreme risk. Look for alternatives or lock down hard.
3 Contradictions · 3 Critical · 0 High · 0 Medium · 2 Sources
Findings by concern
Spying 4/4 EXTREME 3 findings
⚠️ critical · marketing vs third party research
Hospitals installed Facebook's tracking pixel on their websites. It sent your medical appointment bookings, the conditions you searched for, and your doctor's name directly to Facebook. Crisis hotlines sent call logs. Tax sites sent income data. The website operators had no idea. Facebook's code collected everything the page contained. Your cancer diagnosis, sent to an advertising company via a tracking pixel.

What they claim: Facebook SDK described as analytics and advertising tools for app developers

What we found: The Markup's "Pixel Hunt" investigation found Meta Pixel and Facebook SDK sending sensitive health data from hospital websites to Facebook — including appointment bookings, medical conditions searched, and doctor names. Tax filing sites sent income data. Crisis hotlines sent call logs. In each case, website operators had installed Facebook's tracking code without understanding what data it collected.

⚠️ critical · privacy policy vs third party research
A priest was tracked to gay bars using mobile data from the ad-tech ecosystem. The data came from app SDKs — the same infrastructure Facebook SDK, Google Analytics, and ad networks feed. His Grindr usage was cross-referenced with his phone's location. He was outed. He resigned. The data that destroyed his career started as "anonymous app analytics."

What they claim: Meta describes its SDK as helping developers improve their apps with analytics

What we found: A Catholic news outlet, The Pillar, used commercially available mobile app data — sourced through the data broker ecosystem that Facebook SDK feeds — to track Monsignor Jeffrey Burrill, then-general secretary of the US Conference of Catholic Bishops, to gay bars and his Grindr usage. He was outed and forced to resign. The data trail started with app SDKs collecting location data and ended with the destruction of a career.

⚠️ critical · privacy policy vs regulatory
$5 billion fine. The largest privacy penalty in history. Facebook's SDK in third-party apps continued collecting data even when users had turned sharing off. The privacy settings were a placebo. The SDK ignored them. Five billion dollars says Facebook knew and did it anyway.

What they claim: Meta states users can control data sharing through privacy settings

What we found: The FTC found Meta violated a 2012 consent decree by continuing to collect and use personal data in ways it had promised to stop. The $5 billion fine — the largest privacy penalty in FTC history — specifically cited data collection through Facebook SDK embedded in third-party apps. Apps using Facebook Login or the Facebook SDK sent data to Meta even when users had adjusted their privacy settings to restrict sharing.

What happened to real people
Documented incidents involving Meta Platforms products and user data.
Cambridge Analytica harvested 87M Facebook users' data without consent for political ad targeting in the 2016 US election and Brexit referendum. $5B FTC fine.
FISA content requests to Meta increased 2,171% since 2014. Meta complied with 88% of 60,000+ government data requests. PRISM participant since 2009.
What your data is worth to governments
Meta complied with 60,000 government data requests in H2 2023. That's +675% over 10 years. Meta has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).