On Slashdot, CTealL writes:

“Apparently Intuit thinks it’s okay to share information about taxes with third paries. According to this article, Intuit is using a third party tracking technology on all tax forms submitted to the IRS. “We could capture your name, your Social Security number or any other information that you willingly pass to a Web site,” acknowledged Matt Belkin, who serves as vice president of best practices for Utah marketing giant Omniture, which tracks the online activities of people using Intuit’s TurboTax. The IRS disavows any knowledge of this, saying “The IRS does not take a position on Web tracking tools.” Makes you wonder where your tax information is going…”

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/04/13/BUG2DC78FN1.DTL

Now taxes really can bug you

David Lazarus

Wednesday, April 13, 2005

The Internal Revenue Service and professional tax preparers insist that people’s privacy is ensured if they file their returns online.

But if you’re one of the millions who this year have used the electronic services of Intuit’s TurboTax or H&R Block, you may not know that a stealthy technology commonly known as Web bugs was used to track your comings and goings on the Internet.

Both Intuit and Block, which offer electronic filing for free through the IRS’ Free File program, use hidden Web bugs throughout the tax-preparation process to monitor taxpayers’ online behavior.

Web bugs, also known as Web beacons, are virtually ubiquitous among sites belonging to large companies (including The Chronicle).

The technology connects a company’s site with that of an affiliated marketing firm, which collects and analyzes data on Web usage. Intuit and Block say Web bugs are employed only to maintain the quality of their respective offerings.

But privacy advocates and industry insiders say the technology hinges on the honor system. If a company wanted to, they say, it could easily record or misuse any information provided by consumers.

“We could capture your name, your Social Security number or any other information that you willingly pass to a Web site,” acknowledged Matt Belkin, who serves as vice president of best practices for Utah marketing giant Omniture, which tracks the online activities of people using Intuit’s TurboTax.

But he said Omniture doesn’t do this. The reason, he said, is that client companies don’t authorize Omniture to do it.

“It has nothing to do with technology,” Belkin said. “Technologically, we could capture any data we want. This is about ethics and the policy that each company has.”

Although invisible to the average Web user, Web bugs are routinely used by companies to gather data about online visitors’ browsing habits.

The info is ostensibly confidential. But privacy advocates say relatively little is known about the so-called Web analytics firms that specialize in online tracking.

“The tracking process is not transparent,” said Chris Hoofnagle, who heads the San Francisco office of the Electronic Privacy Information Center. “It’s hard to say how much data they have and what exactly they do with it.”

In 2002, Toys R Us agreed to pay a fine of $50,000 and to revise its privacy policy after New Jersey officials accused the retailer of inappropriately sharing customer information with a San Mateo tracking firm, Coremetrics.

Hoofnagle said Web bugs raise questions about the motives of companies that employ them.

“The whole purpose of this technology is to hide tracking from consumers. You can’t see the Web bugs. You don’t know they’re there. That’s exactly how the direct-marketing industry prefers it — tracking methods that can’t be detected or disabled.”

Jesse Weller, an IRS spokesman, said taxpayers are clearly told when they sign up for one of the Free File services that they’re leaving the federal government’s protection.

“The IRS is aware that there are many commercial companies that use Web tracking tools in conjunction with their Web sites,” he said. “The IRS does not take a position on Web tracking tools.”

He added, though, that Web bugs are not allowed on government sites.

Mountain View’s Intuit said that as of April 2, it had processed 4.3 million federal tax forms online, well over the total 3.2 million federal returns processed by the company last year.

Julie Miller, an Intuit spokeswoman, said hundreds of thousands of returns are typically submitted daily during the last few days before each year’s deadline (which is Friday, for those of you in deep denial).

The company is offering its Free File program at taxfreedom.com. Nowhere on the welcoming screen or at any point in the filing process is it disclosed that Web bugs are being used.

Nor is it mentioned when visitors click on the link for Intuit’s “privacy promise.”

By clicking on a second link to “tell me more,” though, visitors are at last told, amid other fine print, that “we use a service provider, DoubleClick, which places Web beacons on specific pages of our site and passes back usage information to our service provider about that page via the use of cookies.”

Cookies are bits of computer code deposited in your browser that identify you to sites that you visit.

In fact, Intuit’s privacy promise isn’t quite accurate. The company used DoubleClick when it began tracking use of online tax returns last year. This year, however, DoubleClick has outsourced the service to Utah’s Omniture.

In other words, not one but two different marketing companies are involved.

Miller said its Web bugs, whether planted by DoubleClick or Omniture, are not intended to snoop on people’s confidential tax data.

“We’re not collecting personal information,” she insisted. “We’re using this to improve our Web-site design and effectiveness.”

For example, Miller said, if a Web bug shows people are getting stuck at a particular point of the tax-preparation process or are giving up in frustration at a specific juncture, Intuit can use this data to improve its service.

Fair enough. But how can users be sure that their personal info isn’t also being passed to Omniture for marketing purposes?

“You’ve just got to trust us,” Miller replied, adding that “if we didn’t uphold our privacy commitment, we wouldn’t be here.”

H&R Block is also a DoubleClick client. But it uses another service, WebTrends, to track visitors’ online habits.

Tom Linafelt, a Block spokesman, similarly stressed that Web bugs are used primarily to improve the company’s online offerings.

“There would be nothing worse for us than compromising the security of a customer,” he said.

Robert Richardson, who focuses on online crime at San Francisco’s Computer Security Institute, said Intuit and Block are undoubtedly sincere in their commitment to customers’ privacy. But he said it’s unclear how much trust consumers should place in third-party vendors like Omniture.

“Does the company that’s aggregating information also have personally identifiable information?” Richardson asked. “That’s murky territory. Companies like Omniture are not very forthcoming about the information they put together.”

He also said that as the likes of Omniture develop sprawling networks of client companies, they potentially gain the ability to track Web users from one site to another.

“Businesses are very interested in these things so they can learn demographic information about their customers that their customers wouldn’t otherwise volunteer,” he said.

Along with Intuit, Omniture tracks Web usage for more than 400 corporate heavyweights, including AOL, eBay, Microsoft and Wal-Mart.

Omniture’s Belkin said the company would never share data gleaned from one client’s site with another client. But he acknowledged that there are no technological barriers to Omniture (or other Web analytics firms) using Web bugs to record virtually anything about an Internet user.

“The second you hit AOL, for instance, we set an Omniture cookie and track all your activity,” Belkin said.

“It’s a little freaky,” he said, “especially where your tax return is concerned. I can see that.”

The freaky thing is that consumers are being asked to trust the private sector to serve as a conduit for their most intimate financial data. Companies, of course, have every reason to uphold high security standards.

“Helping people get their taxes done is our business,” Intuit’s Miller said. “We take customers’ privacy very seriously.”

On the other hand, one of the nation’s largest handlers of consumer data similarly insists that privacy is a priority. “Good privacy is good business,” it declares.

That company is ChoicePoint, which revealed in February that it had released the names and Social Security numbers of about 145,000 people to identity thieves.

Do you trust them?

David Lazarus’ column appears Wednesdays, Fridays and Sundays. He also can be seen regularly on KTVU’s “Mornings on 2.” Send tips or feedback to .