IRD admits supplying Facebook with ‘raw’ data on 268,000 taxpayers

Forums › Social networks, social media and tools › IRD admits supplying Facebook with ‘raw’ data on 268,000 taxpayers

wellygary

8312 posts

Uber Geek

#317681 5-Nov-2024 13:26

And no one put up their hand and thought this was a bad idea!!!!

Inland Revenue provided Facebook owner Meta with the names, addresses and other contact details of 268,000 taxpayers in “raw” unencrypted form, its chief executive Peter Mersi has admitted.

The department had begun writing to the those taxpayers to explain what had happened and to apologise, he said.

The letters would explain what information had been released and would provide a contact number for anyone who had further questions, he said.

The raw data included people’s phone numbers and email addresses, but not the reason why Inland Revenue was trying to target them with particular adverts, Mersi said.

Inland Revenue had also provided similar information on an unknown number of people to LinkedIn, but could not now tell who they were, so could not contact them about the privacy breach, he said.

https://www.thepost.co.nz/business/360474178/ird-admits-supplying-facebook-raw-data-268000-taxpayers

1 | 2 | 3 | 4

298 posts

Ultimate Geek

#3305555 5-Nov-2024 13:34

For people who don't have a paid account with the post.

https://www.rnz.co.nz/news/national/532905/ird-to-stop-sharing-taxpayers-details-with-social-media-platforms-following-backlash

Following on from this. What the hell. I had no idea. That's really crap of them.

ascroft

396 posts

Ultimate Geek

#3305561 5-Nov-2024 13:49

So the story so far:

No we didn't
If we did, it was anonymised
OK it was just sent as a raw file

Lovely........

common sense is not very common

tehgerbil

1102 posts

Uber Geek

ID Verified

Subscriber

#3305584 5-Nov-2024 14:23

Heads should roll for this. Arrogant naive fools.

Zuck: yea so if you ever need info about anyone at harvard
Zuck: just ask
Zuck: i have over 4000 emails, pictures, addresses, sns
Friend: what!? how’d you manage that one?
Zuck: people just submitted it
Zuck: i don’t know why
Zuck: they “trust me”
Zuck: dumb f%^&s

cddt

1548 posts

Uber Geek

#3305585 5-Nov-2024 14:24

Absolutely wild that government departments are shovelling citizens' data at these multinational advertising platforms.

A couple of years ago while working at a FMCG company, we assessed this exact scenario. We determined that the right thing to do was to not provide customers' PII data to Facebook etc... incredible that we could get it right but the IRD couldn't.

My referral links: BigPipe | Mercury

cokemaster

Exited
4927 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#3305590 5-Nov-2024 14:46

Whether or not it was encrypted is besides the point.

Why are IRD sending out PII to advertising companies (Facebook/Linked In)? Why is it not opt-in?
Departments like IRD are in a privileged position where everyone has to interact with them.

Fully agree with @cddt.

webhosting

Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!

tehgerbil

1102 posts

Uber Geek

ID Verified

Subscriber

#3305613 5-Nov-2024 15:32

The plot thickens, this is a Reddit post from three years ago alleging they saw the IRD amongst advertisers on Facebook. [Can't confirm, the imgur link doesn't work for me.]

[Reddit user] chch0000: In Facebook settings you can see which advertisers have uploaded audience lists that include you. I was surprised to see IRD are one of them: https://imgur.com/a/g6gi6jn It seems strange that they are possibly sharing personal details of taxpayers with Facebook. There are plenty of ways for them to advertise on social media if they need to without having it directly linked to individuals.

I do not think this data privacy scandal is over yet by a wide margin.

wellygary

8312 posts

Uber Geek

#3305614 5-Nov-2024 15:38

On reflection I can see how IRD managed to internally rationalise this,

I think IRD believed that because they were essentially only confirming data that Meta already had, they were not "giving" any information to Meta

(Meta could only match its hashed data to IRD's Hashed data) - Other then when IRD screwed up and sent raw,,

However, by taking the hashed data from IRD, meta get to authenticate their data with a Tier one data source (A Government tax agency) thus allowing them to give more credence to the unchecked data that people plug into their F/B accounts...

But by becoming part of the Verification process, IRD surely become complicit in any future use of FB's data for other purposes....

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

wellygary

8312 posts

Uber Geek

#3305615 5-Nov-2024 15:41

tehgerbil:

The plot thickens, this is a Reddit post from three years ago alleging they saw the IRD amongst advertisers on Facebook. [Can't confirm, the imgur link doesn't work for me.]

[Reddit user] chch0000: In Facebook settings you can see which advertisers have uploaded audience lists that include you. I was surprised to see IRD are one of them: https://imgur.com/a/g6gi6jn It seems strange that they are possibly sharing personal details of taxpayers with Facebook. There are plenty of ways for them to advertise on social media if they need to without having it directly linked to individuals.

I do not think this data privacy scandal is over yet by a wide margin.

IRD's been doing this ( sending Hashed Data to Meta) since 2014

https://www.ird.govt.nz/-/media/project/ir/home/documents/about-us/social-media/review-and-analysis-of-social-media-for-custom-audiences.pdf

tehgerbil

1102 posts

Uber Geek

ID Verified

Subscriber

#3305627 5-Nov-2024 16:09

wellygary:

tehgerbil:

The plot thickens, this is a Reddit post from three years ago alleging they saw the IRD amongst advertisers on Facebook. [Can't confirm, the imgur link doesn't work for me.]

[Reddit user] chch0000: In Facebook settings you can see which advertisers have uploaded audience lists that include you. I was surprised to see IRD are one of them: https://imgur.com/a/g6gi6jn It seems strange that they are possibly sharing personal details of taxpayers with Facebook. There are plenty of ways for them to advertise on social media if they need to without having it directly linked to individuals.

I do not think this data privacy scandal is over yet by a wide margin.

IRD's been doing this ( sending Hashed Data to Meta) since 2014

https://www.ird.govt.nz/-/media/project/ir/home/documents/about-us/social-media/review-and-analysis-of-social-media-for-custom-audiences.pd

Good lord. During the past 10 years FB have been hit with scandal after scandal including Cambridge Analytica, massive lawsuits and they have shown no intention whatsoever of stopping or slowing down and yet the IRD continued to feed them massive data piles from unwilling kiwi citizens??

It's beyond comprehension that no one thought to themselves man if the public find out this would be quite scandalous?

OldGeek

893 posts

Ultimate Geek

ID Verified

Lifetime subscriber

#3305635 5-Nov-2024 16:22

Taxpayers Union pressure contributed to this:

https://www.taxpayers.org.nz/ird_data_leaking_killed_by_9_000_strong_taxpayers_union_campaign

--

OldGeek.

Voyager referral code: https://refer.voyager.nz/6XQR2QG9Q

cddt

1548 posts

Uber Geek

#3305640 5-Nov-2024 16:31

Reading the details of the review, it gets better:

\> Inland Revenue staff log on to Meta through their personal user accounts

Read that again. They use their personal accounts to upload our data to Facebook.

\> Where data is hashed, this is automatically performed using a standard algorithm within the browser of the Inland Revenue device uploading the custom audience list.

So it's hashed using code provided by whichever platform they are sending the data to, and I suppose they audited the code every time they ran it to ensure it was still doing what they expected?

\> Inland Revenue provided a cleartext CSV [via email] to Meta Support for troubleshooting purposes (following Meta’s request). This had 268,068 entries. Each entry included: phone number(s), first name, last name, city, country, zip code, date of birth, email(s), age, year of birth

That's more than 5% of the country's population. Not sure why so much data was required for "troubleshooting".

\> It is possible to reverse-engineer or brute-force hashes under certain conditions, especially if the input (names, email addresses) is short or from a limited set

Well, at least they finally identified why this might be a bad idea...

My referral links: BigPipe | Mercury

cokemaster

Exited
4927 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#3305646 5-Nov-2024 17:35

If IRD are running targeted campaigns, they should be using email (worse case, with generic messaging, no PII), myir’s messaging or failing that snail mail. PII should not be leaving IRD or NZ Govt systems.

If Facebook are able to determine who (eg. the individual) it should be presented to (outside of generic attributes like ‘resides in NZ’, involved in x,y,z industries), then masking is a joke.

I don’t like it when the Telcos get in bed with Facebook, Adobe analytics, google analytics etc but at least they have a process to opt out (and you can use certain browser addons) and you can ultimately opt out by not consuming their services. Likewise with Banks, insurance companies etc.

This is also different to services like google, Facebook and twitter (refuse to use the other name), where their services are given away in return for targeted advertising.

There needs to be a review of how IRD and government entities manage PII data to 3rd party companies.

webhosting

Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!