@dangoodin
Runtime analysis confirms what privacy researchers have warned about: Meta and TikTok ad pixels harvest product-level commerce data, scrape PII from checkout forms, and can transmit data before consent management platforms activate.
The hashing both platforms use? The FTC ruled in 2024 it does not constitute anonymisation. Deterministic SHA-256 hashes of emails and phone numbers are trivially matched against existing platform databases. The BetterHelp enforcement action proved this isn't theoretical.
The underrated risk: every merchant running these pixels feeds competitive intelligence — pricing, conversion rates, catalogue data — directly into platforms that sell targeting to their rivals.
One claim to treat with caution: Jscrambler reports Meta's automatic events feature captured partial payment card details (last four digits, expiry, cardholder name) from checkout pages. The mechanism is plausible — the feature scans visible DOM elements by default — but this specific finding hasn't been independently reproduced yet.
Source: Jscrambler Security Research Team, cross-verified against Meta's own documentation, FTC enforcement actions (BetterHelp, Nomi), and independent CMP vendor warnings.
https://jscrambler.com/blog/beyond-analytics-tiktok-meta-ad-pixels
#gprs #privacy #infosec
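The point about deterministic hashes, as an added example that is not part of the original post or of the Jscrambler research: a merchant-side audit that hashes its own test identities and checks captured outbound pixel requests for matching digests. The normalisation rules (lowercased, trimmed email; digits-only phone), the host `pixel.example.net`, and the parameter names `em_hash`, `ph_hash` and `sid` are assumptions made for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

HEX64 = re.compile(r"[0-9a-f]{64}")

def normalise(kind, value):
    # Assumed normalisation: emails trimmed and lowercased, phones reduced to digits.
    if kind == "email":
        return value.strip().lower()
    return re.sub(r"\D", "", value)

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_lookup(identities):
    """Map digest -> (kind, plaintext) for the merchant's own test identities."""
    return {sha256_hex(normalise(k, v)): (k, v) for k, v in identities}

def audit_requests(urls, lookup):
    """Return (host, parameter, kind, plaintext) for every digest that matches."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            digest = value.strip().lower()
            # Same input always yields the same digest, so a plain lookup re-identifies it.
            if HEX64.fullmatch(digest) and digest in lookup:
                findings.append((parts.hostname, name) + lookup[digest])
    return findings

# Constructed test identities entered into a staging checkout form.
TEST_IDENTITIES = [("email", "Test.Buyer@Example.com"), ("phone", "+44 20 7946 0000")]
LOOKUP = build_lookup(TEST_IDENTITIES)

# Constructed capture of outbound requests; host and parameter names are hypothetical.
CAPTURED = [
    "https://pixel.example.net/tr?ev=PageView&page=%2Fcart",
    "https://pixel.example.net/tr?ev=Purchase&em_hash=" + sha256_hex("test.buyer@example.com"),
    "https://pixel.example.net/tr?ev=Purchase&ph_hash=" + sha256_hex("442079460000"),
    "https://pixel.example.net/tr?ev=Purchase&sid=" + sha256_hex("unrelated session id"),
]

if __name__ == "__main__":
    for finding in audit_requests(CAPTURED, LOOKUP):
        print(finding)
```

Run against a capture taken before the consent banner is answered, any finding shows hashed PII leaving the page pre-consent; the unmatched `sid` digest shows that only values already known to the party doing the lookup are recovered.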