What We Know About the Facebook, FAFSA Data Leak
- FAFSA applicants may have had personally-identifying info shared with Facebook.
- The extent of the data leak, however, has yet to be revealed.
- Republican lawmakers have repeatedly called for the Education Department to be more transparent.
The Department of Education (ED) found itself in hot water this spring after news broke that it may have shared financial aid applicant data with Facebook’s parent company Meta.
Identifying information from those who filled out the Free Application for Federal Student Aid (FAFSA) earlier this year may have been sent directly to Meta, a report from the Markup discovered. However, the extent of the leak and how Meta may be able to access information remains unclear.
Tech, privacy, and student advocacy groups have demanded answers in recent weeks as the department remains silent on the issue.
ED promised to release more details in early June, but those details were scarce and shared privately with U.S. lawmakers.
Here’s what is known about the FAFSA data leak right now:
Data Sharing Tool Added to FAFSA Website
Understanding what Meta Pixel does is important in understanding how personal data may have leaked from the FAFSA.
The tool is a snippet of JavaScript code that allows a website owner to track visitor activity on any website. The tool allows brands to target advertisements to certain audiences, among other things, according to a Facebook outline of the product.
Meta Pixel can collect data like emails and addresses typed into a form field, the company adds.
The Markup’s investigation found that Pixel found its way onto the StudentAid.gov website, where prospective students fill out the FAFSA. The Markup stated in its report that the farther students got in filling out the FAFSA form, the more details Meta collected. That includes:
- Names
- Email addresses
- ZIP codes
- Phone numbers
While Pixel can collect all this information, it remains unclear what Facebook and Meta were able to see and access. The Markup said Facebook generally scrambles sensitive data, but that isn’t a guaranteed form of security and the company may still be able to match people who visit StudentAid.gov to their Facebook profile.
In a statement to the Markup, Federal Student Aid (FSA) Chief Operating Officer Richard Cordray said data sent to Facebook was “automatically anonymized and neither FSA nor Facebook used any of it for any purpose.”
ED Secretary Miguel Cardona addressed the potential leak during a May 26 hearing in front of the House Education and Labor Committee, less than a month after the Markup’s report.
However, Cardona did not get into the specifics of what data may have leaked. Rep. Virginia Foxx of North Carolina, the Republican ranking member on the committee, accused the department of hiding the extent of the leak. Cardona promised to share more information about the leak by June 3, but ED has yet to do so publicly.
Timeline Remains Unclear
Another aspect of this fiasco that remains unclear is when Pixel code was introduced to StudentAid.gov.
Cordray said in his statement to the Markup that the agency changed its tracking settings as part of a March 22 advertising campaign.
“This inadvertently caused some StudentAid.gov user information that falls outside of FSA’s normal collection efforts, such as a user’s first and last name, to be tracked,” he said in late April.
However, the Markup stated that its reporting found that personally-identifying information was being shared with Facebook as early as January.
Furthermore, Cardona added a new wrinkle during his mid-May hearing. He said that information sharing started during President Donald Trump’s administration.
“The moment we learned,” Cardona said, “we put an end to this and started an investigation as to why that happened.”
That would mean data sharing ceased around April 28, when the Markup’s report was released.
If data sharing did begin on March 22, as Cordray said, data for approximately 331,000 FAFSA applicants may have been shared with Facebook. That number uses information from Form Your Future, which tracks FAFSA completions weekly.
Rep. Foxx recently revealed that ED briefed her staff on June 3. At the briefing, Cordray reportedly said code had been “toggled on” for over two years. He did not say how it was turned on or how it remained like that for two years.
Approximately 18 million people fill out the FAFSA each year.
Reactions, Concerns From the Leak
Republican lawmakers have continually hounded ED and Cardona to share more information regarding this leak.
Rep. Foxx and Sen. Richard Burr of North Carolina have sent three letters to Cardona regarding this “breach of security and privacy violations of prospective college students.” The most recent letter was sent on June 14.
In it, the lawmakers ask ED to provide records for:
- The agreement between Facebook and ED for data collection on ED websites
- A list of all departments that use Meta Pixel
- All documents and communications starting Jan. 1 regarding the Markup’s report
- All documents and communications starting Jan. 1 that mention the terms “Facebook,” “Meta Pixel,” “Meta,” and “The Markup”
“This failure to protect individuals’ privacy is unacceptable,” the lawmakers said. “It is imperative that the American people have confidence in interacting with federal agencies when it comes to protecting their privacy and thus are owed accountability and transparency.”
Advocacy groups have also expressed concern over this leak.
Student Defense and Accountable Tech called for a full investigation into the matter on June 9. The groups are primarily concerned with how the for-profit college industry may use this data for predatory and/or discriminatory advertising practices.
The groups ask that the House Committee on Oversight and Reform investigate to answer the following questions:
- What data was sent to Meta and for what period?
- How many applicants have had their data shared?
- What steps has FSA taken to ensure similar breaches won’t occur again?
- How might advertisers, specifically for-profit colleges, use this information?
- What steps has FSA taken to ensure for-profit colleges will not abuse the data?
- Has Meta shared potentially affected users’ data with for-profit colleges for advertising purposes?
- Has this information been collected, released, and used in a way that violates applicants’ civil rights?
Jesse Lehrich, co-founder and senior advisor at Accountable Tech, told BestColleges that while it’s possible Meta has safeguards to prevent this data from being used by bad actors, he believes it’s more likely this information has been used for targeted advertising.
“It’s hard to imagine much more sensitive data than the information students disclose in applying for financial aid, and Meta has a long history — as detailed in our letter — of facilitating discriminatory and predatory advertising campaigns, in addition to data leaks,” he said.
“Their entire business model is selling advertisers precise access to micro-targeted audiences. So baking this kind of data into their surveillance advertising machine is great if you are a for-profit college or a payday lender trying to reach the communities most vulnerable to exploitation.”