Tracker Installations Are Not Created Equal: Understanding Tracker Configuration of Form Data Collection

This study reveals that while Google trackers are more prevalent than Meta's, Meta's trackers are significantly more likely to be configured to collect sensitive Personally Identifying Information from web forms, a practice often encouraged by inaccurate documentation and default setup flows despite policy violations.

The Gist

Here is an explanation of the paper "Tracker Installations Are Not Created Equal," broken down into simple concepts with creative analogies.

The Big Picture: The "Digital Spy" Setup

Imagine you run a lemonade stand (a website). You want to know who likes your lemonade so you can send them coupons later. To do this, you hire a "marketing assistant" (a tracker like Meta Pixel or Google Tag) to watch your customers.

Usually, these assistants just count how many people stop by. But the companies that own these assistants (Meta and Google) have a secret menu: they can be configured to scoop up personal details like names, phone numbers, and emails from the sign-up sheets your customers fill out.

This paper investigates a crucial question: Are website owners actually turning this "personal info scoop" on, and are the instructions given to them making it too easy to do so?

---

1. The Instruction Manuals are "Tricky"

The researchers looked at the instruction manuals and setup screens provided by Meta and Google. They found that these guides are designed like a salesperson trying to upsell you, rather than a neutral teacher.

• The "Default" Trap: Imagine buying a new coffee machine. The default setting is "Brew the strongest, most expensive coffee possible," and you have to actively uncheck a box to make it weaker. Meta and Google do this with privacy. They set the machine to collect all your personal data by default. If you want to stop them, you have to know exactly which buttons to press.
• The "Magic Hash" Lie: The manuals tell website owners, "Don't worry! We will scramble (hash) the names and emails so they are anonymous." It's like telling someone, "We'll put your name in a blender, so it's safe!" But the researchers found that the companies can still un-blend the smoothie. They can match the scrambled data back to real people. The FTC (the US consumer protection police) has actually warned that this "scrambling" isn't a real privacy shield.
• The "Fear of Missing Out" (FOMO): The guides use language that makes website owners feel like they are losing money if they don't collect data. It's like a gym membership saying, "If you don't track every step you take, you'll never get fit." This pressures owners to turn on the data collection even if they don't fully understand the risks.

2. The Two Assistants: Meta vs. Google

The study compared the two biggest assistants: Meta Pixel (Facebook/Instagram) and Google Tag (Google Ads/Analytics).

• Meta Pixel (The Pushy Salesperson): Meta's setup process is like a guided tour where the guide keeps pointing at the "Collect Everything" button. It's very easy to accidentally (or intentionally) turn on the scoop for names, phones, and emails.
  • Result: 62% of websites using Meta have this "scoop" turned on.
• Google Tag (The Confusing Maze): Google's setup is a bit more complex. The "Collect Personal Info" button isn't right in your face during the main setup; you have to go digging for it.
  • Result: Only 11.6% of websites using Google have this "scoop" turned on.

The Twist: Even though Google is installed on way more websites (72% vs. 28%), Meta is the one actually stealing the data more often because its setup flow pushes you to do it.

3. The "Sensitive" Zones (Hospitals and Banks)

There are special rules for places dealing with sensitive data, like hospitals (Health) and banks (Finance). In the US, it's illegal to leak patient or financial data to advertisers.

• The Self-Report System: Meta and Google have a rule: "If you are a hospital or bank, tell us, and we will turn off the data scoop."
• The Loophole: It's like a "Honor System" at a candy store. The store asks, "Are you a kid?" If you say "No," they give you the candy. But they don't check your ID.
• The Findings: The researchers found many hospitals and banks that should have been protected but weren't. They either didn't tell the tracker they were sensitive, or they were mislabeled.
  • Example: They found a drug rehab center and a credit card company that were configured to send patient names and financial data straight to Meta and Google.

4. What Data is Being Stolen?

When the "scoop" is turned on, what exactly is being taken?

• The Big Three: Almost every time, the trackers are set to grab Emails, Names, and Phone Numbers.
• The "Perfect Profile": By combining these three, the tracker can build a complete profile of a real human being, linking their online browsing habits to their real-world identity.

5. Why Does This Matter?

This isn't just about annoying ads.

• Privacy Risks: If a hospital's tracker leaks a patient's name and condition to an advertiser, that patient could be targeted with ads for specific treatments or insurance, violating their privacy and potentially their legal rights (HIPAA).
• The "Bad Defaults" Problem: The paper argues that the companies (Meta and Google) are designing their tools to make privacy the hard choice and data collection the easy choice. They are counting on website owners (who might be busy or not tech-savvy) to just click "Next" without reading the fine print.

The Takeaway

The paper concludes that tracker installations are not created equal.

• Meta is aggressively guiding website owners to collect personal data, often hiding the risks.
• Google is a bit more passive but still confusing.
• The Solution: Website owners need to be more careful (and maybe hire experts to check their settings), and the government needs to step in because the "self-policing" by these tech giants isn't working.

In short: The instructions for installing these trackers are like a recipe that says, "Add a cup of your customer's private secrets to the mix for better flavor," and most website owners are just following the recipe without realizing they are cooking up a privacy disaster.

Technical Summary

Here is a detailed technical summary of the paper "Tracker Installations Are Not Created Equal: Understanding Tracker Configuration of Form Data Collection."

1. Problem Statement

Targeted advertising relies on the comprehensive tracking of user activity, often requiring the collection of Personally Identifying Information (PII) such as email addresses, names, and phone numbers from web forms. While previous research has established the prevalence of trackers and instances of PII leakage, it has largely treated tracker installation as a binary state (installed vs. not installed).

This paper addresses a critical gap: Tracker installations are not equal. A tracker must be explicitly configured to extract PII from forms. The authors investigate:

• How third-party documentation and user interfaces (UI) guide website administrators in configuring these trackers.
• Whether these interfaces employ "dark patterns" or misleading language (e.g., claiming hashing protects privacy) that encourage data maximization.
• The actual prevalence of form data collection (FDC) configurations in the wild, specifically focusing on Meta Pixel and Google Tag, the two most popular web trackers.
• Whether sensitive verticals (Health and Finance) are effectively protected from these configurations, despite regulatory requirements (HIPAA, Gramm-Leach-Bliley Act).

2. Methodology

The study employs a mixed-method approach combining qualitative analysis of documentation/UI and a quantitative measurement study of 40,150 websites.

A. Qualitative Analysis (Documentation & UI)

• Scope: Analyzed 17 pages of Meta documentation and 60 pages of Google documentation, along with their configuration UIs.
• Method: The authors acted as website administrators, setting up test sites and reverse-engineering the trackers to understand the data flow. They used a codebook to identify specific patterns:
  • Hidden Risk: Hiding privacy implications.
  • Least Private Defaults: Default settings that maximize data collection.
  • Least Private Recommendations: Explicit advice to collect more data.
  • Loss Aversion: Language suggesting missing out on features if data isn't collected.
  • Contradictory Language: Conflicting statements regarding privacy (e.g., claiming no PII is sent while simultaneously describing PII collection).

B. Quantitative Measurement Study

• Dataset: 40,150 websites (derived from the top 1 million Tranco list, categorized by SimilarWeb into Health, Finance, and non-sensitive verticals).
• Infrastructure: 50 parallel Linux Virtual Machines in Google Cloud (US Central) running between September and November 2024.
• Data Collection Pipeline:
  1. Form Injection: A custom Chrome extension injected a synthetic HTML form containing PII fields (email, phone, name, etc.) into the landing page and submitted it.
  2. Network Monitoring: Captured all network traffic to detect requests to known Meta/Google endpoints containing hashed versions of the injected PII.
  3. Static Analysis: Parsed downloaded JavaScript configuration files to detect if FDC was enabled in the code (specifically for Meta Pixel).
• Validation: Performed manual validation on random samples to calculate false negatives (missed detections) and assess the impact of cookie consent banners.

3. Key Contributions

1. Methodological Framework: Established a pipeline for large-scale measurement of tracker configurations (not just presence) and a qualitative coding scheme for analyzing tracker documentation.
2. Documentation Analysis: Exposed how Google and Meta use "least private defaults" and misleading privacy claims (specifically regarding hashing) to encourage PII collection.
3. Configuration Disparity: Revealed that Meta Pixel is significantly more likely to be configured for FDC than Google Tag due to differences in their setup flows.
4. Policy Violations: Identified specific Health and Finance websites that are likely violating their own platform policies and US regulations by having FDC enabled.

4. Key Results

A. Documentation and UI Findings

• Meta Pixel: Uses a streamlined setup flow that explicitly prompts administrators to enable automatic data collection. It defaults to selecting all 11 supported PII fields (email, name, phone, etc.) unless manually deselected. The documentation claims hashing protects privacy, a claim debunked by the FTC.
• Google Tag: Has a complex, fragmented configuration flow. While it also recommends data collection, the prompt to enable FDC is not part of the core setup wizard, making it less likely to be enabled by default. However, its documentation contains contradictory statements (e.g., "No PII is sent" vs. "Send hashed first-party data").
• Sensitive Verticals: Both companies allow website administrators to self-report their vertical (Health/Finance) to restrict FDC. However, this relies on self-reporting with no clear explanation of the consequences, leading to potential circumvention.

B. Measurement Findings (40,150 Websites)

• Prevalence:
  • Google Tag: Installed on 72.6% of websites.
  • Meta Pixel: Installed on 28.2% of websites.
• Form Data Collection (FDC) Configuration:
  • Meta Pixel: 62.3% of sites with Meta Pixel are configured to collect form data.
  • Google Tag: Only 11.6% of sites with Google Tag are configured to collect form data.
  • Correlation: Sites with both trackers are significantly more likely to have FDC enabled for both (Odds Ratio of 4.8 for Google Tag if Meta Pixel is present).
• PII Types Collected (Meta Pixel):
  • Among sites with FDC enabled, 99.5% collect email, 93.7% collect full names, and 93.5% collect phone numbers.
  • 51.3% of sites use the default configuration (collecting all fields).
• Sensitive Verticals (Health & Finance):
  • Meta Pixel: FDC is significantly lower in Health (30.8%) and Finance (20.3%) compared to non-sensitive sites (68%). This suggests Meta's restrictions have some effect, but many sites still bypass them.
  • Google Tag: FDC rates are consistent across verticals (~11-13%), indicating Google's restrictions are less effective or less enforced in practice.
• Violations: The study identified specific high-profile Health and Finance sites (e.g., drug rehab centers, banks, mental health organizations) that are configured to collect PII, violating platform policies and potentially US law.

5. Significance and Implications

• Privacy Risks: The study demonstrates that the "default" behavior of modern analytics tools is often the least private option. Website administrators, often non-technical, are guided by interfaces that prioritize data maximization over user privacy.
• Regulatory Failure: The reliance on self-reporting for sensitive verticals is insufficient. Many regulated entities are inadvertently (or intentionally) leaking PII to third parties, potentially violating HIPAA and GLBA.
• Hashing is Not a Panacea: The paper reinforces the finding that hashing PII (SHA-256) does not anonymize data; it allows trackers to link form submissions to existing user profiles, effectively defeating the purpose of "privacy-preserving" claims.
• Technical Defenses: The authors developed a proof-of-concept Chrome extension that warns users when a page contains a tracker configured to collect form data, offering a potential user-side mitigation.
• Policy Recommendations: The authors call for stricter enforcement of vertical classification, improved documentation that clearly explains privacy risks, and regulatory action to move beyond hashing as a privacy standard.

In conclusion, the paper argues that tracker configuration is the critical weak link in web privacy. The design of documentation and UIs by major tech giants actively drives the collection of sensitive user data, creating a systemic risk that current regulations and self-policing mechanisms fail to mitigate.