Revealed: Metropolitan police shared sensitive data about crime victims with Facebook | Metropolitan police
Britain’s biggest police force gathered sensitive data about people using its website to report sexual offences, domestic abuse and other crimes and shared it with Facebook for targeted advertising, the Observer has found.
The data was collected by a tracking tool embedded in the website of the Metropolitan police and included records of browsing activity about people using a “secure” online form for victims and witnesses to report offences.
In one case, Facebook received a parcel of data when someone clicked a link to “securely and confidentially report rape or sexual assault” to the Met online. This included the sexual nature of the offence being reported, the time the page was viewed and a code denoting the person’s Facebook account ID.
The tracking tool, known as Meta Pixel, also sent details to Facebook about content viewed and buttons clicked on webpages linked to contacting police, accessing victim services, and advice pages for crimes including rape, assaults, stalking and fraud.
When confronted with the Observer’s findings last week, the Met removed the Meta Pixel tracker from its website. It said it took “issues of this kind seriously” and was investigating, adding that no personal data “inputted” by people reporting crime – such as their actual messages to police – had been shared.
It suggested the data transmission had occurred by accident and that it had installed the tracking tool to help it serve ads to people “who have indicated an interest in a career at the Met”. It added: “A Meta Pixel was placed on the Met website in June 2023 relating to a recruitment marketing campaign and we are taking steps to remove Pixels from any non-recruitment specific pages to avoid unnecessary concern.”
The use of the pixel by the Met was uncovered during an Observer analysis of police websites in England, Wales, Scotland and Northern Ireland. The testing last week found four police forces using the tool, including the Met. The others were Police Scotland, Norfolk Constabulary and Suffolk Constabulary.
Like the Met, Norfolk and Suffolk were found to have shared data about people accessing sensitive webpages. This included when web visitors clicked links to report antisocial behaviour, domestic abuse, rape, hate crime and corruption, as well as when they clicked to view a page titled: “Tell us something anonymously.” In a joint statement, Norfolk and Suffolk police said they had been using the tracking tools “for recruitment purposes”. “However, recognising the wider implications, we have taken immediate steps … to remove the relevant Meta Pixel,” a spokesperson said.
Victims’ charities and privacy experts said the data sharing was a “shocking violation of trust” that risked undermining confidence in the police. Dame Vera Baird, the former victims’ commissioner, said: “You think you are dealing with a public authority you can trust and in fact you are dealing with Facebook and the wild world of advertising.”
Mark Richards, an online privacy researcher, said use of the advertising pixels in this context was “like asking someone to report a crime while a stranger is in the room”.
Prof David Leslie, director of ethics at the Alan Turing Institute, said the data-sharing seemed “reckless” and that people appeared to have been given “partial” or “misleading” information about how their web browsing data would be used. “The expectation of people going on to police sites is that their data is being protected and not shared with any third-party vendors,” he said. “This just should not be happening.”
The UK’s data privacy watchdog, the Information Commissioner’s Office, said the findings raised “real privacy concerns”.
“These websites are aimed at victims and witnesses of crime, who would expect their information to be handled with particular care,” it said. It is already investigating the use of the Meta Pixel in the websites of NHS trusts and said it would consider the latest evidence.
Meta Pixel – a free tool offered by Facebook – is widely used by businesses that want to reach people who have visited their websites in future marketing campaigns.
after newsletter promotion
The tool – which collects information about people who have Facebook accounts as well as those who do not – is pitched by Facebook as a way for organisations to get “rich insights” into website performance and user behaviour.
Facebook’s parent company Meta also uses the data sent to it by the pixel for its own business purposes, including improving the targeted advertising products it offers to other customers. In one guide, the company explains that it uses data collected by the pixel to improve users’ experiences, for example by showing them ads they “might be interested in”. “You may see ads for hotel deals if you visit travel websites,” it says.
While the Meta Pixel collects details of unique identifiers, such as those of a person’s IP address and Facebook profile ID, there is no suggestion that the company has attempted to identify people as victims of crime, or to target them with ads based on their victim or witness status. There is also no suggestion that information shared with the company includes details of interactions with police beyond buttons clicked and webpages viewed on the website.
As well as data-sharing with Facebook, the Observer’s analysis found many police websites sharing information with Google for advertising purposes. This included the fact a person had visited a police website but did not appear to have included more granular details of their visits to sensitive webpages or use of online reporting tools. At least two police forces are also understood to have shared data with Twitter for advertising. Digital privacy expert Stef Elliott, who has advised the ICO and reported the Google advertising issue to the watchdog earlier this month, described the problems as “systemic”.
In most cases, the police websites – including the website for the Met – began sharing data after the web user clicked “I agree” after being shown a pop-up consent banner. The banner typically said: “We use cookies on this site to give you a better, more personalised experience,” but did not mention advertising or say data would be shared with third parties such as Facebook. Some privacy policies, including the Met’s, did mention advertising but said data collected would be used for recruitment campaigns, and did not say it would be gathered from sensitive webpages or used by third parties for their own business purposes.
Refuge, a charity providing support for victims of domestic abuse, said reporting crime took “time and bravery” and that it was concerned by the claims police had “violated their position of power by passing on data for advertising purposes”. “This practice must end,” the charity said.
An Observer investigation in May uncovered use of the Meta Pixel tracking tool on the websites of 20 NHS trusts in England, which had been sharing browsing data with Facebook in sensitive content linked to medical conditions, appointments and medication requests. In one case, an NHS trust told Facebook when a user viewed a guide for HIV drugs. After being alerted to the presence of the tracking tool on their websites, the trusts removed it. Seven mental health charities were also found using the tracking tool.
Meta, Facebook’s parent company, said it did not want to receive sensitive data via the Meta Pixel and had policies against this. It said: “We’ve been clear in our policies that advertisers should not send sensitive information about people through our business tools. Doing so is against our policies and we educate advertisers … to prevent this from occurring.” It said its system was designed to filter out “potentially sensitive data it is able to detect”.
