Met Police website sent information about crime victims to Facebook

The data was transmitted despite the online form for reporting offences claiming to be 'secure'

An investigation by the Observer has revealed that data about individuals who used the Metropolitan Police's website to report sexual offences, domestic abuse and other crimes was shared with Facebook.

The information encompassed specific details about the reported offence, along with the Facebook profile codes of the users.

The data was transmitted to Facebook through a tracking tool called Meta Pixel, which was integrated into the police force's website.

Meta Pixel is a free tool provided by the social media giant and is commonly employed by businesses to target individuals who have visited their websites.

Marketed by Meta as a means to acquire "rich insights" into website performance and user behaviour, the tool gathers information concerning individuals with Facebook accounts, as well as those without it.

Furthermore, Meta uses the received data for its own business objectives, such as enhancing its targeted advertising offerings to other customers.

According to the Observer's analysis, Meta Pixel was integrated into the Metropolitan Police's website, allowing the force to gather browsing data of individuals who used the supposedly secure online form to report offences as victims or witnesses.

Disturbingly, in one instance, Facebook received data from a user who clicked on a link specifically designed for the secure and confidential reporting of rape or sexual assault to the Metropolitan Police online.

This data included details regarding the sexual nature of the offence being reported, a timestamp of the page view, and a code representing the person's Facebook account ID.

In addition to sharing information about the viewed content, the Meta Pixel tool also recorded the buttons clicked on webpages associated with contacting the police, accessing victim services and seeking advice on various crimes.

Upon being informed of the Observer's discoveries, the Metropolitan Police promptly took action and removed the Meta Pixel tracker from its website.

The force said it had been using the Meta Pixel tool for recruitment campaigns since June 2023, and that they would remove the tool from all pages that are not specifically related to recruitment.

The force emphasised that personal data provided by individuals when reporting a crime is never shared with third parties.

According to the Observer's analysis, Police Scotland, Norfolk Constabulary and Suffolk Constabulary were also found to have shared data concerning individuals accessing sensitive webpages.

In a joint statement, Norfolk and Suffolk police acknowledged their usage of tracking tools for recruitment purposes.

"However, recognising the wider implications, we have taken immediate steps … to remove the relevant Meta Pixel," a spokesperson said.

Victims' charities and privacy experts described the issue as a distressing breach of trust that has the potential to further erode confidence in the police.

Mark Richards, an online privacy researcher, likened the use of advertising pixels in this context to reporting a crime with a stranger present in the room.

Although the Meta Pixel tool collects unique identifiers such as IP addresses and Facebook profile IDs, there is no indication that the company has made any attempts to identify individuals as victims of crime or to target them with advertisements based on their victim or witness status.

A spokesperson for Meta stated that they have clearly outlined in their policies that advertisers should refrain from transmitting sensitive information about individuals through their Business Tools.

"Doing so is against our policies and we educate advertisers on properly setting up Business Tools to prevent this from occurring," the spokesperson added.

In May, it was revealed that 20 NHS trusts had shared patients' private medical information with Facebook via Meta Pixel.

After the breach became public, 17 out of the 20 NHS trusts confirmed that they had discontinued the use of Meta Pixel and issued apologies for their actions.

Several trusts explained that they had initially adopted the tracking pixel to monitor recruitment or charity campaigns and were unaware that patient data was being transmitted to Facebook.