One Hot Potato: Facebook has never claimed a reputation for protecting the privacy of its users. Now, an ex-Google engineer writes that the social network and another meta-owned asset, Instagram, are using their in-app browsers to track users by injecting code into websites.
Researcher Felix Krauss looked at how Facebook and Instagram use custom in-app browsers when users visit webpages by clicking on a link; Apps do not redirect users to their default browser.
“The Instagram app injects their tracking code into every website it displays, including clicking on ads, enabling them to [to] Monitor all user interactions,” Krause writes.
The researcher examined the iOS versions of Meta’s apps. This is particularly relevant because Apple’s App Tracking Transparency (ATT) feature introduced in iOS 14 allows users to block apps on other companies’ apps and websites from tracking their activities. At last count, 96% of those using iOS 14.5 were not enabling in-app tracking.
Meta said it only injects tracking code based on a user’s ATT preferences and that it was only used to collect data before it was implemented for targeted advertising or measurement purposes for users who had made such had opted out of tracking, writes The Guardian.
“We don’t add any pixels,” a Meta spokesperson said. “Code is injected so that we can collect conversion events from Pixel. For purchases made through the in-app browser, we require user consent to save payment information for the purposes of autofill.”
Cross noted that while injecting custom scripts into third-party websites, a practice typically associated with cyberattacks, allows the monitoring of sensitive information such as passwords, addresses and credit card numbers, there is no suggestion that Meta Collecting data secretly. However, Meta added, “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”
The researcher said the technology works for any website, whether encrypted or not, and is not present in WhatsApp. If you want to avoid tracking, Cross says to use the option that opens the currently visited website in a browser like Chrome or Safari. Alternatively, use the mobile web version of the social network instead of their apps.
Meta previously warned that ATT would negatively impact developers and advertisers. Facebook, Snapchat, Twitter and YouTube combined lost $9.85 billion in the two quarters after the ATT was implemented. Meta said it resulted in a $10 billion loss in revenue and a 26% drop in the company’s share price earlier this year.