Meta can track users through its built-in Facebook and Instagram browsers

A hot potato: Facebook has never boasted a reputation for protecting the privacy of its users. Now, a former Google engineer writes that the social network and another Meta-owned property, Instagram, use their built-in browsers to track users by injecting code into websites.

Researcher Felix Krause examined how Facebook and Instagram use custom built-in browsers when users visit web pages by clicking on a link; applications do not redirect users to their default browser.

“The Instagram app injects its tracking code into every website viewed, including when you click on ads, allowing them to [to] monitor all user interactions,” Krause writes.

The researcher investigated the iOS versions of Meta’s apps. This is particularly relevant as Apple’s App Tracking Transparency (ATT) feature introduced in iOS 14 allows users to block apps from tracking their activities on other companies’ apps and websites. At last count, 96% of those using iOS 14.5 did not enable in-app tracking.

Meta said it only injects a tracking code based on a user’s ATT preferences and is only used to aggregate data before it is applied for targeted advertising or measurement purposes. users who had opted out of this tracking, writes The Guardian.

“We don’t add any pixels,” a Meta spokesperson said. “The code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we require user consent to save payment information for auto-fill purposes. »

Krause notes that while injecting custom scripts into third-party websites, a practice commonly associated with cyberattacks, allows monitoring of sensitive information such as passwords, addresses, and credit card numbers, nothing suggests that Meta surreptitiously collects this data. Meta added, however, that “for purchases made through the in-app browser, we ask for user consent to save payment information for autofill purposes.”

The researcher added that the technique works for any website, whether encrypted or not, and it is not present in WhatsApp. If you want to avoid tracking, Krause recommends using the option that opens the currently viewed website in a browser such as Chrome or Safari. You can also use the mobile web version of social networks rather than their apps.

Meta previously warned that ATT would negatively impact developers and advertisers. Facebook, Snapchat, Twitter and YouTube lost $9.85 billion in the two quarters following ATT implementation. Meta said that led to a $10 billion loss in revenue and a 26% drop in the company’s share price earlier this year.

Leave a Comment