Meta, the owner of Facebook and Instagram, is rewriting websites its users visit, allowing the company to track them around the web after they click on links in its apps, according to new research from an ex-Google engineer.
The two apps have taken advantage of the fact that users who click on links are taken to web pages in an “in-app browser”, operated by Facebook or Instagram, rather than to the user’s web browser of choice, such as Safari or firefox.
“The Instagram app injects their tracking code into every website displayed, including when they click on ads, turning them on [to] monitor all user interactions, such as every button and link tapped, text selections, screenshots, and all form entries, such as passwords, addresses, and credit card numbers,” said Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.
In a statement, Meta said that injecting a tracking code obeyed users’ preferences about whether or not to allow apps to track them, and that it was only used to collect data before being applied for targeted advertising. or measurement purposes for those users who opted out of such tracking.
“We purposely developed this code to honor the people [Ask to track] choices on our platforms,” said a spokesperson. “The code allows us to collect user information before using it for targeted advertising or measurement purposes. We don’t add pixels. Code is injected so that we can collect conversion events from pixels.”
They added, “For purchases made through the in-app browser, we ask for user consent to store payment information for autofill.”
Krause discovered the code injection by building a tool that could display all the extra commands added to a website by the browser. For normal browsers and most apps, the tool will not detect any changes, but for Facebook and Instagram, it will find up to 18 lines of code added by the app. Those lines of code appear to scan for some cross-platform tracking kit and, if not installed, call instead the Meta Pixel, a tracking tool that allows the company to track a user across the web and build an accurate profile of their interests.
The company does not disclose to the user that it rewrites web pages in this way. Such a code is not added to WhatsApp’s in-app browser, according to research by Krause.
It’s unclear when Facebook started injecting code to track users after they clicked on links. In recent years, the company has had a vociferous public showdown with Apple after the latter introduced a requirement for app developers to ask for permission to track users in apps. After the prompt launched, many Facebook advertisers found themselves unable to target users on the social network, ultimately leading to $10 billion in lost revenue and a 26% drop in the company’s stock price earlier this year. years, says Meta.