Meta, the owner of Facebook and Instagramrewrites the websites its users visit, allowing the company to track them around the web after they click on links in its apps, according to a new study by a former Google engineer.
These two applications use an “in-app browser” to direct users to web pages when they click on links. Facebook or Instagram, instead of being sent to the user’s web browser of choice, such as Safari or Firefox.
“The Instagram app embeds its tracking code on every website that is displayed, including clicking on ads that enable them. [to] Monitor all user interactions such as every button and link, text selections, screenshots, as well as any form inputs such as passwords, addresses and credit card numbers”. Felix Krause saysPrivacy researcher who founded the software development tool acquired by Google in 2017.
In the statement, Purpose said that the injection of tracking code is subject to users’ choices about whether or not to allow apps to track them, and that it is only used to collect data before it is applied for targeted advertising or measurement purposes for users who opt out of such tracking.
“We made this code intentionally to protect people’s honor [Ask to track] Options on our platforms,” the spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. The code is included so that we can combine conversion events from pixels.”
They added: “For in-app browser purchases, we obtain user consent to store payment information for auto-fill purposes.”
Krause discovered code injection by creating a tool that could list all additional commands added to a website by the browser. For normal browsers and most apps, the tool doesn’t detect any changes, but for Facebook and Instagram, it finds up to 18 lines of code added by the app. These lines of code scan for a special set of cross-platform tracking and, if not installed, call Meta Pixel instead, a tracking tool that allows the company to follow a user around the web and create an accurate profile of their interests.
The company does not disclose to the user that it rewrites its web pages in this way. According to Krause’s research, no such code is added to WhatsApp’s in-app browser.
It’s unclear when Facebook began injecting code to track users after clicking on the links. In recent years, the company has had a high-profile public clash with Apple after the company introduced a requirement to ask app developers for permission to track users between apps. After demand was launched, many Facebook advertisers found themselves unable to target users on the social network, resulting in $10 billion in lost revenue and 26% drop in the company’s stock price earlier this yearAccording to meta.