Meta, the owner of Facebook and Instagramrewrites the websites its users visit, allowing the company to track them around the web after they click on links in its apps, according to a new study by a former Google engineer.
These two applications use an “in-app browser” to direct users to web pages when they click on links. Facebook or Instagram, instead of being sent to the user’s web browser of choice, such as Safari or Firefox.
“The Instagram app embeds its tracking code on every website you visit, including when you click on ads to activate them. [to] Monitor all user interactions such as every button and link, text selections, screenshots, as well as any form inputs such as passwords, addresses and credit card numbers”. Felix Krause saysPrivacy researcher who founded the software development tool acquired by Google in 2017.
In the statement, Purpose said that the injection of tracking code is subject to users’ choices about whether or not to allow apps to track them, and that it is only used to collect data before it is applied for targeted advertising or measurement purposes for users who opt out of such tracking.
“We deliberately developed this code in honor of people [Ask to track] our platforms have options,” he said. “Code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We don’t add any pixels. Code is included so we can aggregate conversion events from pixels.”
They added: “For in-app browser purchases, we obtain user consent to store payment information for auto-fill purposes.”
Krause discovered code injection by creating a tool that could list all additional commands added to a website by the browser. For normal browsers and most apps, the tool doesn’t detect any changes, but for Facebook and Instagram, it finds up to 18 lines of code added by the app. These lines of code scan for a special set of cross-platform tracking and, if not installed, call Meta Pixel instead, a tracking tool that allows the company to follow a user around the web and create an accurate profile of their interests.
Sign up to Issue One, our free daily newsletter – every day at 7am BST
The company does not disclose to the user that it rewrites its web pages in this way. According to Krause’s research, no such code is added to WhatsApp’s in-app browser.
“Javascript injection” – the practice of adding additional code to a web page before it is displayed to the user – is often classified as a type of malicious attack. For example, the cyber security company Feroot, you describe it as an attack it “allows a threat actor to manipulate a website or web application and collect sensitive information such as personally identifiable information (PII) or payment information.”
There is no suggestion that Meta uses Javascript injection to collect such sensitive data. The Meta Pixel, which is typically added voluntarily to websites to help companies advertise to users on Instagram and Facebook, says in the company’s description that the tool “allows you to track visitor activity on your website” and may collect related information.
It’s unclear when Facebook began injecting code to track users after clicking on the links. In recent years, the company has had a high-profile public clash with Apple after the company introduced a requirement to ask app developers for permission to track users between apps. After demand was launched, many Facebook advertisers found themselves unable to target users on the social network, resulting in $10 billion in lost revenue and 26% drop in the company’s stock price earlier this yearAccording to meta.
