If you visit a website you see on Facebook and Instagram, you may have noticed that you are redirected to a special in-app browser, not your preferred browser. Researcher Felix Krause discovered that these browsers inject javascript code into every website visited, allowing parent company Meta to potentially track you on websites.
As Krause said in a blog post, “Instagram app provides tracking code, including when clicking ads, allowing them to track all user interactions such as every button and link tapped, text selections, screenshots, as well as any form input such as passwords, addresses, and credit card numbers. it injects it into every website shown.”
Krause’s research focused on iOS versions of Facebook and Instagram. This research is particularly important as Apple allows users to enable or exit app tracking through App Tracking Transparency (ATT) introduced in iOS 14.5 the first time they open an app. Meta previously described this feature as “a $10 billion headwind in our 2022 work.”
Meta said the tracking code injected matches users’ preferences in ATT. “The code allows us to collect user data before we use it for targeted advertising or measurement purposes,” a spokesperson told The Guardian. “We don’t add any pixels. The code is injected so we can collect conversion events from pixels. For purchases, we ask for user consent to save payment information for autofill purposes.”
Krause stated that Facebook does not use javascript injection to collect sensitive data. However, there is no way to inject a similar javascript into any secure site when applications open in a user-preferred browser such as Safari or Firefox. In contrast, the approach used by Instagram and Facebook in-app browsers “works for any website, encrypted or not,” he says.
According to Krause’s research, WhatsApp does not make similar changes to third-party websites. So he recommends Meta do the same on Facebook and Instagram, or use Safari or another browser to open links: “It’s best for the user and the right thing to do.”