A hot potato: Facebook has never boasted a reputation for protecting its users' privacy. Now, an ex-Google engineer writes that both the social network and another Meta-owned property, Instagram, are using their in-app browsers to track users by injecting code into websites.

Researcher Felix Krause looked into how Facebook and Instagram use custom in-app browsers when users visit webpages by clicking on a link; the apps don't redirect users to their default browser.

"The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions," Krause writes.

The researcher investigated the iOS versions of Meta's apps. That's especially relevant because Apple's App Tracking Transparency (ATT) feature, introduced in iOS 14, allows users to prevent apps from tracking their activities across other companies' apps and websites. At last count, 96% of those using iOS 14.5 had not enabled in-app tracking.

Meta said that it only injected tracking code based on a user's ATT preferences and that it was only used to aggregate data before being applied for targeted advertising or measurement purposes for those users who opted out of such tracking, writes The Guardian.

"We do not add any pixels," said a Meta spokesperson. "Code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."

Krause notes that while injecting custom scripts into third-party websites, a practice usually associated with cyberattacks, does allow the monitoring of sensitive information such as passwords, addresses, and credit card numbers, there is no suggestion Meta is surreptitiously collecting this data. Meta did add, however, that "for purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."

The researcher added that the technique works for any website, whether encrypted or not, and it isn't present in WhatsApp. If you want to avoid the tracking, Krause says to use the option that opens the currently viewed website in a browser such as Chrome or Safari. Alternatively, use the mobile web version of the social networks rather than their apps.

Meta previously warned that ATT would negatively impact developers and advertisers. Facebook, Snapchat, Twitter, and YouTube lost a combined $9.85 billion in the two quarters following ATT's implementation. Meta said it resulted in $10 billion in lost revenue and a 26% fall in the company's share price earlier this year.