Meta, the owner of Facebook and Instagram, has been rewriting the websites its users visit, allowing the company to follow them around the web after clicking links in its apps, according to new research from a former Google engineer. .
The two apps have taken advantage of the fact that users who click on links are taken to web pages in an “in-app browser” controlled by Facebook or Instagram, rather than being sent to the user’s chosen web browser. user, such as Safari or Firefox.
“The Instagram app injects their tracking code on every website that is displayed, including when you click on ads, allowing them to [to] monitor all user interactions, such as every button and link clicked, text selections, screenshots, as well as any form inputs such as passwords, addresses, and credit card numbers,” says Felix Krause, a privacy researcher who founded an app development tool acquired by Google. in 2017.
In a statement, Meta said injecting a tracking code was driven by user preferences about whether or not to allow apps to track them, and was only used to aggregate data before being applied for targeted advertising or measurement purposes. users who opted out. of such monitoring.
“We intentionally developed this code to honor the [Ask to track] options on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so we can add conversion events from pixels.”
They added: “For purchases made through the in-app browser, we seek user consent to save payment information for autofill purposes.”
Krause discovered code injection by creating a tool that could list all the additional commands added to a website by the browser. For normal browsers and most apps, the tool doesn’t detect changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, call up Meta Pixel, a tracking tool that allows the company to follow a user across the web and build an accurate profile of their users. interests.
The company does not reveal to the user that it is rewriting web pages in this way. No such code is added to the WhatsApp app’s browser, according to Krause’s research.
It’s unclear when Facebook started injecting code to track users after clicking links. In recent years, the company has had a noisy public showdown with Apple, after the latter introduced a requirement for app developers to ask for permission to track users in apps. After the notice was released, many Facebook advertisers found themselves unable to target the social network’s users, ultimately leading to a $10 billion loss in revenue and a 26% drop in stock price. of the company earlier this year, according to Meta.