In a study published on Wednesday, August 10, Krause detailed his tests on Meta apps with a tool he built that reveals concealed code. He found that Facebook and Instagram in-app browsers inject 18 lines of code into every website users visit. This could enable Meta to “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.” There is no evidence of code injection when users click links on WhatsApp.
Potential Privacy Violation
The extra lines of code in Meta’s in-app browsers don’t necessarily prove that using these browsers compromises users’ privacy. However, running a simple “custom script” makes it possible to “monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers,” Krause explained. At the moment, it’s impossible to tell precisely what sort of data Meta collects when users open a link using its in-app browsers. Krause said the goal of his study was not to show what sort of data the company collects but to demonstrate the potential privacy and security issues associated with its in-app browsers. Apart from violating users’ privacy, injecting lines of code into websites can “cause issues and glitches, potentially breaking the website,” he noted.
Apple and Facebook Clash Over User Privacy
Apple and Facebook clashed in 2020 after Apple required developers to get users’ consent before tracking them online. “You must use the AppTrackingTransparency framework if your app collects data about end users and shares it with other companies for purposes of tracking across apps and web sites,” Apple explains on its website. Apple’s decision to require users’ consent for tracking cost Facebook about $10 billion in the first year alone, prompting Meta to threaten Apple with a lawsuit and urge users to turn on tracking. In response to Krause’s findings, Meta has said it doesn’t violate Apple’s App Tracking Transparency (ATT). Installing the extra JavaScript code supposedly allows Meta to identify users who opt out of tracking and respect their choices. For users who do not reject tracking, Meta told Krause that the extra code “helps aggregate events, i.e. online purchases, before those events are used for targeted advertising and measurement for the Facebook platform.”
How to Protect Your Privacy When Using Meta Apps
Krause recommends opening links with Safari or another browser instead of the Instagram or Facebook in-app browser. If there’s no option to open the link with another browser, copy the link and paste it into your preferred browser. He also recommends using the web versions of these social media platforms rather than the mobile apps. In addition, he provided HTML code that web developers can put into their sites to “trick the Instagram and Facebook app to believe the tracking code is already installed.” Today, websites, apps, and other digital platforms are tracking users more than ever to gather valuable data. In May, we reported on a study that revealed thousands of websites are using online trackers to record users’ keystrokes. Meanwhile, on Thursday, August 11, the Federal Trade Commission (FTC) signaled its intent to take action against commercial surveillance. To protect your sensitive data online, we recommend you use a privacy-first browser. You can learn more about the data that companies collect about you in our article on big data and privacy.