Facebook and Instagram rewrite websites via in-app browser that can track ‘every single interaction’

Meta has been rewriting websites that Facebook and Instagram users visit to trace them across the internet, according to new research.

Users who click links inside Facebook or Instagram are taken to webpages in an “in-app browser”, rather than using Google Chrome or Safari.

This allows the company to monitor everything that happens on external websites without needing user consent or the consent of the website.

“This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap”, wrote Felix Krause, a former Google engineer.

“I can’t say how the decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past 7 years.”

Mr Krause advises that users should use the ‘Open in Browser’ setting that most in-app browsers have. If that option is not available, they will have to copy and paste the URL into a separate browser. Using Facebook and Instagram on the web, rather than through their apps, also avoids these issues.

Smartphone companies have been implementing methods to block websites from tracking users around the web. In April last year Apple introduced iOS 14.5 with App Tracking Transparency, or ATT.

The feature forces developers to ask permission to see the unique identifier that had until recently been used to track phones and their users as they move between different apps.

Given most users are not likely to give the explicit consent to tracking, the move has brought significant changes to advertising companies.

According to Meta CFO Dave Wehner, “the impact of iOS overall” cost Meta “on the order of $10 billion” in 2022.

In a statement, Meta said that injecting tracking code obeyed users’ preferences and was only used to aggregate data.

“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels”, a spokesperson told The Guardian.

“For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”