An ex-Google employee claims his research shows Facebook's parent company, Meta, is "rewriting" other websites so that it can better track users' data.
The researcher, Felix Krause, claims Meta can "inject" tracking code into other websites whenever those websites are opened by Facebook or Instagram's in-app web browser, as opposed to standalone web browsers like Google Chrome and Safari.
"The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," Krause warns in a tweet.
Krause also claims Meta injects this tracking code "without the user’s consent, nor the website operator’s permission."
"Why is this a big deal? Instagram & Facebook actively work around the new App Tracking Transparency System which was designed to prevent exactly this kind of abuse, to keep tracking users outside their ecosystem," Krause claims in a follow-up tweet.
The ex-Google engineer apparently discovered the code injection while developing a tool to detect extra commands added to websites by web browsers. For most browsers and apps, the tool detects no injected code, but for Facebook and Instagram, Krause claims it found up to 18 added lines of code.
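A site-side version of the kind of check such a tool performs, added here as an example (it is neither Krause's tool nor Meta's code): it lists script elements the page did not ship itself and re-checks whenever the DOM changes. The allowed origins, the CSP nonce scheme and the user-agent markers are assumptions.

```javascript
// Added example, not Krause's tool or Meta's code. Flags <script> elements a page
// did not ship itself, e.g. code injected by an in-app browser. Assumed: the site
// knows its own script origins and tags its inline scripts with a CSP nonce.
// Only code that materialises as DOM nodes is visible here; script evaluated by
// the host app without touching the DOM would not be caught.
const IN_APP_MARKERS = ["FBAN", "FBAV", "FB_IAB", "Instagram"]; // assumed UA substrings

function isInAppBrowser(userAgent) {
  return IN_APP_MARKERS.some((m) => userAgent.includes(m));
}

// scripts: [{ src, inline, nonce }]; external scripts must come from allowedOrigins,
// inline scripts must carry expectedNonce. baseUrl resolves relative src values.
function findUnexpectedScripts(scripts, allowedOrigins, expectedNonce, baseUrl) {
  const unexpected = [];
  for (const s of scripts) {
    if (s.src) {
      let origin = null;
      try { origin = new URL(s.src, baseUrl).origin; } catch (_) { /* malformed src */ }
      if (!allowedOrigins.includes(origin)) unexpected.push({ kind: "external", src: s.src });
    } else if (s.nonce !== expectedNonce) {
      unexpected.push({ kind: "inline", preview: (s.inline || "").slice(0, 60) });
    }
  }
  return unexpected;
}

// Browser glue: snapshot the DOM and re-check on every mutation.
function snapshotScripts(doc) {
  return Array.from(doc.querySelectorAll("script")).map((el) => ({
    src: el.getAttribute("src"),
    inline: el.textContent,
    nonce: el.nonce || null, // the .nonce property, since the attribute is hidden
  }));
}

function watchForInjection(doc, allowedOrigins, expectedNonce, report) {
  const check = () => {
    const found = findUnexpectedScripts(snapshotScripts(doc), allowedOrigins,
                                        expectedNonce, doc.location.href);
    if (found.length) report({ inApp: isInAppBrowser(doc.defaultView.navigator.userAgent), found });
  };
  check();
  new MutationObserver(check).observe(doc.documentElement, { childList: true, subtree: true });
}
if (typeof document !== "undefined") { // no-op under Node; runs in a real page
  const own = document.currentScript ? document.currentScript.nonce : null;
  watchForInjection(document, [location.origin], own, (r) => console.warn("unexpected scripts", r));
}
```

In a real deployment the `report` callback would send the findings to the site's own telemetry endpoint rather than the console.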
In response to the allegations, Meta reportedly said the tracking code actually follows users' privacy preferences, and the data gathered is only aggregated for use in targeted advertising.
"We intentionally developed this code to honour people's [Ask to track] choices on our platforms," a spokesperson said, according to TheGuardian.com. "The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels."
"For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill," the spokesperson reportedly added.
Meta also reached out to Krause, the ex-Google engineer said in another tweet. Following that contact, Krause adjusted some of his claims but stood by his initial warnings.
Krause adds in his blog a series of "FAQs" (Frequently Asked Questions) for "non-tech readers." He explains that Facebook and Instagram can only read user data when people use their in-app browsers, and people can simply "make sure to click the dots in the corner to open the page in Safari instead" when using the apps on iPhone.
The ex-Google engineer also makes it clear he doesn't have proof Meta is stealing or storing passwords and credit card data, only that it is possible for the company's apps to do so.
As to why Meta has its apps sending users to websites using its in-app browsers, Krause only says "that building your own in-app browser takes a non-trivial time to program and maintain" even though he "can’t say how the decisions were made internally."