According to new research by a former Google engineer, Meta rewrote tracking code on Facebook and Instagram‘s websites to allow companies to track customers‘ activity on the web after they clicked on links in their apps.
Meta Rewrote Tracking Code On Facebook And Instagram's Website
“The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” said Felix Krause, a privacy researcher who created an app development tool that was acquired by Google in 2017.
In a statement, Meta said the injection of the tracking code is in line with user preferences for whether to allow apps to track them, and it is only used to aggregate data before using it for targeted advertising or measurement purposes for those users who have opted out of this tracking.
“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms,” a Meta spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”
“For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill,” they added.
Krause discovered code injections by building a tool that lists all the extra commands the browser adds to a website. For normal browsers and most apps, the tool won’t detect any changes, but for Facebook and Instagram, it will find up to 18 lines of code added by the app. The lines of code appear to scan for a specific cross-platform tracking toolkit and, if not installed, invoke the Meta Pixel, a tracking tool that allows companies to track users across the web and serve targeted ads based on their browsing.
The company did not disclose to users that it was rewriting web pages in this way. According to Krause’s research, no such code was added to WhatsApp’s in-app browser.
It’s unclear when Facebook started injecting code to track users after clicking links. In recent years, the company has had a bitter public standoff with Apple, which requires app developers to obtain permission to track users across apps. After the launch according to Meta, many Facebook advertisers found themselves unable to target users on the social network, ultimately leading to $10 billion in lost revenue and a 26 percent drop in the company’s stock earlier this year.
