Surely you have tried to open a link that interests you through Facebook or Instagram. You will have already noticed that the link does not open in the browser you are using, but within the Facebook or Instagram application.
So because the liar and the thief in the first year rejoice, we have news.
Meta, the owner of Facebook and Instagram, rewrites every website visitors visit users of it, helping the company track them on the web, according to new research from a former Google engineer. The Guardian reports:
The two apps take advantage of the fact that users who click on links are taken to web pages in an "in-app browser," controlled by Facebook or Instagram, rather than being sent to the user's browser, such as Safari or Firefox.
“The Instagram app inserts a tracking code on every website it displays, even when you click on advertisements, επιτρέποντάς τους να παρακολουθούν όλες τις αλληλεπιδράσεις των χρηστών, όπως κάθε κουμπί και κάθε σύνδεσμο που πατιέται, επιλογές κειμένου, στιγμιότυπα οθόνης, καθώς και οποιαδήποτε εισαγωγή φόρμας, όπως κωδικοί πρόσβασης, διευθύνσεις και αριθμούς πιστωτικών καρτών”, αναφέρει ο Felix Krause, ένας ερευνητής απορρήτου που κατασκεύασε ένα tool app developer that Google bought in 2017.
Krause discovered code injection by building a new tool that could list all the extra commands added to a website by the browser. In regular browsers and most apps, the tool doesn't detect changes, but on Facebook and Instagram it finds up to 18 lines of code added by the app.
These lines of code appear to scan for a specific cross-platform tracking kit and, if it's not installed, call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests.
The company does not disclose to the user that it rewrites the web pages it opens in this way. It should be noted that no such tracking code was found in WhatsApp's in-app browser, according to Krause's research, and that it's unclear when Facebook began inserting code to track users who clicked on links.
Of course the response from Meta tried to downplay the fact
"We have deliberately created this code," a Meta spokesperson told the Guardian. “The code allows us to collect user data before using it for targeted advertising or measurement purposes. We don't add pixels. The code is inserted so that we can collect conversion events from pixels.”
“For purchases made through the in-app browser, we ask for the user's consent to store information payments for the purposes of auto-completion.”
