Instagram and Facebook track you on websites you access through their apps

Facebook and Instagram track users through their apps (Credit: Getty)

Social media platforms have had some bad press recently, largely due to the sheer scale of their data collection.

Now Meta, the parent company of Facebook and Instagram, has turned it up a notch.

Not content with following your every move on its apps, Meta has reportedly developed a way to also know everything you do on external websites you access through those apps.

Why does it go so far? And is there a way to avoid this monitoring?

‘Injects’ code to follow you

Meta’s apps contain a custom in-app browser, which is used for Facebook, Instagram and every website you click through to from either app.

Now former Google engineer and privacy researcher Felix Krause has discovered that this proprietary browser has extra program code inserted into it. Krause developed a tool that found Instagram and Facebook added up to 18 lines of code to websites visited through Meta’s in-app browsers.

This “code injection” enables user tracking and overrides tracking restrictions that browsers such as Chrome and Safari have in place. It allows Meta to collect sensitive user information, including “every button and link pressed, text selection, screenshots, as well as all form input, such as passwords, addresses and credit card numbers”.

Krause published his findings online on August 10, including samples of the actual code.

In response, Meta has said that they do not do anything that users have not consented to. A spokesperson for Meta said:

We intentionally developed this code to honor people [Ask to track] choices on our platforms […] The code allows us to collect user data before it is used for targeted advertising or measurement.

The “code” mentioned in the suit is pcm.js – a script that works to collect a user’s browsing activities. Meta says that the script is inserted based on whether users have given consent – and information obtained is used only for advertising purposes.
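One way a site owner can check their own pages for the injection described above (an added example, not code from Krause's tool or from Meta) is to compare the scripts present in the page with the ones the site actually ships. The user-agent tokens, origins, URLs and sample data are assumptions constructed for illustration.

```javascript
// Added example. URLs, origins and sample data are constructed for illustration.

// Assumption: tokens Meta's apps put in their in-app browser user agent.
const IN_APP_UA = /\b(FBAN|FBAV|FB_IAB|Instagram)\b/;

function isMetaInAppBrowser(userAgent) {
  return IN_APP_UA.test(userAgent || "");
}

// scripts: [{ src, text }] as read from the DOM. Returns every script the
// site did not ship: external ones from an origin outside the allowlist,
// and inline ones whose text is not a known site snippet.
function findForeignScripts(scripts, pageUrl, allowedOrigins, knownInline = []) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const foreign = [];
  for (const s of scripts) {
    if (s.src) {
      let origin = null;
      try { origin = new URL(s.src, pageUrl).origin; } catch (e) { /* bad URL */ }
      if (!allowed.has(origin)) foreign.push({ kind: "external", src: s.src });
    } else if (!knownInline.includes((s.text || "").trim())) {
      foreign.push({ kind: "inline", src: null });
    }
  }
  return foreign;
}

// Constructed sample: what a checkout page might see inside an in-app browser.
const SAMPLE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 250.0.0.0";
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", text: "" },
  { src: "https://cdn.shop.example/lib.js", text: "" },
  { src: null, text: "initCart();" },
  { src: "https://tracker.example/pcm.js", text: "" },   // not shipped by the site
  { src: null, text: "/* unknown injected snippet */" }, // not shipped by the site
];

// In a real page, feed the live DOM into the same check.
if (typeof document !== "undefined") {
  const seen = [...document.scripts].map(
    (s) => ({ src: s.getAttribute("src"), text: s.textContent }));
  const foreign = findForeignScripts(seen, location.href, []);
  if (foreign.length) console.warn("scripts not shipped by this site:", foreign);
}
```

A script that the host app runs in an isolated content world never appears in the DOM, so an empty result does not prove the in-app browser added nothing.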

So is it ethical? Well, the company has done its due diligence by informing users of its intention to collect a wide range of data. However, it stopped short of making clear what the full implications of doing so would be.

People can give their consent to tracking in a more general sense, but “informed” consent implies full knowledge of the possible consequences. And in this case, users were not explicitly made aware that their activities on other websites could be tracked through a code injection.

Why does Meta do this?

Data is the central commodity in Meta’s business model. There is astronomical value in the amount of data Meta can collect by injecting a tracking code into third-party websites accessed through the Instagram and Facebook apps.

At the same time, Meta’s business model is under threat – and events from the recent past can help shed light on why they are doing this in the first place.

It boils down to Apple (which owns the Safari browser), Google (which owns Chrome) and the Firefox browser all actively restricting Meta’s ability to collect data.

Last year, Apple’s iOS 14.5 update came with a requirement that all apps hosted on the Apple App Store must get users’ explicit permission to track and collect their data across apps owned by other companies.

Meta has publicly said that this single iPhone notification costs Facebook’s business $10 billion each year.

Apple’s Safari browser also uses a default setting to block all third-party “cookies”. These are small pieces of tracking code that websites place on your computer that tell the website owner about your visit to the website.

Google will also soon phase out third-party cookies. And Firefox recently announced “total cookie protection” to prevent so-called cross-page tracking.

In other words, Meta is flanked by browsers that introduce restrictions on extensive tracking of user data. The answer was to create their own browser that bypasses these limitations.

How can I protect myself?

On the bright side, users concerned about privacy have some options.

The easiest way to stop Meta tracking of external activities through the in-app browser is to not use it; make sure you open web pages in a trusted browser of your choice, such as Safari, Chrome or Firefox (via the screen shown below).

If you can’t find this screen option, you can manually copy and paste the URL into a trusted browser.

Click “open in browser” to open a website in a trusted browser like Safari (Credit: The Conversation)

Another option is to access social media platforms via a web browser. So instead of using the Instagram or Facebook app, visit the sites by typing their URL into the search bar of your trusted browser. This should also resolve the tracking issue.

I’m not suggesting you ditch Facebook or Instagram entirely. But we should all be aware of how our online movements and usage patterns can be carefully recorded and used in ways we are not told about. Remember: on the internet, if the service is free, you’re probably the product.

By David Tuffley, Senior Lecturer in Applied Ethics and Cyber Security, Griffith University

This article is republished from The Conversation under a Creative Commons license. Read the original article.
