New research found that Facebook parent company Meta has been altering third-party websites opened through its in-app browsers in order to track all of its users’ online activities.
Facebook and Instagram have injected code into websites that users view in an “in-app browser” within their iOS and Android apps. The code appears to be used to track the user’s activity on the external site. The tracking appears to be a major step by Facebook to keep an eye on user data gathered from third-party websites despite pressure from regulators in the United States and Europe over its tracking of user data.
Whenever a user clicks an external link on Facebook or Instagram, the app opens the link in an in-app browser rather than in the user’s preferred browser, such as Safari or Google Chrome. “The Instagram app injects their JavaScript code into every website shown, including when clicking on ads,” wrote privacy researcher Felix Krause. “Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.”
Meta did not deny the practice. “We intentionally developed this code to honour people’s [ask to track] choices on our platforms,” a Meta spokesperson told the Guardian.
“For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill,” the spokesperson said.
Krause discovered the code while building a tool that identifies any extra commands that a browser may add to a website. While most browsers make no additional changes to a site’s code, Krause discovered that Facebook’s and Instagram’s in-app browsers added up to 18 additional lines of code to the website. These additional lines of code are not disclosed within Facebook’s terms of service and would typically be classified by cybersecurity specialists as a form of malicious attack.
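One way a site owner could observe extra commands running against their page, shown here as an added example (it is not Krause's tool or Meta's code): wrap selected DOM methods and log any call made after the page's own scripts have finished. The names `instrument`, `seal`, `report`, the fake document, and the sample calls are all constructed for illustration.

```javascript
// Wrap selected methods on `target` and record every call made after seal().
// All names here (instrument, seal, report, makeFakeDocument) are hypothetical.
function instrument(target, methodNames) {
  const state = { sealed: false, calls: [] };
  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== 'function') continue; // skip APIs this target lacks
    target[name] = function (...args) {
      if (state.sealed) {
        state.calls.push({
          method: name,
          // Summarise arguments; never keep callbacks or node references.
          args: args.map((a) => (typeof a === 'function' ? '[function]' : String(a))),
        });
      }
      return original.apply(this, args); // behaviour of the page is unchanged
    };
  }
  return {
    seal: () => { state.sealed = true; }, // call once the page's own scripts are done
    report: () => state.calls.slice(),    // copy, so callers cannot edit the log
  };
}

// Constructed stand-in for `document`, so the example runs outside a browser.
function makeFakeDocument() {
  return {
    listeners: [],
    getElementById(id) { return id === 'app' ? { id } : null; },
    createElement(tag) { return { tagName: tag.toUpperCase() }; },
    addEventListener(type, fn) { this.listeners.push(type); },
  };
}

function demo() {
  const doc = makeFakeDocument();
  const monitor = instrument(doc, ['getElementById', 'createElement', 'addEventListener']);
  // Phase 1: the page's own code runs; nothing is logged.
  doc.getElementById('app');
  doc.addEventListener('click', () => {});
  monitor.seal();
  // Phase 2 (constructed): calls the page did not make itself.
  doc.getElementById('injected-marker');
  doc.createElement('script');
  doc.addEventListener('selectionchange', () => {});
  return monitor.report();
}
```

In a browser, `document` would be passed in place of the fake object. Hooks like these only see code that runs in the page's own JavaScript context.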
This sort of “cross-host tracking” is denounced by other tech companies. Apple has actively worked against this sort of tracking and incorporated an update in iOS 14.5 that required apps to get user permission before tracking their data across apps operated by other companies. Meta has been critical of this notification, alleging that it cost the company $10 billion a year.
This sort of code is also being phased out by normal browsers such as Google Chrome and Mozilla Firefox. It’s unclear when Meta began injecting code into its in-app browser.
Regulators have penalized companies like Meta over their data-gathering practices in the past. Such companies have also been the targets of legislation from the European Union over their data-sharing and gathering practices. U.S. lawmakers have also said that they wish to implement additional policies that would rein in Meta’s data access. However, the company’s employees have also been uncertain about the breadth of user data control that they have and stated in internal memos that they lack an “adequate level of control” over internal data.