The in-app browsers of Facebook and Instagram can be used to track users.
Clicks, screenshots, and password form inputs can all be tracked by tracking code.
In a blog post, Krause explained that the Instagram app “injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.”
His investigation concentrated on Facebook and Instagram for iOS. This is significant because, starting with iOS 14.5, Apple introduced App Monitoring Transparency (ATT), which enables users to choose whether or not to enable app tracks when they first open an app. The feature, according to Meta, “will be a headwind on our business in 2022… in the order of $10 billion.”
According to Meta, the injected tracking code complied with ATT user choices. A spokeswoman told The Guardian, “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.” “No pixels are added by us. Injecting code enables us to gather conversion events from pixels. We ask for the user’s permission before storing payment information for autofill when making purchases through the in-app browser.”
Krause’s research indicates that WhatsApp doesn’t alter third-party websites in the same manner. As a result, he advises Meta to open URLs on Safari or another browser instead of doing the same for Facebook and Instagram. It is both the correct thing to do and what is best for the user. Check out the summary of his findings here for more information.