Breaking News

Instagram tracking user behavior, data via in-app browser, says report

The Instagram app can track every user interaction — including inputs such as addresses, passwords, text selections, every single tap, and screenshots — using external websites accessed through the in-app browser, a report suggests.

The report said the app injected JavaScript code into every website, including when clicking on ads, allowing the company to monitor user interactions. Meta Platforms, the owner of Instagram, said the script that the Instagram app injected helped it “aggregate events” and respect App Tracking Transparency opt-out choice.

Felix Krause, the owner of fastlane — an open-source platform that attempts to simplify iOS and Android deployment — said in a blog that the Instagram app injected the JavaScript code into every website in the app. Injecting these custom scripts into third-party websites allowed Instagram to “monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers” without user consent.

To put it simply, every time a user taps a website link, swipes up a link, or a link to purchase anything through Instagram ads, it opens an in-app browser window instead of opening it in Google Chrome or Safari, the default browsers.

Krause wrote in his blog: “With 1 Billion active Instagram users, the amount of data Instagram can collect by injecting the tracking code into every third party website opened from the Instagram & Facebook app is a staggering amount.”

“With web browsers and iOS adding more and more privacy controls into the user’s hands, it becomes clear why Instagram is interested in monitoring all web traffic of external websites.”

In iOS 14.5, the App Tracking Transparency feature allows users to decide the apps that can track their data. Meta Platform said this had cost the company $10 billion a year, reports said.

Krause said in the blog that users could copy and open the link in their default or preferred browsers in order to prevent tracking. Apple’s Safari browser, by default, blocks third-party cookies. Google Chrome will also phase out third-party cookies, while Firefox’s new Total Cookie Protection prevents any cross-page tracking.

Meta Platforms, in response to Krause, said the script injected “isn’t the Meta Pixel”. It said it was the pcm.js script that “helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.”

No comments