Social media platforms have had some bad ones Press in recent times, largely motivated by the sheer size of their data collection. Now Meta, the parent company of Facebook and Instagram, has raised the bar.
Not content with tracking every move you make in its apps, Meta has reportedly devised a way to also know everything you do on external websites that can be accessed by means of are apps. Why is it going so far? And is there a way to avoid this surveillance?
‘Injecting’ code to track you
Meta has a custom in-app browser that works on Facebook, Instagram, and any website you can click through from both apps.
Now ex-Google engineer and privacy researcher Felix Krause has discovered that this proprietary browser contains additional code. Krause developed a tool that: found it Instagram and Facebook added up to 18 lines of code to websites visited through Meta’s in-app browsers.
This “code injection” enables user tracking and removes the tracking restrictions that browsers such as Chrome and Safari have. It allows Meta to collect sensitive user information, including “every button and link tapped, text selections, screenshots, and all form entries, such as passwords, addresses, and credit card numbers.”
In response, Meta has said it won’t do anything that users have not given permission for. A Meta spokesperson said:
We purposely developed this code to honor people [Ask to track] choices on our platforms […] The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.
The “code” mentioned in the case is pcm.js – a script that collects a user’s browsing activities. Meta says the script is inserted based on whether users have consented – and that the information obtained is only used for advertising purposes.
Is it then ethical action? Well, the company has done due diligence by informing users of its intention to collect an extensive range From the data. It didn’t stop there, however, to clarify what the full implications of this would be.
People can give their consent to tracking in a more general sense, but ‘informed’ consent implies full knowledge of the possible consequences. And in this case, users were not explicitly notified that their activities on other sites could be tracked through a code injection.
Why is Meta doing this?
Data is the central raw material of Meta’s business model. There is astronomical value in the amount of data Meta can collect by injecting a tracking code into third-party websites accessed through the Instagram and Facebook apps.
At the same time, Meta’s business model is under threat — and events from the recent past may help shed light on why it’s doing this in the first place.
The bottom line is that Apple (which owns the Safari browser), Google (which owns Chrome), and the Firefox browser all actively restrict Meta’s ability to collect data.
Last year, Apple’s iOS 14.5 update came along with a required that all apps hosted in the Apple App Store must get the explicit consent of users to track and collect their data in apps owned by other companies.
Meta has publicly said this single iPhone warning costs his Facebook business $10 billion every year.
Apple’s Safari browser also applies a default setting to block all third-party “cookies”. These are small pieces tracking code those websites deposit on your computer and that inform the website owner about your visit to the site.
Google will soon also phase out third-party cookies. And Firefox recently announced “total cookie protection” to prevent so-called cross-page tracking.
In other words, Meta is flanked by browsers that introduce restrictions on extensive tracking of user data. His response was to create his own browser that circumvents these restrictions.
How can I protect myself?
On the plus side, users who are concerned about privacy have a few options.
The easiest way to prevent Meta from tracking your external activities through the in-app browser is to simply not use it; make sure to open web pages in a trusted browser of your choice, such as Safari, Chrome, or Firefox (using the screen below).
If you cannot find this screen option, you can manually copy the web address and paste it into a trusted browser.
Another option is to access the social media platforms via a browser. So instead of using the Instagram or Facebook app, visit the sites by entering their URL into the search bar of your trusted browser. This should also solve the tracking issue.
I’m not suggesting that you ditch Facebook or Instagram altogether. But we all need to be aware of how to carefully record our online movements and usage patterns and use them in ways we weren’t told. Remember: on the web, if the service is free, you are probably the product.