The Instagram app can track every user interaction — including inputs such as addresses, passwords, text selections, every single tap, and screenshots — using external websites accessed through the in-app browser, a report suggests.
To put it simply, every time a user taps a website link, swipes up a link, or a link to purchase anything through Instagram ads, it opens an in-app browser window instead of opening it in Google Chrome or Safari, the default browsers.
Krause wrote in his blog: “With 1 Billion active Instagram users, the amount of data Instagram can collect by injecting the tracking code into every third party website opened from the Instagram & Facebook app is a staggering amount.”
“With web browsers and iOS adding more and more privacy controls into the user’s hands, it becomes clear why Instagram is interested in monitoring all web traffic of external websites.”
In iOS 14.5, the App Tracking Transparency feature allows users to decide the apps that can track their data. Meta Platform said this had cost the company $10 billion a year, reports said.
Krause said in the blog that users could copy and open the link in their default or preferred browsers in order to prevent tracking. Apple’s Safari browser, by default, blocks third-party cookies. Google Chrome will also phase out third-party cookies, while Firefox’s new Total Cookie Protection prevents any cross-page tracking.
Meta Platforms, in response to Krause, said the script injected “isn’t the Meta Pixel”. It said it was the pcm.js script that “helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.”