An ex-Google employee claims his research shows Facebook’s parent company, Meta, is “rewriting” other websites so that it can better track users’ data.
The researcher, Felix Krause, claims Meta can “inject” tracking code into other websites whenever those websites are opened by Facebook or Instagram’s in-app web browser, as opposed to standalone web browsers like Google Chrome and Safari.
The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause warns in a tweet.
Krause also claims Meta injects this tracking code “without the user’s consent, nor the website operator’s permission.”
Why is this a big deal? Instagram & Facebook actively work around the new App Tracking Transparency System which was designed to prevent exactly this kind of abuse, to keep tracking users outside their ecosystem,” Krause claims in a follow-up tweet.
The ex-Google engineer apparently discovered the code injection while developing a tool to detect extra commands added to websites by web browsers. For most browsers and apps, the tool doesn’t detect any lines of code injection, but for Facebook and Instagram, Krause claims the tool found up to 18 added lines of code.