While Apple continues to make moves when it comes to general user privacy and security, especially with iOS, there are still some areas where third-party companies can take advantage of the tools Apple has in place. For instance, a built-in web browser in apps like Facebook or Instagram, for instance, is still based on Apple’s WebKit. But it sounds like Meta has still found a way to track users that use that third-party web browser instead of Safari.
That’s according to a new analysis put together by Felix Krause. A wide range of apps still rely on Safari for web browsing, but there are others that use a third-party option instead. Like Facebook and Instagram. These social networks, owned by Meta, use their own web browser for accessing the web, rather than Apple’s own default web browser.
From the report:
The Meta Pixel can collect the following data:
- Button Click Data – Includes any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks.
- Form Field Names – Includes website field names like email, address, quantity, etc., for when you purchase a product or service. We don’t capture field values unless you include them as part of Advanced Matching or optional values.
What’s interesting is that Facebook and Instagram are not trying to hide Meta Pixel at all. Indeed, on Facebook’s developer portal it indicates “Meta Pixel” is designed to “track visitor activity on your website,” with every interaction tracked while the user is within the custom-built web browser.
Krause breaks things down for the “non-tech readers” as such:
- Can Instagram/Facebook read everything I do online? No! Instagram is only able to read and watch your online activities when you open a link or ad from within their apps.
- Does Facebook actually steal my passwords, address and credit card numbers? No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data for free, without asking the user for permission, they will track it.
- How can I protect myself? For full details scroll down to the end of the article. Summary: Whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.
- Is Instagram doing this on purpose? I can’t say how the decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past 7 years.
It’s that last bullet point that stands out. As Krause points out, it takes a “non-trivial” amount of time to develop, maintain, and so on a custom in-app browser. So Meta, which oversees Facebook and Instagram, did make this a conscious decision to go down this particular route. Which also includes involving the Meta Pixel tracker in the first place.
At face value, it does appear that Meta was trying to get around Apple’s App Tracking Transparency (ATT) feature, which requires consent for an iPhone user to be tracked across websites and apps owned by other companies. This Meta Pixel within the company’s own third-party browser makes it possible for Meta to track users no matter what they’ve decided on in the past.
We’ll have to see where this leads.