Meta Responds to Instagram's In-App Browser Tracking User Data and Behavior

An Instagram report claimed that the platform's in-app browser can track every interaction its users have with external websites that they access through its form inputs, such as passwords and addresses. 

A report claims that Instagram injects JavaScript code into all websites, including those displayed when clicking ads, to monitor all user interactions.

Meta reports that the script Instagram employs for its app helps it 'aggregate events' and respects users' opt-out choices regarding App Tracking Transparency.

Whenever a person clicks on an ad in the Instagram app, a JavaScript code is injected into the site, according to Felix Krause, owner of Fastlane, an open source platform for Android and iOS deployment. 

A third-party website can be injected with custom scripts allowing the platform to track all user interactions, such as button and link taps, selections of text, screenshots, and information entered into forms.

Instagram's in-app browser automatically opens when you tap on a website link, swipe up link, or link to purchase anything through ads instead of the default browser you have set on your phone. 

According to Instagram's blog, the app injects JavaScript code into every website shown, so it can monitor everything on external websites without the user's consent, or the website's provider's consent when you are using Instagram's browser to access the websites.

Users can decide which apps can track their data with the App Tracking Transparency feature in iOS 14.5 According to Meta, this is costing Apple $10 billion annually. 

Users are advised to copy the link at the end of the blog to be protected from tracking, and then open it in the browser of their choice. 

Third-party cookies are blocked by default in Apple's Safari browser, Google Chrome will soon phase them out, and Firefox's recent announcement of Total Cookie Protection prevents cross-page tracking.

Krause responded to Meta by saying that the script that gets injected is not the Meta Pixel, a JavaScript snippet that tracks visitor activity. 

According to Meta, the pcm.js script aggregates events like online purchases before the data is used to target advertising and measure Facebook's performance.

A Meta Pixel is a framework on iOS that requires apps to ask users for permission to share their data. Meta says the script respects the user's App Tracking Transparency (ATT) opt-out choices.

According to Krause, Meta has been contacted for more information. Despite this, he makes the point that Instagram could have opened the phone's default browser instead of building and using its own.

For more stories like this

Explore our website