Social media platforms have had some bad press in recent times, largely prompted by the vast extent of their data collection. Now Meta, the parent company of Facebook and Instagram, has upped the ante.
Not content with following every move you make on its apps, Meta has reportedly devised a way to also know everything you do in external websites accessed through its apps. Why is it going to such lengths? And is there a way to avoid this surveillance?
‘Injecting’ code to follow you
Meta has a custom in-app browser that operates on Facebook, Instagram and any website you might click through to from both these apps.
Now ex-Google engineer and privacy researcher Felix Krause has discovered this proprietary browser has additional program code inserted into it. Krause developed a tool that found Instagram and Facebook added up to 18 lines of code to websites visited through Meta’s in-app browsers.
This “code injection” enables user tracking and overrides tracking restrictions that browsers such as Chrome and Safari have in place. It allows Meta to collect sensitive user information, including “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers”.
Krause published his findings online on August 10, including samples of the actual code.
In response, Meta has said it isn’t doing anything users didn’t consent to. A Meta spokesperson said:
We intentionally developed this code to honour people’s [Ask to track] choices on our platforms […] The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.
The “code” mentioned in the case is pcm.js – a script that acts to aggregate a user’s browsing activities. Meta says the script is inserted based on whether users have given consent – and information gained is used only for advertising purposes.
So is it acting ethically? Well, the company has done due diligence by informing users of its intention to collect an expanded range of data. However, it stopped short of making clear what the full implications of doing so would be.
People might give their consent to tracking in a more general sense, but “informed” consent implies full knowledge of the possible consequences. And, in this case, users were not explicitly made aware their activities on other sites could be followed through a code injection.
Why is Meta doing this?
Data are the central commodity of Meta’s business model. There is astronomical value in the amount of data Meta can collect by injecting a tracking code into third-party websites opened through the Instagram and Facebook apps.
At the same time, Meta’s business model is being threatened – and events from the recent past can help shed light on why it’s doing this in the first place.
It boils down to the fact that Apple (which owns the Safari browser), Google (which owns Chrome) and the Firefox browser are all actively placing restrictions on Meta’s ability to collect data.
Last year, Apple’s iOS 14.5 update came alongside a requirement that all apps hosted on the Apple app store must get users’ explicit permission to track and collect their data across apps owned by other companies.
Meta has publicly said this single iPhone alert is costing its Facebook business US$10 billion each year.
Apple’s Safari browser also applies a default setting to block all third-party “cookies”. These are little chunks of tracking code that websites deposit on your computer and which tell the website’s owner about your visit to the site.
Google will also soon be phasing out third-party cookies. And Firefox recently announced “total cookie protection” to prevent so-called cross-page tracking.
In other words, Meta is being flanked by browsers introducing restrictions on extensive user data tracking. Its response was to create its own browser that circumvents these restrictions.
How can I protect myself?
On the bright side, users concerned about privacy do have some options.
The easiest way to stop Meta tracking your external activities through its in-app browser is to simply not use it; make sure you’re opening web pages in a trusted browser of choice such as Safari, Chrome or Firefox (via the screen shown below).
If you can’t find this screen option, you can manually copy and paste the web address into a trusted browser.
Another option is to access the social media platforms via a browser. So instead of using the Instagram or Facebook app, visit the sites by entering their URL into your trusted browser’s search bar. This should also solve the tracking problem.
I’m not suggesting you ditch Facebook or Instagram altogether. But we should all be aware of how our online movements and usage patterns may be carefully recorded and used in ways we’re not told about. Remember: on the internet, if the service is free, you’re probably the product.
David Tuffley is Senior Lecturer in Applied Ethics & CyberSecurity at Griffith University.
This article first appeared on The Conversation.