A recent discovery on Instagram and Facebook mobile applications raises concerns about the processing of personal data. Meta does use unconventional methods to track its users.
Facebook and Instagram make money by tracking people all over the web. It’s hardly a surprise to anyone who has looked closely at the digital world in recent years, but the methods employed by the two companies are sometimes surprising. The founder of the analysis tool Fastlane discovered that the two services very precisely track the actions and gestures of Internet users who use the applications published by Meta.
Able to track “every interaction”
In a long blog post, the specialist explains that web browsing via mobile software is clearly too chatty. To fully understand the process, you must understand how these two apps work. On iOS as on Android, the applications published by Meta include an internal browser. So if you click on a link, the software will by default open a web window within that browser, rather than opening Chrome, Safari or Firefox directly. This very small piece of code, which is mainly used to provide quick access to the links on which Internet users click, contains a cookie capable of “track every interaction with websites, from entering passwords and addresses to the smallest click”.
This misplaced curiosity is only possible when people use the apps’ internal web browser. By injecting JavaScript code into each page you visit (without, of course, asking permission from site editors or Internet users), the two applications are able to collect all the information they want about the surfing session by question. “With a billion active users on Instagram, the amount of data the application can collect (…) is considerable”explains Felix Krause.
This practice goes completely against the direction that the various mobile ecosystems have recently taken. Since the release of iOS 14.5 in April 2021, Apple has effectively limited the tracking of its users through a tool called App Tracking Transparency. If the solution is not perfect, it already allows Internet users concerned about their privacy to limit cross-application tracking by prohibiting the creation of a unique advertising identifier shared by all the software installed on your iPhone. Android is moving towards a similar solution, although less restrictive.
A technically not illegal method
But this is where the method used by Facebook and Instagram is “clever”, if one can say so. By tracking activity via the application’s internal browser, the company does not violate Apple’s rules, which allow software to collect information about Internet users as long as it is not shared with the rest of the system. . Technically, therefore, the two applications have nothing to reproach each other for, apart from the fact that the methods used are misleading, opaque and can potentially cause bugs on the sites visited.
Let’s be clear: it is not proven that Facebook or Instagram really collect all this information, only that it is possible for it to do so. The best way to protect yourself right now is to set these apps to use your browser of choice rather than the internal browser. Hopefully both Apple and Google will ban these practices soon. If you want to know more about how this tracking method works, Felix Krause details the technical process on his site.