Instagram app can track its users’ every interaction — including all form inputs like passwords, addresses, every single tap, text selections, and screenshots — with external websites that are accessed through the platform’s in-app browser, as per a report. The Instagram app reportedly injects JavaScript code into every website shown, including when clicking on ads, which allows the company to monitor all user interactions. As per Meta, the script which Instagram app injects helps the company “aggregate events” and respect users’ App Tracking Transparency (ATT) opt-out choice.
As per a blog post by Felix Krause, who owns fastlane — an open source platform aimed at simplifying Android and iOS deployment — Instagram app injects their JavaScript code into every website shown, including when clicking on ads, in the app. Injecting custom scripts into third-party websites allows the platform “to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers” without users’ consent.
In layman’s words, when you tap on a website link, swipe up link, or a link to purchase anything through ads on Instagram, it opens a window in the in-app browser instead of opening it in the default browser (Google Chrome, Safari, among others) that you have set on your phone. As per the blog, Instagram app injects their JavaScript code into every website shown, allowing them to “monitor everything happening on external websites — without the consent from the user, nor the website provider” — when you are using the opened website in Instagram’s in-app browser.
App Tracking Transparency feature in iOS 14.5 allows users to decide which apps have the permission to track their data. Meta reportedly said that this has cost the company $10 billion (roughly Rs. 80,000 crore) a year. The blog notes that in order to be safe from the tracking, users can copy and open the link in their preferred browsers. Apple’s web browser Safari blocks third-party cookies by default, Google Chrome will soon start phasing out third-party cookies, and Firefox’s recently-announced Total Cookie Protection will prevent any cross-page tracking.
Meanwhile, Meta responded to Krause saying that the script that gets injected “isn’t the Meta Pixel” — a snippet of JavaScript code that allows tracking visitor activity on a website. Meta says that it is the pcm.js script, which “helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.” Meta also said that the injected script respects the user’s App Tracking Transparency (ATT) opt-out choice “which is only relevant if the rendered website has the Meta Pixel installed.” ATT is a framework on iOS that requires all iOS apps to ask users for permission to share their data.
Krause says he has reverted to Meta asking more details on the same. He, however, points that all of this (injecting code and respecting user’s ATT choice) “wouldn’t be necessary if Instagram were to open the phone’s default browser, instead of building & using the custom in-app browser.”