“The Instagram app injects its tracking code into every website viewed, including when you click on ads, allowing them to [to] monitor all user interactions, such as every button and link typed, text selections, screenshots, as well as all form inputs, such as passwords, addresses, and credit card numbers,” said Krause in a blog post.
His research focused on the iOS versions of Facebook and Instagram. This is key because Apple allows users to turn app tracking on or off when they first open an app, through its App Tracking Transparency (ATT) introduced in iOS 14.5. Meta previously said the feature was “a headwind on our 2022 business…in the $10 billion range.”
Meta said the injected tracking code obeyed user preferences on ATT. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes,” a spokesperson said. The Guardian. “We do not add any pixels. The code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we ask for user consent to record the payment information for autofill purposes.”
According to Krause’s research, WhatsApp doesn’t modify third-party websites in the same way. As such, he suggests Meta do the same with Facebook and Instagram, or just use Safari or another browser to open links. “It’s best for the user and the right thing to do.” To learn more, see the summary of his findings here.