Research shows Meta is injecting code into websites to track its users
This year, Meta has made the headlines for all the wrong reasons. However, the past couple of weeks have been particularly bruising for the tech giant.
Initially, Meta began to receive bad press due to negative reviews about its AI. However, the company has since been embroiled in scandal. This is because research has shown that the parent company of Instagram and Facebook is using code to follow those who click links in its apps.
What does the code do?
An ex-Google engineer alleges that Meta has been rewriting websites its users visit in order to allow the company to follow them across the web. The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an ‘in-app browser’ that is controlled by Facebook or Instagram, rather than being sent to a user’s browser of choice, such as Safari or Firefox.
According to Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017, “the Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers”.
Meta disputes claims
However, in a statement issued in response, Meta said that injecting a tracking code obeyed users’ preferences on whether or not they allowed apps to follow them. The company added that it was only used to aggregate data before being applied for targeted advertising or measurement purposes.
A Meta spokesperson said that “we intentionally developed this code to honour people’s [Ask to track] choices on our platforms… The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”
They added: “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”
How the code was discovered
Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. He subsequently found that the tool did not detect any changes with normal browsers and most apps. However, it found up to 18 extra lines of code added by the Instagram and Facebook apps.
Meta does not disclose to users that it rewrites webpages in this way. As a result, it’s unclear when Facebook began injecting code to track users after clicking links. However, the company has been at the centre of a noisy public standoff with Apple in recent years. This is because Apple introduced a requirement for app developers to ask permission to track users across apps.
Once this prompt was launched, many Facebook advertisers found themselves unable to target users on the social network, ultimately leading to $10bn of lost revenue and a 26% fall in the company’s share price earlier this year, according to Meta.
Meta’s code injection – the view from Spike
Meta’s latest scandal is the latest in a long line of blunders from the tech giant in 2022. Once the undisputed king of the social media space, today Meta’s platforms are under serious pressure from rivals such as TikTok.
In response, senior Meta executives have now returned to London in an attempt to get a grip on the company’s struggles and halt its faltering share price.
Meta remains wedded to the Metaverse concept it has championed for the past couple of years. However, as scandals continue to engulf the company, it will be interesting to see if Meta chooses to divert resources away from the Metaverse and instead rollout other changes that will satisfy its user base, which is dwindling for the first time. One thing is for certain: the company must now make changes as both investors and users.
Author spike.digital