While Apple continues to make moves when it comes to general user privacy and security, especially with iOS, there are still some areas where third-party companies can take advantage of the tools Apple has in place. For instance, a built-in web browser in apps like Facebook or Instagram is still based on Apple’s WebKit. But it sounds like Meta has still found a way to track users that use that third-party web browser instead of Safari.

That’s according to a new analysis put together by Felix Krause. A wide range of apps still rely on Safari for web browsing, but there are others that use a third-party option instead, like Facebook and Instagram. These social networks, owned by Meta, use their own web browser for accessing the web, rather than Apple’s own default web browser.


And it’s with these third-party browsers (again, still based on Apple’s WebKit) that Facebook and Instagram can inject JavaScript-based tracking code to track users who browse with them. The tracker is actually codenamed “Meta Pixel,” which is placed within every website and link. Based on Krause’s findings, this means Facebook and Instagram can track any user, despite what their personal desires might be regarding digital tracking.

From the report:

The external JavaScript file the Instagram app injects (connect.facebook.net/en_US/pcm.js) is the Meta Pixel, as well as some code to build a bridge to communicate with the host app. This is not just a pixel/image, but actual JavaScript code that gets executed:

The Meta Pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions which you can use whenever a site visitor takes an action that you want to track […]

The Meta Pixel can collect the following data:

What’s interesting is that Facebook and Instagram are not trying to hide Meta Pixel at all. Indeed, on Facebook’s developer portal it indicates “Meta Pixel” is designed to “track visitor activity on your website,” with every interaction tracked while the user is within the custom-built web browser.
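A site owner's view of the injection quoted from the report, as an added example that is not code from Meta, Krause, or this article: it flags script tags whose host is not on the site's own allowlist, such as connect.facebook.net/en_US/pcm.js. The function names, the cdn.example.com allowlist entry, and the assumption that the injected file shows up as a script element with a src attribute in the DOM are illustrative.

```javascript
// Added example: helper names and hosts are constructed for illustration.
// Pure function, so it can be exercised outside a browser.
function findUnexpectedScripts(scriptSrcs, pageUrl, allowedHosts) {
  const pageHost = new URL(pageUrl).hostname;
  const allowed = new Set([pageHost, ...allowedHosts].map((h) => h.toLowerCase()));
  const findings = [];
  for (const src of scriptSrcs) {
    if (!src) continue; // inline scripts carry no src; out of scope here
    let host;
    try {
      // Resolving against the page URL handles relative and //host/path forms.
      host = new URL(src, pageUrl).hostname.toLowerCase();
    } catch (e) {
      findings.push({ src, host: null, reason: 'unparseable' });
      continue;
    }
    if (!allowed.has(host)) findings.push({ src, host, reason: 'host-not-allowlisted' });
  }
  return findings;
}

// Browser-only wiring: check script tags already present, then watch for
// script elements that are added to the document afterwards.
function watchForInjectedScripts(allowedHosts, report) {
  const check = (nodes) => {
    const srcs = nodes.map((n) => n.getAttribute('src'));
    const hits = findUnexpectedScripts(srcs, location.href, allowedHosts);
    if (hits.length) report(hits);
  };
  check(Array.from(document.querySelectorAll('script[src]')));
  const observer = new MutationObserver((mutations) => {
    const added = [];
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.nodeName === 'SCRIPT' && n.hasAttribute('src')) added.push(n);
      }
    }
    if (added.length) check(added);
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Runs only where a DOM exists; the allowlist entry is a placeholder.
if (typeof document !== 'undefined') {
  watchForInjectedScripts(['cdn.example.com'], (hits) => console.warn('Unexpected scripts', hits));
}
```

The report callback could post findings to the site's own logging endpoint so that pages opened inside an in-app browser can be compared with the same pages opened in Safari.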

Krause breaks things down for the “non-tech readers” as such:

It’s that last bullet point that stands out. As Krause points out, it takes a “non-trivial” amount of time to develop and maintain a custom in-app browser. So Meta, which oversees Facebook and Instagram, made a conscious decision to go down this particular route, which also includes involving the Meta Pixel tracker in the first place.

At face value, it does appear that Meta was trying to get around Apple’s App Tracking Transparency (ATT) feature, which requires consent for an iPhone user to be tracked across websites and apps owned by other companies. This Meta Pixel within the company’s own third-party browser makes it possible for Meta to track users no matter what they’ve decided on in the past.

We’ll have to see where this leads.