Social media platforms have gotten some bad press of late, largely caused by the sheer amount of their data collection.
Now Meta, the parent company of Facebook and Instagram, has upped the ante.
Not content with tracking every move you make in their apps, Meta has devised a way to know everything you do on external websites that are accessed as well. through your applications
Why go to such extremes? And is there a way to bypass this surveillance?
‘Injecting’ code to follow you
Meta has a custom in-app browser that works on Facebook, Instagram, and any website you can click from within these two apps.
Now, former Google engineer and privacy researcher Felix Krause has discovered that this proprietary browser has additional program code embedded in it. Krause developed a tool that found that Instagram and Facebook added up to 18 lines of code to websites visited through Meta’s built-in browsers.
This “code injection” enables user tracking and overrides the tracking restrictions that browsers like Chrome and Safari have. It allows Meta to collect sensitive user information, including “every button and link clicked, text selections, screenshots, as well as any form input such as passwords, addresses, and credit card numbers.”
Krause posted his findings online on August 10, including samples of the actual code.
In response, Meta has said that it is not doing anything that users have not consented to. A Meta spokesperson said:
We intentionally developed this code to honor the [Ask to track] options on our platforms […] The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.
The “code” mentioned in the case is pcm.js, a script that acts to aggregate a user’s browsing activities. Meta says that the script is inserted based on whether users have given their consent, and the information obtained is used for advertising purposes only.
So, is it acting ethically? Well, the company has exercised due diligence in informing users of its intention to collect a broader range of data. However, he stopped short of making it clear what the full implications of doing so would be.
People can consent to monitoring in a more general sense, but “informed” consent implies full knowledge of the possible consequences. And, in this case, users were not explicitly informed that their activities on other sites could be tracked through code injection.
Why does Meta do this?
Data is the core product of Meta’s business model. There is astronomical value in the amount of data Meta can collect by injecting a tracking code into third-party websites opened through the Instagram and Facebook apps.
At the same time, Meta’s business model is under threat, and events in the recent past may help shed light on why it’s doing this in the first place.
It all boils down to the fact that Apple (owner of the Safari browser), Google (owner of Chrome), and the Firefox browser are actively placing restrictions on Meta’s ability to collect data.
Last year, Apple’s iOS 14.5 update came along with a requirement that all apps hosted on Apple’s app store must obtain explicit permission from users to track and collect their data on apps owned by other companies.
Meta has publicly said that this one iPhone alert is costing his Facebook business $10 billion each year.
Apple’s Safari browser also applies a default setting to block all third-party “cookies.” These are small pieces of tracking code that websites deposit on your computer that tell the website owner about your visit to the site.
Google will soon phase out third-party cookies. And Firefox recently announced “full cookie protection” to prevent so-called cross-page tracking.
In other words, Meta is being flanked by browsers that introduce restrictions on extensive tracking of user data. His response was to create his own browser that bypasses these restrictions.
How can I protect myself?
On the plus side, privacy-conscious users have a few options.
The easiest way to prevent Meta from tracking your external activities through your in-app browser is to simply not use it; make sure you open web pages in a trusted browser like Safari, Chrome or Firefox (via the screen below).
If you can’t find this screen option, you can manually copy and paste the web address into a trusted browser.
Another option is to access social media platforms through a browser. So instead of using the Instagram or Facebook app, visit the sites by entering their URL into the search bar of your trusted browser. This should also resolve the tracking issue.
I am not suggesting that you abandon Facebook or Instagram altogether. But we all need to be aware of how our online movements and usage patterns can be carefully recorded and used in ways we are not informed of. Remember: on the Internet, if the service is free, you are probably the product.
By David Tuffley, Senior Lecturer in Applied Ethics and Cyber Security, Griffith University
This article is republished from The Conversation under a Creative Commons license. Read the original article.
MORE: Facebook turned over a teen’s posts about her abortion to police
MORE: Facebook’s AI chatbot still thinks Donald Trump is president