According to the analysis, Facebook and Instagram use a dedicated built-in browser to track users.
While Apple continues to take steps on overall user privacy and security, especially with iOS, there are still some areas where third parties can take advantage of Apple’s tools. For example, the built-in web browser in apps like Facebook or Instagram is still based on Apple WebKit. But it looks like Meta has found a way to track users who use this third-party web browser instead of Safari.
This is according to a new analysis by Felix Krause. A wide range of apps still use Safari for web browsing, but others, like Facebook and Instagram, use a third-party option instead. These Meta-owned social networks use their own web browser to access the internet, rather than Apple’s own default web browser.
And it is through these third-party browsers, again based on Apple WebKit, that they can inject JavaScript-based tracking code to track users who use that web browser. The tracker is actually codenamed “Meta Pixel” and is placed on every website and link. Based on Krause’s findings, this means that Facebook and Instagram can track any user, regardless of their personal desires for digital tracking.
From the report:
The external JavaScript file that the Instagram app injects (connect.facebook.net/en_US/pcm.js) is a metapixel as well as some code to create a bridge to communicate with the host app. It’s not just a pixel/image, but actual JavaScript code that gets executed:
A metapixel is a piece of JavaScript code that allows you to track visitor actions on your site. It works by loading a small library of functions that you can use whenever a site visitor takes an action that you want to track.
Meta Pixel may collect the following data:
- Button click data – includes any buttons clicked by site visitors, the labels of those buttons, and any pages visited as a result of clicking the buttons.
- Form Field Names – Includes website field names such as email, address, quantity, etc. when you purchase a product or service. We don’t capture field values unless you include them as part of extended matching or optional values.
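As an added illustration (not code from Krause's report or from Meta), a site owner can compare the script sources present in a rendered page against the hosts the site itself serves scripts from; anything else, such as the `pcm.js` file named above, was added by something other than the site. The host allowlist, function name and sample inputs are assumptions constructed for this example.

```javascript
// Added example: flag <script> sources a page did not ship itself.
// SITE_SCRIPT_HOSTS and the sample inputs are constructed for illustration.
const SITE_SCRIPT_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// srcs: script src attribute values (null or "" for inline scripts).
// pageUrl: document URL, used to resolve relative and protocol-relative srcs.
function findUnexpectedScripts(srcs, pageUrl, allowedHosts = SITE_SCRIPT_HOSTS) {
  const findings = [];
  for (const src of srcs) {
    if (!src) continue; // inline script: no origin to compare here
    let url;
    try {
      url = new URL(src, pageUrl);
    } catch {
      findings.push({ src, reason: "unparseable src" });
      continue;
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      findings.push({ src, reason: `non-http scheme ${url.protocol}` });
      continue;
    }
    const host = url.hostname.toLowerCase();
    if (!allowedHosts.has(host)) {
      findings.push({ src: url.href, reason: `host ${host} not shipped by this site` });
    }
  }
  return findings;
}

// In a browser, collect the inputs from the live DOM after load:
//   findUnexpectedScripts(
//     [...document.scripts].map(s => s.getAttribute("src")), location.href)
// Constructed sample: what the site served, plus the file named in the report.
const observed = [
  "/static/app.js",
  "//cdn.shop.example/vendor.js",
  null,
  "https://connect.facebook.net/en_US/pcm.js",
];
const report = findUnexpectedScripts(observed, "https://shop.example/cart");
console.log(report);
```

A site that deliberately embeds the Meta Pixel itself would list that host in its allowlist, so this check only separates scripts the site shipped from scripts it did not.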
Interestingly, Facebook and Instagram don’t try to hide the Meta Pixel at all. Indeed, the Facebook Developer Portal states that “Meta Pixel” is for “tracking visitor activity on your website”, with each interaction tracked while the user is in a specially crafted web browser.
Krause also breaks things down for “non-technical readers”:
- Can Instagram/Facebook read everything I do online? No! Instagram can only read and view your online activity when you open a link or ad in your apps.
- Is Facebook really stealing my passwords, addresses, and credit card numbers? No! I didn’t prove the exact data that Instagram tracks, but I wanted to demonstrate what data they can get without your knowledge. As has been shown in the past, if a company has the ability to access data for free without asking the user’s permission, it will track it.
- How can I protect myself? Scroll down to the end of the article for full details. Summary: Whenever you open a link from Instagram (or Facebook or Messenger), remember to click the dots in the corner to open the page in Safari instead.
- Is Instagram doing this on purpose? I can’t say how the decisions were made inside. All I can say is that building your own in-app browser takes non-trivial programming and maintenance time, much more than just using the privacy and convenience alternative that has been built into the iPhone for the past 7 years.
It is this last item that stands out. As Krause points out, it takes a “non-trivial” amount of time to develop and maintain a custom browser in an application. So Meta, which oversees Facebook and Instagram, made a conscious decision to go that route, which also includes using the Meta Pixel tracker in the first place.
At first glance, it looks like Meta was trying to bypass Apple’s App Tracking Transparency (ATT) feature, which requires iPhone user consent in order to be tracked on websites and apps owned by other companies. This Meta Pixel in the company’s own third-party browser allows Meta to track users no matter what decisions they’ve made in the past.
We’ll have to see where that leads.