You don't expect it: Instagram and Facebook can track all your web activities in their own browser

0
61

Many apps work with an in-app browser. This opens as soon as you tap a link in the app that takes you outside the original platform. For example, a link in an Instagram Story, which you forward to a webshop or an article from a news website. Or the well-known #linkinbio hashtag, with which you can tap from a profile to read more about a topic of an Instagram post. Many apps use Safari, the default browser of the iPhone and iPad, for this. Apple offers developers the possibility to use an in-app version of Safari (a kind of light version), with the functions and controls that you are used to from Safari. But there are also developers and apps who prefer to build their own version and Instagram and Facebook are well-known examples. And that's not without reason: both apps can accurately track your surfing behavior with their own in-app browser, according to research. And that goes further than you think.

Instagram and Facebook follow you via in-app browser

Built into the in-app browser is a piece of JavaScript code called the Meta Pixel. You may have heard of Facebook pixels. Then invisible pieces of code on a web page that allow Facebook to see which website you open and how you use the website. Apple has built in all kinds of measures to prevent this kind of tracking. Users must now actively consent to app tracking before apps can track users on other platforms. All kinds of privacy measures have also been added in Safari. Meta (formerly Facebook) was particularly opposed to this, because the company misses out on a lot of revenue. That's why they're looking for other ways to get around such tracking and so the Meta Pixel was created in its own in-app browser.


Instagram's in-app browser with option to switch to Safari

With this Meta Pixel, Instagram and Facebook can track all interactions you do on a website via their own in-app browser. They can see where you tap and scroll and also see what you enter in terms of text. This way Instagram can (in theory) see which passwords you use if you manually enter them on a website in the in-app browser. The good news is that being able to view your activities is only limited to the Instagram and Facebook app in-app browsers. So you are safe if you use the standard browsers for your regular internet activities, such as Safari or Chrome. Or if you don't have Instagram or Facebook at all.

How to protect yourself

You can recognize the Instagram in-app browser by the Instagram-like icons at the bottom of the screen and the large cross at the top left. The Safari version of the in-app browser uses exactly the same design as the regular Safari app and has a Safari button at the bottom that allows you to switch to the full Safari app.


Differences in-app browser from Instagram (left) vs Safari in-app browser

The most logical way to protect your own privacy is to stop using the Facebook and Instagram apps or to stop using social networks altogether. But the web versions via the regular browser are anything but a pleasant experience. If you do want to continue using the apps, open the link in your own browser right away. Via the menu with the three dots at the top right you will find an option Open in browser, which opens the link in Safari (or another default browser that you have set).

You can find more about the technical background of this method of tracking with researcher Felix Krause.

Also see

How to disable app tracking for apps like this on iPhone and iPad

Advertisers can take your personal interests into account in iPhone apps. They use the Identifier For Advertisers (IDFA), a unique number that is linked to your device. From iOS 14.5 you can disable app tracking