If you visit a link on the iOS Facebook or Instagram app, it can track every onward page you visit, every password you enter, and every tap on the screen. That’s according to new findings this month from privacy researcher Felix Krause.

Technologically, this is achieved by their digitally altering any website you visit, attaching tracking tech to it which reports back what the user is doing. This is made possible by Facebook / Instagram opening links you tap inside its own browser, regardless of which browser you have as default.

Such in-app browsers, as they are called, have long existed inside apps, and when used correctly are not detrimental to privacy. You can often see them when tapping things like support links or privacy policies in an app. They allow a predefined web page to be loaded and displayed without the user ever having to leave the app, or they may be used to embed web content within an app. This is all perfectly innocent.

But Meta, the owners of Facebook and Instagram, appear to have exploited this technology to attach their tracking technology to any web page it displays. So when you click a web link in Facebook for example, you are actually seeing Meta’s digitally altered version of the page. It looks exactly the same, but it contains extra tracking technology.

To be clear, this doesn’t necessarily mean that they are actively using the technology in a privacy-busting way; the research simply indicates that they could collect the above, not that they actively do. And of course, this only affects Meta apps’ in-app browser – this doesn’t allow Meta to spy on your journey through the web using your normal browser (Chrome, Firefox, Safari, etc.).


How can you make sure you’re browsing safely?

So, beware when you tap a link inside an app. Does the app open the link inside your normal browser, or not? In the Facebook / Instagram iOS apps, links tapped will by default open up in the in-app browser, but there is a separate menu option to open in Safari.

If you’re not sure whether a link has opened in an in-app browser, swipe up from the bottom of the screen and hold (iOS & recent Android) or press the square button (older Android) to see which app is currently open. If it’s your usual web browser, you’re good to go; if you’re still in the app from which you tapped the link, then you’re using an in-app browser. 


App Store privacy questionnaires

Both Apple and Google have in recent years had a particular focus on privacy issues, cracking down on recent bad app behaviour. The technology they produce is now more tightly controlled – Android’s tightening of permissions, for example, meaning that apps no longer have quite the free reign they used to. And the app stores themselves are playing a greater role in protecting user privacy, including the privacy questionnaires that both stores require app developers to fill out, detailing everything they collect and what they use it for. On the Apple App Store, this manifests itself in the privacy “nutrition score” you now see against each app.

So how was this not known about sooner? The problem is that there is almost nothing in the app review process that can detect silent collection of data (as opposed to that which is user-entered). The privacy questionnaires therefore show their limitations by not being verifiable. And even if an app does own up to collecting masses of information, a developer can reduce the impact on their privacy score by saying that the data is never used for any purpose. Apple has no way of verifying if this is correct.


In conclusion

As always, “buyer beware” applies to app stores. It is not necessarily surprising that Meta has been caught out in this way, given their bad reputation for privacy anyway. I personally do not use the Facebook or Instagram apps, instead using them in my web browser.
It is always a good idea to be picky about which apps you install, and to remove them when you no longer need them. Android for example will show you which apps are unused. And finally, follow the specific advice on in-app browsers above.