Facebook Privacy Social Networks The Internet Slashdot.org

Meta Injecting Code Into Websites Visited By Its Users To Track Them, Research Says (theguardian.com)

Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer. The Guardian reports: The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an "in-app browser," controlled by Facebook or Instagram, rather than sent to the user's web browser of choice, such as Safari or Firefox. "The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. For normal browsers, and most apps, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests. The company does not disclose to the user that it is rewriting webpages in this way. No such code is added to the in-app browser of WhatsApp, according to Krause's research. [...] It is unclear when Facebook began injecting code to track users after clicking links.
"We intentionally developed this code to honor people's [Ask to track] choices on our platforms," a Meta spokesperson told The Guardian in a statement. "The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels."

They added: "For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."
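As an added, defender-side example that is not part of the article or of Krause's tool: a first-party page can itself enumerate the scripts it did not ship, which is how injected in-app-browser code appears from the page's point of view. The allowed origins, the `data-owner` marker convention and the sample script list are assumptions; the classification logic is kept separate from DOM access so it also runs under Node.

```javascript
// Added example, not code from the article or from Krause's tool.
// Lists <script> elements a page did not ship itself (external scripts from
// unknown origins, and inline scripts lacking the page's own marker).

// Origins the page legitimately loads scripts from (assumed allowlist).
const ALLOWED_ORIGINS = new Set([
  "https://example.com",     // assumed first-party origin
  "https://cdn.example.com", // assumed first-party CDN
]);

// Inline scripts the page ships carry an assumed marker attribute:
// <script data-owner="site">...</script>
const INLINE_MARKER = "site";

// Classify script records {src, inline, owner} and return those not
// accounted for by the allowlist or the inline marker.
function findUnexpectedScripts(scripts, allowedOrigins = ALLOWED_ORIGINS) {
  const unexpected = [];
  for (const s of scripts) {
    if (s.src) {
      let origin;
      try {
        origin = new URL(s.src).origin;
      } catch {
        origin = "invalid"; // relative or malformed src: treat as foreign
      }
      if (!allowedOrigins.has(origin)) {
        unexpected.push({ kind: "external", detail: s.src });
      }
    } else if (s.owner !== INLINE_MARKER) {
      // Unmarked inline script: keep a short preview, never evaluate it.
      unexpected.push({ kind: "inline", detail: s.inline.slice(0, 60) });
    }
  }
  return unexpected;
}

// Build script records from a live DOM (browser only).
function collectScripts(doc) {
  return Array.from(doc.querySelectorAll("script")).map((el) => ({
    src: el.src || "",
    inline: el.textContent || "",
    owner: el.dataset.owner || "",
  }));
}

// Constructed sample: two scripts the page ships, two that it did not.
const SAMPLE_SCRIPTS = [
  { src: "https://cdn.example.com/app.js", inline: "", owner: "" },
  { src: "", inline: "window.__site = true;", owner: "site" },
  { src: "https://tracker.invalid/pixel.js", inline: "", owner: "" },
  { src: "", inline: "document.addEventListener('click', e => r(e));", owner: "" },
];

if (typeof document !== "undefined") {
  // In a real page: audit at load, and again whenever nodes are inserted later.
  const audit = () => console.log(findUnexpectedScripts(collectScripts(document)));
  audit();
  new MutationObserver(audit).observe(document.documentElement, {
    childList: true,
    subtree: true,
  });
}
```

Run in the page itself (or from a WebView-loaded test page) and compare the output between a normal browser and the in-app browser; anything listed only in the latter was added by the host app.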
  • Translation (Score:2, Insightful)

    by Anonymous Coward
    All your data are belong to us.

    All the other double-talk wank they spew out is mere veneer. They want to use information about you to make more money. Once they have it, they have it forever.

    That is all.
  • Fuck the engineers (Score:5, Insightful)

    by The Evil Atheist ( 2484676 ) on Thursday August 11, 2022 @09:05PM (#62782278)
    Fuck the engineers who work on this.

    Sure, we can blame management and shareholders and VCs. But the engineers themselves have no sense of ethics. They allow themselves to be used, and don't question orders.

    And fuck everyone on Slashdot who says ethics should never be considered in any problem - only money and code. If you work for companies that makes billions of dollars, making salaries of mid to high six figures, you can afford to think about "first world problems" such as fucking ethics.
    • by splutty ( 43475 ) on Thursday August 11, 2022 @09:18PM (#62782304)

      In my experience a lot of these people are so caught up in the really cool tech they're developing, that they simply don't even realize what the results could be, or simply don't have the mental capacity to think these things through.

      The stereotype 'autistic' programmer with no clue about broader social consequences exists for a reason.

      I mean, Facebook is a prime example of exactly that from its inception.

      Most crypto companies are also good examples of people generating code without any thought to what that might do in a broader context.

      Intelligence vs Wisdom, I suppose.

      • by geekmux ( 1040042 ) on Thursday August 11, 2022 @09:43PM (#62782356)

        In my experience a lot of these people are so caught up in the really cool tech they're developing, that they simply don't even realize what the results could be, or simply don't have the mental capacity to think these things through.

        The stereotype 'autistic' programmer with no clue about broader social consequences exists for a reason.

        I would agree, as the movie Real Genius could have easily been a documentary.

        I mean, Facebook is a prime example of exactly that from its inception.

        Uh, not quite. Mark "Dumb Fucks" Zuckerberg didn't earn that moniker because he had no clue of what he was doing or abusing. He knew exactly how gullible his future customers were from Day Zero.

      • by quall ( 1441799 )

        Yet those same people will continue to use FB and the FB app after reading this. So why should I care?

        When using Firefox Mobile, it opens YouTube videos in the browser and not in the preferred YouTube app like Chrome does. I call that a feature.

    • by Anonymous Coward
      You have completely missed the point, probably because you (like most people) didn't read the linked story.

      The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser.

      Yes, Facebook is evil and should die. But people are helping them be evil by doing dumb shit like browsing websites using a Facebook app, not a normal web browser. This is willful stupidity.

      • by The Evil Atheist ( 2484676 ) on Thursday August 11, 2022 @09:43PM (#62782358)
        Yes, it says this:

        The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an "in-app browser,"

        This isn't people preferring the in-app browser. They have no control over the fact that clicking on the link takes them to the in-app browser.

        This is willful stupidity.

        No it's not. Most people don't understand the difference, and you can't blame them because these apps do it sneakily. They're literally doing phishing.

        You seriously cannot expect ordinary people to understand the difference between clicking a link that goes to a proper web browser, vs an in-app browser.

        Your attitude of "not my problem people can't understand that convoluted tech stack on their phone" is the exact problem. Fuck you and your ilk who make these decisions to make it impossible for them to understand what's happening.

        • Does this / will this include other Facebook supplied apps like WhatsApp?

        • You seriously cannot expect ordinary people to understand the difference between clicking a link that goes to a proper web browser, vs an in-app browser.

          The exploit works because Meta/FB know how tech-aware their average user is, and intentionally create a process that's sufficiently beyond their users' understanding.

          Meta/FB are entirely in control of their code, processes, and how hidden or obfuscated they are.

          If their average user became more tech-aware, stopping the exploit from working, Meta/FB would 'complexify' the process until it was still beyond the understanding of their users.

          • tech-aware their average user is

            They're really not. We all work in tech, so our perception of "average" is heavily skewed.

            Once you start hanging out with real people and try to talk even basic tech with them, such as when they ask for help, they get left behind real fast.

      • by rtkluttz ( 244325 ) on Thursday August 11, 2022 @09:46PM (#62782364) Homepage

        There is a great rule for privacy and security. Never use a custom app to do something that you can do from the web browser. Many times apps exist solely to force you into accepting the security profile that the app wants. This is ALWAYS much more lenient and grabs much more of your data than it does when you do the same task from the browser.

    • by rtkluttz ( 244325 ) on Thursday August 11, 2022 @09:44PM (#62782362) Homepage

      It very much is the engineers, but not just at Meta. It is the engineers of web browsers. 90% of the APIs that enable user tracking should have never been put in web browsers in the first place. Even things that sound simple compromise your security and privacy. Like the API that allows mouse and keystroke tracking in real time. Nothing should be sent until the user types it into a field and takes an action that tells the browser to send it. It should not even be possible to use keystroke cadence to uniquely identify people. It should not be possible to grab the cursor from another application and pull. Think of Google's crappy search bar that both grabs the cursor and starts the search before you have even finished typing. Do you have any idea how many people that thing grabs the cursor while they are typing a password in another app and then immediately does a Google search on what you typed in real time. Fuck that and fuck them. Eliminate these APIs that even enable this shit.

      • You're talking about basic html, javascript, and persistence.

        Persistence is what lets web sites know it's "you" without you having to constantly log in every time you return to your favorite website. Cookies and local storage can also be used for ad-tracking too, but most people like the convenience of autofill.

        Javascript is what allows single page applications to work. You want anything more interactive than the '90s? You have to have it.

        And even basic html. You do know that a "pixel" is just a load of a z

      • 90% of the APIs that enable user tracking should have never been put in web browsers in the first place.

        90% of anything which enables tracking was never designed for tracking and instead designed for other very legitimate use cases. The problem is the people who got wind of it misuse it for tracking.

        It's like saying **** the creator of TCP/IP for including an IP address. It's core to the functionality, ... but is absolutely used for tracking.

    • My own experience is that many applications are so complex that the "engineers" don't have much of an understanding what impact their code will have. I used to have some colleagues who wrote tank missile guidance systems. It was all just a bunch of details, that didn't add up to anything they really understood. Then go home and have a beer, eat supper, and put the kids to bed.
      • by Anonymous Coward

        I used to have some colleagues who wrote tank missile guidance systems. It was all just a bunch of details, that didn't add up to anything they really understood. Then go home and have a beer, eat supper, and put the kids to bed.

        And? Are you implying they were bad people because they worked on military hardware? What about people that spend all day writing software to lie to emissions testing? Or optimize mineral extraction by polluting at a level just under what they know the EPA will detect? You think they have problems sleeping at night?

        Yeah, I know not everyone is a fan of military spending. Many people say "they can be using that money to eliminate social problems at home" which sometimes translates to "they could be doin

  • "We'll even inject the code for people who didn't ask us to track!"
  • by 93 Escort Wagon ( 326346 ) on Thursday August 11, 2022 @09:14PM (#62782300)

    Facebook doing something underhanded and aggressively evil? I am shocked. SHOCKED!

    • I'm pretty sure it wasn't Mark that said, "Do no evil." In fact, I think it's on the acceptance criteria for most deliverables. "Have evil opportunities been considered?"

      One company did say, "Do no evil." I wonder how that turned out?

  • GDPR (Score:5, Interesting)

    by Drishmung ( 458368 ) on Thursday August 11, 2022 @09:19PM (#62782308)
    How long before a conversation like "Hello, Europe calling. We don't think this passes the meaningful consent requirements. And we'd like 4% of your annual revenue" ensues?
    • by Anonymous Coward

      How long before a conversation like "Hello, Europe calling. We don't think this passes the meaningful consent requirements. And we'd like 4% of your annual revenue" ensues?

      Not going to happen. Facebook has a lot of money, and that money can buy a lot of lawyers and politicians. Seriously, when has the GDPR ever forced one of these big companies to make a *SIGNIFICANT* change in the way they do business?

      • Re:GDPR (Score:4, Informative)

        by Drishmung ( 458368 ) on Thursday August 11, 2022 @11:11PM (#62782476)
        Indeed, they have a lot of money. But a lot less than they had last year [yahoo.com], and their money and lawyers haven't stopped them being fined [dataprivacymanager.net] even if they are still appealing the judgements.

        I was obviously being provocative with my question, but GDPR is having an effect, with companies having mandatory all-staff training; with multi-million dollar (tens of $M) software upgrades; with significant changes in how they do business.

        Meta however has a problem. Its core business model is arguably incompatible with GDPR, so it's really difficult to fix. And as pointed out here [daringfireball.net], it may have even more fundamentally existential problems.

        • with companies having mandatory all-staff training

          About that... I used to work for a German company that has been acquired by an American one. And we did have a mandatory all-staff training. The GDPR part of the training amounted to one single sentence: "it's an EU thing".
          I bullshit you not.

      • by swilver ( 617741 )

        This is not America where money wins lawsuits by default. EU surely is not free of corruption, but blatant privacy violations are much more likely to be harshly punished here.

        • Privacy violations by unimportant irrelevancies, like corporations, who want to know if you are more interested in buying diapers for babies or diapers for old people.

          Privacy violations by government, though? Full steam ahead in Europe. You know, the type of spying that hurts actual freedom.

  • Use NoScript or another JavaScript add-in for your browser and block "facebook.com" plus others
    • I have a better idea. Someone (who has the skill) write a plugin that trades the tracking tokens between users so they become utterly worthless and Facebook can't even tell real from fake data, so they have to throw it all on the garbage heap.

      You can't keep them from getting data. There's just too many ways. But you can poison their data.

  • by Canberra1 ( 3475749 ) on Thursday August 11, 2022 @09:43PM (#62782352)
    You control the platform and standards. You control the injection, and the means to inject and track where others cannot. You control the browser. You do it silently without warning. Meanwhile the European Data protection act may take a dim view of this, as it is capturing forms, and personally identifiable information. Let's hope the fines have an 'Apple' like impact. The EU should demand and get, a strict 'Browser' that does not allow silent redirection, silent stealth injections, and a setting that users can set, with confidence, it cannot be undermined in any way whatsoever, punishable by mind-blowing fines.
    • by mccalli ( 323026 )
      They've already got one. It's Safari on iOS. Instead of what you say however, EU is instead demanding a lawsuit to let apps change it to what they want. The result of that move will be exactly the sleazy behaviour being seen from Facebook/Meta here. Moreover such a law is completely ridiculous in that I already have a choice - I can just go buy Android and install what the hell I want instead.
      • In order to avoid being tracked by Facebook you're going to get an Android phone so that you can get tracked by Google? Nice move.

        • by mccalli ( 323026 )
          No - that's exactly my point. The EU's push to force anything to be allowed on any platform removes from me the choice not to do what you (correctly) point out is a bad thing. I already have the choice to go to a platform that allows anything - I choose not to because I want to avoid exactly what you're saying. My point is that the GP was saying "the EU should...". Well the EU is, it's just that it's doing the exact opposite of what the GP was suggesting.
    • How do you propose a law like this looks and how do you scope it? It's not as trivial as you think. When you're doing this consider the following:
      - Electron apps (yeah that's an easy one to define).
      - Steam (specifically the payment processor is embedded in a browser that is connected to the store, my bank's website opens right in steam).
      - Steam Overlay (even if you don't want the Steam client to do something, there are situations where you may want to access the internet but not have the ability to display

      • by swilver ( 617741 )

        The law is already there. The law does not have to "solve" your perceived problems. You want to use an in-app browser? The law doesn't stop you. It only says that personally identifiable information cannot be used without prior consent, that there must be a proper opt-out that is as easy to use as the opt-in. When opting out, standard functionality cannot be impacted (i.e., you can't just make the phone unusable to force people to always opt-in).

  • Every time (Score:4, Informative)

    by aerogems ( 339274 ) on Thursday August 11, 2022 @09:54PM (#62782368)

    Every single time you think Facebook can't get any scummier as a company, they pull shit like this.

  • stalking (Score:5, Insightful)

    by awwshit ( 6214476 ) on Thursday August 11, 2022 @10:01PM (#62782380)

    Why is it okay for Facebook to stalk you while it is not okay for your crazy ex to stalk you? When are we going to outlaw mass stalking by companies?

  • There's an option to use the device browser instead, at least on Android. Of course, it's kind of hard to find, it's not under "Apps and websites", "Browser", or "Off-Facebook activity". Hamburger > Settings > Media > Links open externally

  • It's this kind of crap that makes this world a slightly shittier place. And instead of facing consequences like in the old days, they will be showered with riches.

      We're doomed, and we are becoming a reverse Disney movie where the villains always win and the good guys suffer or die.

  • ... "in-app browser," ...

    The purpose of log-on apps has always been spying, frequently branded as 'preventing identity theft'. Security 102 is compartmentalizing and isolating, (101 is authentication/identification) yet no-one sounded the alarm on the tech-giants' apps demanding access to everything, data silos (call history/contacts/calendar/messages), location, microphone and camera. Google even made a point of hiding the network permissions required by an app.

  • ... creating unauthorized derivative works, and things of that nature...

  • Not just in-app browsers, they are may be the worst but practically any act of using a browser to access a webpage that is outside the default setting of the users is a cancer.

    Be it clicking a link on Facebook and getting the Facebook browser.
    Clicking a link in the Google bar and it opening in embedded Chrome (though you can disable this "feature")
    Clicking anything on the fucking Windows 11 task bar and it opening in Edge.

    We chose browsers for a reason, but companies don't like the fact those reasons includ

  • by bsdetector101 ( 6345122 ) on Friday August 12, 2022 @07:03AM (#62783002)
    First joined FB then realized when I tried to comment in an article, it automatically logged in with my FB account even if I wanted to use another login. Using developer mode, you can view HTML code for any website and I saw almost all sites had FB code in them. Basically, FB knew every site you visited, probably still does. So at that point I had quit FB because of that. I only rejoined to gain control of my username back, saw that someone kept trying to take it over. Never will trust FB/Meta.
    • It actually doesn't matter if you log in, or even if you don't have a Facebook account. Pretty much every website in the world has a "Like us on Facebook" button, and the code behind that sends your data to Facebook. If you aren't logged in or don't have an account, what gets sent to Facebook is a GUID and your IP address. At that point they might not know who you are. But if you EVER log in to any website that has this integration with Facebook, Facebook has you. They can now tie your anonymous ID and IP

  • When is the government going to treat these websites as media rather than technology?
  • Facebook is running a "man in the middle" attack on all of its users and has the nerve to claim that it is doing it to protect them.

  • I wonder if that "added code" follows the user when they choose to open in an external browser? I was just thinking today why FB/IG did away with the option to "always open in external browser" years ago. I guess I have my answer to that.
