Next time you click on someone’s “link in bio,” you might be unsuspectingly granting more access to your data than previously understood.
Instagram, Facebook, and TikTok have the ability to track interactions like searches, clicks, screenshots, and “form inputs” (like passwords and credit card numbers) within what’s called an in-app browser, according to tech researcher Felix Krause.
Next time you click on someone’s “link in bio,” you might be unsuspectingly granting more access to your data than previously understood.
Instagram, Facebook, and TikTok have the ability to track interactions like searches, clicks, screenshots, and “form inputs” (like passwords and credit card numbers) within what’s called an in-app browser, according to tech researcher Felix Krause.
In research published last week on his blog, Krause was able to show that Meta appears to have access to all sorts of data when users open Instagram’s in-app browser—without allowing users a way to opt out. That’s notable because Apple’s currently engaged in a full-court press against tracking that’s made it harder for marketers to measure conversions on apps like Instagram and Facebook. (Krause works part-time for Google as a consultant.)
He followed up that research this week, finding that TikTok’s in-app browser appears to have the ability to monitor “all keyboard inputs” including “every tap on any button, link, image, or other component rendered” on the in-app browser. TikTok confirmed to Forbes that “those features exist in the code,” but said that it is not using them.
US legislators on both sides of the aisle have expressed concern about TikTok, specifically over whether its Chinese parent company, ByteDance, is sharing American user data with Beijing. Some have suggested that any data collected could pose a national-security risk, with FCC commissioner Brendan Carr recommending it be booted from app stores, and staff working in the House of Representatives encouraged not to use or download the app.
Basically, companies like Meta and TikTok can inject JavaScript into every website that loads within their in-app browsers. Once it loads, they can then collect some information about what the user does on that webpage.
- According to Krause’s research, Meta could be able to receive when a user selects text and takes a screenshot.
It also injects what’s called a “pcm script.” Meta told Krause the pcm script is used to help aggregate data like online purchases before it is used for targeted advertising and measurement and “helps Meta respect the user’s ATT opt out choice” in cases where the website has the Meta Pixel installed. Meta Spokesperson Andy Stone tweeted the same thing.
Later, Meta Spokesperson Alisha Swinteck said over email to Marketing Brew that “like many other tech companies, we’ve built security, integrity, and other features on our in-app browser that would not be as effective using the system browser.”
In-app browsers are “something those companies have built consciously, it’s not a nontrivial effort they put in to build that,” Krause told Marketing Brew. “If this is about respecting the user’s choice around ATT,” they could open the more privacy-conscious Safari browser, he explained. “There must be more to this story, but I don’t know what. We didn’t get a clear answer from Facebook.”
Even so, he said, “if there is a way to get additional data, companies are going to use it.”
Bad actors could take advantage of the access—they could insert their own ads or change content, like rewriting headlines in a news article, Krause noted.
While its ads position it as a company that’s pro-privacy and anti-tracking, creating an in-app browser isn’t currently against Apple’s own app-development guidelines. It only recommends that companies rely on Safari as an in-app browser. “Attempting to replicate the functionality of Safari in your app is unnecessary and discouraged,” its guidelines state.
