"The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," Krause said in a blog post.
His research focused on the iOS versions of Facebook and Instagram. That's key because Apple allows users to opt in or out of app tracking when they first open an app, via its App Tracking Transparency (ATT) feature, introduced in iOS 14.5. Meta has previously said that the feature was "a headwind on our business 2022... on the order of $10 billion."
Meta said that the injected tracking code obeyed users' preferences on ATT. "The code allows us to aggregate user data before using it for targeted advertising or measurement purposes," a spokesperson told The Guardian. "We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."
According to Krause's research, WhatsApp doesn't modify third-party websites in a similar way. As such, he suggests that Meta should do the same with Facebook and Instagram, or just use Safari or another browser to open links. "It's what's best for the user, and the right thing to do."