Instagram and Facebook apps track what people do when browsing third-party websites without their consent, privacy researcher Felix Krause has warned.
Krause, a former Google engineer, wrote in a blog post on Wednesday that the iOS app injects code into every website shown and uses “a custom in-app browser” instead of the built-in Safari to monitor users’ activity.
The app does so “without the consent from the user, nor the website provider,” Krause wrote.
The researcher said that he could not determine the exact data Instagram is tracking but stressed that such in-app browsers allow everything a user does on a website to be tracked, including “every tap” and “scrolling behavior.”
He added that such browsers could be exploited to steal sensitive data, such as home addresses.
In a statement to The Guardian on Thursday, Instagram’s parent company Meta said that injecting the tracking code was in accordance with users’ preferences on whether or not they allowed apps to follow them.
“We intentionally developed this code to honor people’s [Ask to track] choices on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes.”
The spokesperson added: “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”
In response to Meta’s statement, Krause argued that the practice still “exposes a big risk for the user,” and that “there is no way to opt-out of the custom in-app browser.”
Commenting on its privacy white paper released last month, Meta said its goal was to “balance privacy and integrity when using people’s data to reduce bad experiences with our technologies.”