Both apps are able to track users’ key taps, inputs, and more while using the in-app browser, which is separate to Google Chrome or Safari on iPhones or Android devices.
This allows the company to monitor everything that happens on external websites without needing user consent or the consent of the website.
“This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap,” wrote Felix Krause, a former Google engineer who discovered the code.
A spokesperson said: “We intentionally developed this code to honour people’s [Ask to track] choices on our platforms,. The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”
In a class-action complaint, however, two Facebook users accused the company of bypassing Apple’s 2021 privacy rules which require advertisers to ask for explicit permission when they want to track a users’ behaviour across certain apps.
"This allows Meta to intercept, monitor, and record its users’ interactions and communications with third parties, providing data to Meta that it aggregates, analyzes, and uses to boost its advertising revenue," the lawsuit states.
The change had a huge effect on Meta’s revenue, costing it approximately $10 billion in its first year. Meta also suggested that Apple was misleading customers and that the new policy was really intended to increase Apple’s profits rather than help with privacy.
Meta did not respond to The Independent’s request for comment but told MacRumours: “These allegations are without merit and we will defend ourselves vigorously. We have designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.”
Apple did not respond to The Independent’s request for comment before time of publication.