App Tracking Transparency is a framework introduced by Apple with iOS 14.5 that requires developers to request permission to collect tracking data from their users. Meta has repeatedly criticized the framework and told Facebook and Instagram users that it relies on tracking data – or at least the ad revenue it supports – to keep Google free. its services. However, its apps still have to honor user requests to not be tracked, and the company claims that’s why its browsers inject the “pcm.js” script.
Krause states that “injecting custom scripts into third-party websites allows them to monitor all user interactions, such as every button and link typed, text selections, screenshots, as well as all form entries. , such as passwords, addresses and credit card numbers”. He notes that Meta doesn’t appear to be doing anything that malicious, but the company has always been critical of the report, with Meta’s political communications director Andy Stone saying on Twitter:
Meta responded to a request for comment with the following statement: “These claims are untrue and misrepresent the operation of Meta’s in-app browser and pixel. We intentionally developed this code to honor tracking transparency choices. apps on our platforms.” This statement was provided after Krause updated its report to say that in-app browsers do not inject the Meta Pixel, however, and the original request for comment specifically mentioned the “pcm.js” script.
Recommended by our editors
The company did not immediately respond to a request for additional information regarding the type of data collected through the “pcm.js” script, how the script prevents Meta Pixel event data from being used for tracking, or whether the Facebook and Instagram in-app browsers also inject other scripts.
For now, it appears that Meta has created a system that compels it to knowingly engage in questionable behavior – injecting custom scripts into every third-party website visited by Facebook and Instagram’s billions of users via their in-app browsers – just to honor their requests not to be tracked.
Do you like what you read ?
Register for Security Watch newsletter for our top privacy and security stories delivered straight to your inbox.