Next time you click on someone’s “link in bio,” you might be unsuspectingly granting more access to your data than previously understood.
Instagram, Facebook, and TikTok have the ability to track interactions like searches, clicks, screenshots, and “form inputs” (like passwords and credit card numbers) within what’s called an in-app browser, according to tech researcher Felix Krause.
In research published last week on his blog, Krause was able to show that Meta appears to have access to all sorts of data when users open Instagram’s in-app browser—without allowing users a way to opt-out. That’s notable because Apple’s currently engaged in a full-court press against tracking that’s made it harder for marketers to measure conversions on apps like Instagram and Facebook. (Krause works part-time for Google as a consultant.)
He followed up that research this week, finding that TikTok’s in-app browser appears to have the ability to monitor “all keyboard inputs” including “every tap on any button, link, image, or other component rendered” on the in-app browser. TikTok confirmed to Forbes that “those features exist in the code,” but said that it is not using them.
US legislators on both sides of the aisle have expressed concern about TikTok, specifically over whether its Chinese parent company, ByteDance, is sharing American user data with Beijing. Some have suggested that any data collected could pose a national-security risk, with FCC commissioner Brendan Carr recommending it be booted from app stores, and staff working in the House of Representatives encouraged not to use or download the app.
Basically, companies like Meta and TikTok can inject JavaScript into every website that loads within their in-app browsers. Once it loads, they can then collect some information about what the user does on that webpage.