Multiple articles last week carried the news that researcher Felix Krause had discovered TikTok included keystroke trackers.
Not so fast.
Krause explains that when you open a link on TikTok, it opens in their in-app browser.
That browser tracks multiple items, which could include each keystroke.
Also important to note, TikTok is not the only app using the code that could allow tracking. Meta’s Instagram injects script onto third-party websites as well.
Krause was able to find the following commands Instagram executes:
- Instagram iOS subscribes to every tap on any button, link, image, or other component on external websites rendered inside the Instagram app.
- Instagram iOS subscribes every time the user selects a UI element (like a text field) on third-party websites rendered inside the Instagram app.
Krause includes a link to everything he found on Instagram in his blog post.
Meta responded via a tweet saying, “The code in question allows us to respect people’s privacy choices by helping aggregate events (such as making a purchase online) from pixels already on websites before those events are used for advertising or measurement purposes.”
“I wanted to showcase that bad actors could get access to this data with this approach,” Krause said in his blog post.
“As shown in the past, if it’s possible for a company to get access to data legally and for free, without asking the user for permission, they will track it.”