If you have Facebook’s mobile app on your phone, then a stark new warning issued this week is aimed at you. But there’s a much more worrying issue this has also exposed, one that should make Facebook’s two-billion users seriously consider whether they should be using the app at all.
The latest update to Facebook’s app has been described on X as “a huge deal that demands press attention” and “the creepiest thing you’ll read all day.” And so you might think this is enough to have you switch off. But this “creepy” change can be easily switched off—and you should do exactly that. The technology lurking behind it is much harder to disable, though, and much creepier.
Let’s start with that update. Facebook’s new “Link History” saves a list of the websites you visit through its in-app browser, so that you can return to any site at any time. When your app updates, you will see the option to disable Link History, forfeiting the convenience of “your Facebook browsing activity all stored in one place,” but also avoiding Facebook’s inevitable sidebar that “we may use link history information from Facebook’s Mobile Browser to improve your ads across Meta.”
This “standard feature for most browsing experiences,” a Facebook spokesperson told The Drum, “makes it easier for people to revisit links they’ve clicked on in the past and can improve the quality of the ads they see.” And Facebook also points to the apparent transparency and user control.
There’s certainly a balance here. Facebook—alongside Google—remains the world’s most valuable data harvesting machine. But while Google has just made headlines finally delivering on its promise to kill the hidden tracking cookies in Chrome, Facebook appears to be doing the opposite, with this seemingly new form of tracking that is sold as a user convenience, but which is used to target ads.
The update is certainly a sensible sop to regulators that privacy controls are being deployed, but on the other hand it provides an opportunity for Facebook to solicit user permission for a tracking technology. And millions of users will opt in. The adversarial Facebook headlines in recent years as Apple has chipped away at its business model with Ad Tracking Transparency have now faded. And the tracking industry is clearly well set on new ways to restore some of what was lost.
While Link History can be dismissed as just the latest form of tracking dressed as convenience which can be disabled, there’s a much more serious issue hidden behind it. In-app browsers are a poorly understood threat to user privacy and security.
The browser built into Facebook’s mobile app is described as “one of the most-popular and under-reported segments of browsers on the web.” The problem is that when you use the in-app browser built into Facebook’s app—or Instagram’s or TikTok’s or any others, you bypass all the browser privacy and security advances made in recent years, including Google’s latest cooking killing.
As one former Google engineer warned last year, Facebook “renders all third party links and ads within their app using a custom in-app browser… with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every tap.”
If you are using Facebook on Apple’s Safari, for example, and click an external link, your privacy is being safeguarded by Apple’s settings. There are limits on what Facebook—or other websites—can do as regards harvesting your data and tracking your activity. But if the browser is Facebook’s, then they technically have free rein, albeit Meta assures that it respects the app privacy settings on your phone.
The issue for Facebook isn’t that Link History is now making waves, as outlets push out warnings to change settings. The issue is that this shines a light on the risks with apps from organizations that track users as part of their business models. Facebook is a tracking business. You’re its product, not its customer. Its customers are the companies buying access to you in the form of ads targeted to deliver the best return on investment possible. Link History has been described as the latest “privacy nightmare” for Facebook, but it’s just the tip of an iceberg that has now floated into view.
While there is a constant stream of commentary on the privacy differentiators between Chrome, Safari, Firefox, Edge, et al, you undo all those protections when you use an in-app browser. Cross-site tracking doesn’t apply within an ecosystem. And secure communications firm Proton even warns that users “don’t use in-app web browsers if you care about keeping your passwords private.”
I asked Facebook what restrictions is applies to data harvesting when a user disables Link History as regards background in-app browser tracking. I await an answer. You should certainly disable Link History when your app updates—if it hasn’t already. If it has, you can access the “browser settings” within the settings menu in the app itself. You should restrict Facebook’s app permissions, permission to track and Off Facebook Activity as well.
Taking Facebook’s example, below is the privacy report (courtesy of Apple’s App Store) on the data harvested either to track you across other apps and sites, or which is linked to you and can be used to build a profile to target you with ads and hone your value as a product to be sold to advertisers.
It’s no surprise that “there’s an app for that” for almost everything you do on your mobile device. And while you can seemingly control your interactions with the app itself, this data tracking expands massively when you use that app to surf the broader, wider web.
When you look at the data harvesting above, you might want to ask if the convenience of an in-app browser is worth the risk. You should certainly think about the sites you visit and the information you provide as you do so, if you don’t want to go as far as avoiding or deleting the apps.