App Tracking Transparency is a framework introduced by Apple with iOS 14.5 that requires developers to request permission from their users to collect tracking data. Meta has repeatedly criticized the framework and told Facebook and Instagram users that it relies on tracking data (or, at the very least, the advertising revenue it generates) to keep its services free. Its apps must still honor user requests not to be tracked, which, according to the company, is why its in-app browsers inject the “pcm.js” script.
According to Krause, “injecting custom scripts into third-party websites allows them to monitor all user interactions, such as every button and link tapped, text selections, screenshots, and any form inputs, such as passwords, addresses, and credit card numbers.” He points out that Meta does not appear to be doing anything malicious, but the company has still criticized the report, with Meta policy communications director Andy Stone tweeting:
In response to a comment request, Meta made the following statement: “These assertions are false and misrepresent the functionality of Meta’s in-app browser and Pixel. We created this code with the intention of respecting people’s App Tracking Transparency preferences on our platforms.” However, Krause updated his report to say that the in-app browsers aren’t injecting the Meta Pixel, and the initial request for comment specifically mentioned the “pcm.js” script.
The company did not immediately respond to a request for more information about what kind of data is collected by the “pcm.js” script, how the script prevents Meta Pixel event data from being used for tracking purposes, and whether the Facebook and Instagram in-app browsers also inject other scripts.
For the time being, Meta has designed a system that requires it to knowingly engage in questionable behavior—injecting custom scripts into every third-party website visited by Facebook and Instagram’s billions of users through their in-app browsers—in order to honor their requests not to be tracked.