An ex-Google engineer conducted research that revealed Meta has been rewriting websites visited by its users to follow them across the web after they click links in its apps.

The fact that users clicking on links are taken to webpages in a Facebook or Instagram-controlled “in-app browser” is being taken advantage of for the benefit of Meta.

Felix Krause, a privacy researcher who founded in 2017 an app development tool acquired by Google, said that “the Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers." 

Read: Meta planning on shutting down popular post tracking tool

Consequently, a Meta spokesperson responded in a statement that they "intentionally developed this code to honor people’s [Ask to track] choices" on their platforms.

“The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”

They added, “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

Krause built a tool that could list all the extra commands added by the browser to a website. For normal browsers and most apps, the tool does not detect any changes, but for Facebook and Instagram, Krause discovered that it finds up to 18 lines of code added by the app.

Read more: Google Chrome extensions can be used to track users online: Report

Those lines of code seem to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that lets the company follow a user around the web and build an accurate profile of their interests.

Meta does not disclose to the user that, in this manner, it is rewriting web pages, and Krause's research showed that no such code is added to the in-app browser of WhatsApp.

The time Facebook began injecting code to track users after clicking links is not clear yet. In recent years, the company has had a noisy public standoff with Apple, after the latter launched a requirement for app developers to demand permission to track users across apps. Later, many Facebook advertisers found they were unable to target users on the social network, which resulted in a loss of $10bn in revenue and a 26 percent fall in the company’s share price this year, according to Meta.