Meta is facing a class action lawsuit after both Facebook and Instagram were found to be using an App Tracking Transparency workaround to track users on the web, even after they were denied permission to do so.
The company is accused not just of breaking Apple’s privacy rules, but also of violating both state and federal laws …
Background
App Tracking works by Apple assigning a unique identifier to your device. It doesn’t reveal any details about you, but does allow advertisers to see (for example) that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 has visited gadget websites, and therefore would be a good target for gadget ads.
It also allows them to see that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 was shown an ad for a particular product on a particular website, then subsequently went to a particular retailer site to buy it – therefore that ad was (likely) successful.
With App Tracking Transparency, app developers must ask you if you want to allow that tracking. If you say no (as most people do), then the apps are not allowed to use that system.
Meta’s App Tracking Transparency workaround
Facebook and Instagram each have their own embedded web browsers, which are used whenever a user taps a link in either app. This means that Meta can track activity in those browsers.
The theoretical risk of this was already well understood, but security researcher Felix Krause last month found concrete evidence that Meta was actually doing this.
He found that both apps injected their tracking code into every website shown, including when clicking on ads. In the most extreme case, this would enable Meta to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.
Krause doesn’t suggest Meta is going that far, of course. His research didn’t allow him to see what data the company was extracting, but he was able to confirm that they do extract something.
I don’t have a list of precise data Instagram sends back home. I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS SDK without the user’s consent, as well as tracking the user’s text selections. If Instagram is doing this already, they could also inject any other JS code.
Class action lawsuit
Bloomberg reports that two users have now sued Meta in a proposed class action lawsuit.
Meta Platforms Inc. was sued for allegedly building a secret work-around to safeguards that Apple Inc. launched last year to protect iPhone users from having their internet activity tracked.
In a proposed class-action complaint filed Wednesday in San Francisco federal court, two Facebook users accused the company of skirting Apple’s 2021 privacy rules and violating state and federal laws limiting the unauthorized collection of personal data. A similar complaint was filed in the same court last week […]
Responding to the report, Meta acknowledged that the Facebook app monitors browser activity, but denied it was illegally collecting user data.
A Meta spokesperson told us: “These allegations are without merit and we will defend ourselves vigorously. We have designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.”
A class action suit is when others affected are invited to join the action against the defendant. Generally this means no more than filling in an online form if the case is successful and compensation is awarded (which is generally just a few dollars per person). A judge has to approve the conversion of the lawsuit to a class action.
Photo: Glen Carrie/Unsplash