Skip to main content

App Tracking Transparency workaround sees Meta face class action lawsuit

Meta is facing a class action lawsuit after both Facebook and Instagram were found to be using an App Tracking Transparency workaround to track users on the web, even after they were denied permission to do so.

The company is accused not just of breaking Apple’s privacy rules, but also violating both state and federal laws …

Background

App Tracking works by Apple assigning a unique identifier to your device. It doesn’t reveal any details about you, but does allow them to see (for example) that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 has visited gadget websites, and therefore would be a good target for gadget ads.

It also allows them to see that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 was shown an ad for a particular product on a particular website, then subsequently went to a particular retailer site to buy it – therefore that ad was (likely) successful.

With App Tracking Transparency, app developers must ask you if you want to allow that tracking. If you say no (as most people do), then the apps are not allowed to use that system.

Meta’s App Tracking Transparency workaround

Facebook and Instagram each have their own embedded web browsers, which are used whenever a user taps a link in either app. This means that Meta can track activity in those browsers.

The theoretical risk of this was already well understood, but security researcher Felix Krause last month found concrete evidence that Meta was actually doing this.

He found that both apps injected their tracking code into every website shown, including when clicking on ads. In the most extreme case, this would enable Meta to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.

Krause doesn’t suggest Meta is going that far, of course. His research didn’t allow him to see what data the company was extracting, but he was able to confirm that they do extract something.

I don’t have a list of precise data Instagram sends back home. I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS SDK without the user’s consent, as well as tracking the user’s text selections. If Instagram is doing this already, they could also inject any other JS code.

Class action lawsuit

Bloomberg reports that two users have now sued Meta in a proposed class action lawsuit.

Meta Platforms Inc. was sued for allegedly building a secret work-around to safeguards that Apple Inc. launched last year to protect iPhone users from having their internet activity tracked.

In a proposed class-action complaint filed Wednesday in San Francisco federal court, two Facebook users accused the company of skirting Apple’s 2021 privacy rules and violating state and federal laws limiting the unauthorized collection of personal data. A similar complaint was filed in the same court last week […]

Responding to the report, Meta acknowledged that the Facebook app monitors browser activity, but denied it was illegally collecting user data.

A Meta spokesperson told us: “These allegations are without merit and we will defend ourselves vigorously. We have designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.”

A class action suit is when others affected are invited to join the action against the defendant. Generally this means no more than filling in an online form if the case is successful, and compensation awarded (which is generally just a few dollars per person). A judge has to approve the conversion of the lawsuit to a class action.

Photo: Glen Carrie/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications