Apple’s major privacy update to iOS last year made it much more difficult for apps to track user behavior beyond their own borders, but a new lawsuit alleges that Facebook and Instagram parent company Meta kept snooping through a workaround.
The complaint, filed in the U.S. District Court for the Northern District of California and embedded below, alleges that Meta evaded Apple’s new restrictions by monitoring users through Facebook’s in-app browser, which opens links within the app. The proposed class-action lawsuit, first reported by Bloomberg, could allow anyone affected to sign on, which in Facebook’s case might mean hundreds of millions of U.S. users.
In the lawsuit, a pair of Facebook users allege that Meta is not only violating Apple’s policies, but breaking privacy laws at the state and federal level, including the Wiretap Act, which made it illegal to intercept electronic communications without consent. Another similar complaint (Mitchell v. Meta Platforms Inc.) was filed last week.
The plaintiffs allege that Meta follows users’ online activity by funneling them into the web browser built into Facebook and injecting JavaScript into the sites they visit. That code makes it possible for the company to monitor “every single interaction with external websites,” including where they tap, and what passwords and other text they enter:
Now, even when users do not consent to being tracked, Meta tracks Facebook users’ online activity and communications with external third-party websites by injecting JavaScript code into those sites. When users click on a link within the Facebook app, Meta automatically directs them to the in-app browser it is monitoring instead of the smartphone’s default browser, without telling users that this is happening or they are being tracked.
Apple introduced iOS 14.5 in April of last year, striking a massive blow to social media companies like Meta that relied on tracking users’ behavior for advertising purposes. The company cited the iOS changes specifically in its earning calls as it prepped investors to adjust to the new normal for its ad targeting business, describing Apple’s privacy changes as a “headwind” that it would need to overcome.
In the new iOS privacy prompt, Apple asks if a user consents to have their activity tracked “across other companies’ apps and websites.” Users who opt out might reasonably believe that they are on an external web browser when opening links within Facebook or Instagram, though the company would likely argue the opposite.
Security researcher Felix Krause surfaced concerns around Facebook and Instagram’s in-app browsers last month and the lawsuit draws heavily from his report. He urged Meta to send users to Safari or another external browser to close up the loophole.
“Do what Meta is already doing with WhatsApp: Stop modifying third party websites, and use Safari or SFSafariViewController for all third party websites,” Krause wrote in a blog post. “It’s what’s best for the user, and the right thing to do.”
Facebook users sue Meta, accusing the company of tracking on iOS through a loophole by Taylor Hatmaker originally published on TechCrunch