Apple’s major privacy update to iOS last year made it much harder for apps to track user behavior beyond their own borders, but a new lawsuit alleges that Facebook and Instagram parent company Meta continued to poke around via a workaround.
The complaint, filed in the U.S. District Court for the Northern District of California, alleges that Meta circumvented Apple’s new restrictions by tracking users through Facebook’s in-app browser, which opens links within the app. The proposed class-action lawsuit, first reported by Bloomberg, could allow anyone affected to join, which in the case of Facebook could mean hundreds of millions of US users.
In the lawsuit, a few Facebook users allege that Meta not only violates Apple policies, but also violates state and federal privacy laws, including the Wiretap Act, which makes it illegal to intercept electronic communications without permission. Another similar complaint (Mitchell v. Meta Platforms Inc.) was filed last week.
The plaintiffs allege that Meta tracks users’ online activities by directing them to Facebook’s built-in web browser and injecting JavaScript into the sites they visit. That code makes it possible for the company to monitor “every interaction with third-party websites,” including where they tap and what passwords and other text they enter:
Now, even if users do not agree to be tracked, Meta tracks Facebook users’ online activities and communications with external third-party websites by injecting JavaScript code into those sites. When users click on a link in the Facebook app, Meta automatically directs them to the in-app browser that monitors it instead of the smartphone’s default browser, without telling users that this is happening or that they are being tracked.
Apple introduced iOS 14.5 in April of last year, a huge blow to social media companies like Meta that relied on tracking user behavior for advertising purposes. The company specifically mentioned the iOS changes in its earnings calls as it prepared investors for the new normal in its ad targeting business, describing Apple’s privacy changes as a “headwind” it would have to overcome.
In an emailed statement to TechCrunch, a Meta spokesperson said the allegations were “baseless” and that the company would “firmly defend itself.” “We have carefully designed our in-app browser to respect users’ privacy choices, including how data may be used for advertising,” the spokesperson said.
In the new iOS privacy prompt, Apple asks if a user agrees to have their activity tracked “through other companies’ apps and websites.” Users who opt out may reasonably believe they are using an external web browser when opening links within Facebook or Instagram, although the company would likely argue the opposite.
Security researcher Felix Krause raised concerns about Facebook and Instagram’s in-app browsers last month, and the lawsuit relies heavily on his report. He urged Meta to send users to Safari or another third-party browser to close the loophole.
“Do what Meta is already doing with WhatsApp: stop modifying third-party websites and use Safari or SFSafariViewController for all third-party websites,” Krause wrote in a blog post. “It’s best for the user and the right thing to do.”