Meta is facing a second lawsuit for violating user privacy on iOS

Users of Facebook’s iOS app have sued Meta for allegedly collecting their data even after they opted out of it with a privacy feature introduced by Apple in April 2021. Two Facebook users on iOS filed a class-action lawsuit Wednesday in San Francisco federal court, the second such class action against Meta in one week.

According to the allegations in the class action lawsuit, Meta circumvented App Tracking Transparency (ATT) privacy-preserving capabilities, such as disabling cross-host tracking on iOS, by configuring alternative tracking methods on third-party websites through the in-app browser of its apps.

When ATT was released with iOS 14.5, the opt-out rate for tracking in the US was 98%, i.e. only 2% of US users allowed apps to track them. As of May 2022, the share of US users who have enabled app tracking (the opt-in rate) on iPhone is up to 18%. Similarly, the global opt-in rate for tracking on iOS increased from 11% in April 2021 to 25% in May 2022.

The litigants argued that Meta violated the Wiretapping Act and the Invasion of Privacy Act by continuing to track users and intercept data not otherwise available to it.

“Meta tracked and intercepted her specific electronic activities and private communications with external third-party websites without her [one of the litigants] knowledge or consent,” the lawsuit says.

“Ms. Davis reasonably believed that her communications with third-party websites were confidential, solely between her and those websites, and that such communications—including text entries, passwords, personal information, and other sensitive, confidential, and private information — will not be intercepted or tracked by Meta.”

The lawsuit relied on the findings of Felix Krause, a data privacy researcher and former Google engineer. He discovered that Meta still tracks Facebook and Instagram users, bypassing the privacy settings implemented in the rest of the apps via ATT.

Krause’s August report, entitled “iOS privacy: Instagram and Facebook can track everything you do on any website in your browser in the app,” details how users are redirected to a website through an in-app browser developed by Meta itself, instead of Apple’s Safari or any other third-party browser, when they click a link in the Facebook or Instagram apps.

Flowchart of tracking users on Facebook and Instagram via browsers in the app | Source: Felix Krause

In-app browsers are different from third-party browsers. Meta can and does develop in-app browsers to inject JavaScript code into websites. “Building your own in-app browser requires a non-trivial amount of programming and maintenance time, much more than just using the privacy and convenience alternative that’s already been built into the iPhone for the past seven years,” Krause noted.

A browser in the Facebook app that injects JavaScript code into a third-party website on iOS (left) and Android (right) | Source: Felix Krause

Although not mentioned in the lawsuit, in-app browsers also affect the usability of the app. When a website opens in an app’s browser, it limits users’ ability to return and use the app unless the app’s browser is closed. A simple prompt asking “always open in browser” used to do this trick, but has been removed.

The plaintiffs also alleged that while Meta monitored and tracked users without their consent, it also failed to disclose those activities in the off-Facebook activities section of the Facebook app.

“Meta does not disclose the consequences of browsing, navigating, and connecting to third-party websites from Facebook’s internal browser, namely that it overrides the default browser privacy settings that users rely on to block and prevent tracking,” the lawsuit says.

“Similarly, Meta hides the fact that it injects JavaScript that modifies external third-party websites so that it can intercept, track, and record data that it could not otherwise access.”

The latest lawsuit was filed by Gabriela Willis of California and Kerisha Davis of Louisiana, while Wayne Mitchell of California filed the previous one. Both class action cases apply to anyone in the US with an active Facebook account who visited an external third-party website through the Facebook in-app browser.

Meta, like Google, relies on online advertising for the lion’s share of its revenue. In the 1st quarter of 2021, before the introduction of ATT, and more recently in Q2 2022, 87.2% of Meta’s total revenue came from advertising.

But unlike Google, the company doesn’t have a popular mobile OS or search engine to fall back on for business. As a result, the social media giant’s total revenue fell in the second quarter of 2022, while its profit fell for the third quarter in a row. The company is currently trying to cut costs and has started layoffs.

If Willis and Davis or Mitchell win, eligible individuals will receive $10,000 or $100 per day for each day of violation under the Wiretapping Act and statutory damages of $5,000 for each violation under the California Invasion of Privacy Act (CIPA).

Meta was fined 30.8 billion won (~$22.11 million) in September 2022, €17 million (~$18.6 million) in March 2022, and €60 million (~$67.87 million) in January 2022 by South Korean, French, and Irish regulators, respectively, for data privacy violations.
