Meta is sued for circumventing Apple’s privacy rules to spy on users. Complaint alleges Facebook and Instagram apps’ built-in browser


Meta was sued on Wednesday for allegedly building a secret workaround that let the company circumvent privacy safeguards Apple introduced early last year to protect iPhone users from having their Internet activity monitored. In a proposed class action filed Wednesday in federal court in San Francisco, two Facebook users accuse the company of circumventing Apple’s privacy rules and violating state and federal laws that limit the unauthorized collection of personal data.

At WWDC 2020, Apple announced that with the release of iOS 14 the IDFA (IDentifier For Advertisers) would become opt-in: a user must give explicit consent before an advertiser and the destination app may use it to track them across the Internet. IDFA is the identifier Apple provides so that mobile advertising networks can track users and serve them targeted ads. The same applies to advertising apps, their advertising partners and their attribution partners.

The iOS 14 privacy settings reduce how precisely businesses can target ads. Meta (then Facebook Inc.) understood this and said at the time that the update Apple was preparing would seriously harm part of its business, in particular online advertising, which relies on user tracking. By the social media company’s own estimate, the new privacy rules from the Cupertino company could cost Meta up to $10 billion this year alone.

Meta’s protests did not stop iOS 14 from shipping, but the company appears to have found a way around the limits Apple put in place. That, at least, is what a complaint filed Wednesday in San Francisco by two Facebook users alleges. According to sources familiar with the matter, a similar complaint was filed in the same court last week. The plaintiffs accuse the tech giant “of circumventing the privacy rules put in place by Apple in 2021 and of violating state and federal laws limiting the unauthorized collection of personal data.”

The allegations are based on a report published last August by security researcher Felix Krause. Krause, a former Google employee, argued that Meta uses the “embedded browser” (a feature that lets Facebook and Instagram users visit a third-party website without leaving the platform) to “inject” JavaScript code capable of monitoring every user interaction. In most other contexts this practice would be regarded as a type of malicious attack. It allows Meta to track users across the web after they click links on Facebook and Instagram.

To reach this conclusion, Krause built a tool that detects whether JavaScript has been injected into the page that opens in the browser built into the Instagram, Facebook and Messenger apps when a user taps a link to an external site. When he opened the Telegram app and tapped a link to a third-party page, no injection was detected. Repeating the experiment with Instagram, Messenger and Facebook, the tool found that several lines of JavaScript had been injected once the page opened in those apps’ built-in browser.

He observed this behavior on both iOS and Android. No such code is added by WhatsApp’s built-in browser, however. According to Krause, the external JavaScript file the Instagram app injects is connect.facebook.net/en_US/pcm.js, which creates a bridge for communicating with the host application. Krause concluded that injecting scripts into third-party websites could, even though there is no evidence that Meta actually does so, allow the company to monitor every user interaction, such as every button tap and every link click.
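The kind of check Krause’s tool performs can be illustrated from the website’s side: a site knows which scripts it shipped, so anything else present in the DOM, or added after load, is a candidate for injection by the host app. The following is an added example written for this article; it is not Krause’s tool and not Meta’s code. The first-party hosts, the known inline script and the sample script list are constructed for the example; only the pcm.js URL comes from the report above.

```javascript
// Added example (not Krause's tool or any Meta code): flag scripts in a page
// that the site itself did not ship. From the page's point of view, JavaScript
// injected by an in-app browser shows up as a script element the site never served.

// Hosts the site legitimately loads scripts from. Assumption for this example:
// a site served from example.com with its own CDN.
const FIRST_PARTY_HOSTS = new Set(["example.com", "cdn.example.com"]);

// Inline scripts the site knows it shipped. A real deployment would compare
// SHA-256 hashes (as CSP 'script-src' does); exact text is enough here.
const KNOWN_INLINE_SCRIPTS = new Set(["window.__app = {};"]);

// Resolve a script src against the page's origin and decide whether it belongs
// to the site. Relative URLs resolve to the page's own host.
function isFirstPartySrc(src, pageOrigin, firstPartyHosts) {
  try {
    return firstPartyHosts.has(new URL(src, pageOrigin).hostname);
  } catch (e) {
    return false; // unparsable src: treat as foreign
  }
}

// scripts: [{src, text}] descriptors mirroring <script> elements.
// Returns descriptors of scripts that are neither first-party nor known inline.
function classifyScripts(scripts, opts = {}) {
  const {
    pageOrigin = "https://example.com/",
    firstPartyHosts = FIRST_PARTY_HOSTS,
    knownInline = KNOWN_INLINE_SCRIPTS,
  } = opts;
  const injected = [];
  for (const s of scripts) {
    if (s.src) {
      if (!isFirstPartySrc(s.src, pageOrigin, firstPartyHosts)) {
        injected.push({ kind: "external", src: s.src });
      }
    } else if (s.text && s.text.trim() && !knownInline.has(s.text.trim())) {
      injected.push({ kind: "inline", text: s.text.trim().slice(0, 80) });
    }
  }
  return injected;
}

// Read script descriptors off a live DOM (el.src is already resolved to absolute).
function snapshotScripts(doc) {
  return Array.from(doc.scripts, (el) => ({
    src: el.src || null,
    text: el.src ? "" : el.textContent,
  }));
}

// Browser hook: report scripts present at load time, then keep watching, since
// an in-app browser may inject after the page has finished loading.
function watchForInjection(doc, report) {
  const opts = { pageOrigin: doc.location.origin };
  const found = classifyScripts(snapshotScripts(doc), opts);
  if (found.length) report(found);
  const observer = new MutationObserver((mutations) => {
    const added = [];
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue; // elements only
        if (node.tagName === "SCRIPT") added.push(node);
        else if (node.querySelectorAll) added.push(...node.querySelectorAll("script"));
      }
    }
    const descr = added.map((el) => ({ src: el.src || null, text: el.src ? "" : el.textContent }));
    const hits = classifyScripts(descr, opts);
    if (hits.length) report(hits);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample (not captured from any real app): the site's own scripts
// plus one injected external file and one injected inline script. pcm.js is the
// file named in Krause's report; everything else here is made up.
const SAMPLE_SCRIPTS = [
  { src: "https://example.com/app.js", text: "" },
  { src: "/static/vendor.js", text: "" },
  { src: null, text: "window.__app = {};" },
  { src: "https://connect.facebook.net/en_US/pcm.js", text: "" },
  { src: null, text: "(function(){ document.addEventListener('click', function(){}); })();" },
];

if (typeof document !== "undefined") {
  // In a browser: watch the real page and warn on anything foreign.
  watchForInjection(document, (hits) => console.warn("injected scripts:", hits));
} else {
  // Outside a browser (e.g. node): run the classifier on the constructed sample.
  console.log(classifyScripts(SAMPLE_SCRIPTS));
}
```

Two caveats a practitioner should keep in mind. First, this only sees injection that lands in the DOM (a script element or an external file such as pcm.js); code a host app runs through the WebView’s native evaluation APIs, for instance WKWebView user scripts on iOS, executes without creating a script element and is invisible to this check. Second, the host app controls the WebView entirely, so it could also suppress the observer or its report; detection from inside the page is evidence, not a guarantee.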

After the finding was published, Meta reportedly responded that the injected code helps aggregate events, such as online purchases, before they are used for targeted advertising and measurement on Facebook. Meta is also reported to have added that, for purchases made through the in-app browser, it asks for the user’s consent before saving payment information for autofill. Krause, however, said there is no legitimate reason for Meta to embed a browser in its apps and force users to go through it to visit external links.

“This allows Meta to intercept, monitor and record its users’ interactions and communications with third parties, providing Meta data which it aggregates, analyzes and uses to increase its advertising revenue,” the complaint reads. The lawsuit argues that collecting user information through the Facebook and Instagram apps lets Meta circumvent Apple’s privacy rules, which require all third-party apps to obtain users’ consent before tracking their online and offline activity.

In response to the plaintiffs’ allegations, Meta acknowledged that the Facebook app tracks activity in its built-in browser but denied that any user data was collected illegally. Krause’s report also noted that injecting code into other websites’ pages raises risks on several levels:

  • Privacy and analytics: the host app can track literally everything that happens on the website, such as every tap, keystroke and scroll, what content is copied and pasted, and data displayed on the page such as online purchases;
  • theft of user credentials, physical addresses, API keys, etc.;
  • ads and referrals: the host app can inject ads into the website, replace the ads API key to divert the website’s ad revenue, or rewrite every URL to include a referral code;
  • security: regular browsers have spent years hardening the browsing experience, for example by displaying HTTPS status and warning about unencrypted websites; an in-app browser need not offer any of this;
  • injecting additional JavaScript into a third-party website can interfere with the site’s own code and break it;
  • browser extensions and content blockers are not available;
  • deep links do not work well in most cases;
  • it is often not easy to share a link through other channels (e.g. email, AirDrop, etc.).

If you want to avoid Meta’s tracking through its apps’ built-in browser, open the page in a browser outside the app first. Usually a button lets you do this; if it is not available, copy the URL and paste it into your browser of choice. Another simple way to escape Meta’s gaze is to use the web versions of these services instead of the apps.

And you?

What is your opinion on the subject?
What do you think of the allegations made against Meta?

See also

Developers are looking at invasive user tracking techniques in iOS 14 to circumvent Apple’s upcoming privacy update

Meta, the parent company of Facebook and Instagram, is allegedly injecting JS code into websites to track users, according to a recent discovery by researcher Felix Krause

Facebook predicts $10 billion revenue shortfall due to privacy features on iOS that have made it harder to track users since the launch of iOS 14.5

96% of iPhone users have opted out of app tracking since the launch of iOS 14.5, showing that the vast majority of people want to maintain their privacy
