Facebook users sue Meta for bypassing Apple security to spy on millions

After Apple updated its privacy policies in 2021 to make it easy for iOS users to opt out of tracking by third-party apps, so many people opted out that, as the Electronic Frontier Foundation reported, Meta lost an estimated $10 billion in revenue over the following year.

Meta’s business model depends on selling user data to advertisers, and the owner of Facebook and Instagram appears to have been looking for new ways to keep collecting data at scale and recoup the lost revenue. Last month, privacy researcher and former Google engineer Felix Krause suggested that one such avenue was routing every link a user taps in the app into Meta’s in-app browser rather than the system browser. There, Krause reported, Meta was able to inject code into external websites, modify them, and track “everything you do on any website”, potentially including passwords, without user consent.

Now, in the past week, two class action lawsuits [1] [2] brought by three Facebook and iOS users, both pointing directly to Krause’s research, are suing Meta on behalf of all affected iOS users. They accuse Meta of covering up privacy risks, circumventing iOS users’ privacy choices, and intercepting, monitoring and recording all activity on third parties’ websites viewed in the Facebook or Instagram in-app browser. That allegedly includes form entries and screenshots, giving Meta a secret pipeline through its in-app browser to “personally identifiable information, private health details, text entries, and other sensitive confidential information”, apparently without users even knowing that the data collection is taking place.

The most recent complaint was filed yesterday by California-based Gabriele Willis and Louisiana-based Kerreisha Davis. Adam Polk, a lawyer on their legal team at Girard Sharp LLP, told Ars that the case matters because it aims to stop Meta from getting away with covering up ongoing privacy violations. In the complaint, the legal team pointed to Meta’s past misdeeds in collecting user information without consent, noting for the court that a Federal Trade Commission investigation resulted in a $5 billion fine for Meta.

“Just using an app doesn’t give the app company license to look over your shoulder when you click on a link,” Polk told Ars. “This litigation seeks to hold Meta responsible for secretly monitoring users’ browsing activity through its in-app tracking, even when they have not authorized Meta to do so.”

Meta did not immediately respond to Ars’ request for comment. Krause told Ars he preferred not to comment. [Update: A Meta spokesperson provided Ars with a statement: “These allegations are without merit and we will defend ourselves vigorously. We have carefully designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.”]

Meta secretly tracks data

According to the complaints, which rest on the same facts, Krause’s research “unveiled that Meta injects code into third-party websites, a practice that allows Meta to track users and intercept data that would otherwise not be available to it”.

To investigate the potential privacy issue, Krause created a website, inappbrowser.com, where users can “detect whether a particular in-app browser is injecting code into third-party websites.” He compared an app like Telegram, whose built-in browser does not inject JavaScript into third-party websites to track user data, with the Facebook app, by recording what happens to the page’s HTML when a user taps a link and it opens in the in-app browser.

For tests run on the Facebook and Instagram apps, Krause reported that the HTML clearly showed that “Meta uses JavaScript to modify websites and override its users’ default privacy settings by directing users to Facebook’s in-app browser instead of their pre-programmed default web browser”.

The complaints note that the code injection tactic Meta apparently used to “eavesdrop” on users is a well-known technique, the JavaScript injection attack. The lawsuit defines this as instances where “a threat actor injects malicious code directly into client-side JavaScript. This allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”
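The detection idea behind inappbrowser.com, described above, and the injection attack the complaint defines are two sides of the same observation: a page knows which scripts it shipped, so any script present in the DOM at runtime that the page did not serve was put there by the host. The following is an added example of that check, written for this article; it is not Krause’s code, not anything from inappbrowser.com, and not a reproduction of code found in the Facebook or Instagram apps. The allowlist URL, the inline script bodies and the “observed” DOM snapshot are all constructed for the example.

```javascript
// Added example (not code from the article, inappbrowser.com, or Meta).
// Idea: a page knows which <script> elements it shipped; anything else present
// in the DOM at runtime was put there by the host (an in-app browser's WebView,
// an extension, or an attacker), which is the signature of JavaScript injection.

// Constructed allowlist standing in for the scripts a page legitimately serves.
// Hypothetical URL and inline body; nothing here is taken from a real site.
const EXPECTED_SCRIPTS = [
  { src: 'https://example.test/static/app.js' },
  { inline: 'window.__appBooted = true;' },
];

// Normalise a script entry to a comparable key: external scripts by URL,
// inline scripts by their whitespace-trimmed source text.
function fingerprint(entry) {
  if (entry.src) return 'src:' + entry.src;
  return 'inline:' + (entry.inline || '').trim();
}

// Return every observed script that is not on the page's allowlist.
function findInjectedScripts(observed, expected = EXPECTED_SCRIPTS) {
  const known = new Set(expected.map(fingerprint));
  return observed.filter((entry) => !known.has(fingerprint(entry)));
}

// Browser side: describe the <script> elements currently in a Document.
function snapshotScripts(doc) {
  return Array.from(doc.querySelectorAll('script')).map((el) =>
    el.src ? { src: el.src } : { inline: el.textContent }
  );
}

// Browser side: report scripts added after load, which is when a WebView host
// typically injects (the page's own scripts are already on the allowlist).
function watchForInjectedScripts(doc, onInjected, expected = EXPECTED_SCRIPTS) {
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeType !== 1 || node.tagName !== 'SCRIPT') continue;
        const entry = node.src ? { src: node.src } : { inline: node.textContent };
        for (const hit of findInjectedScripts([entry], expected)) onInjected(hit);
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed DOM snapshot: the page's two scripts (one with stray whitespace,
// to show normalisation) plus one extra inline script of the kind a host might
// inject. Its body is made up for this example, not taken from any real app.
const SAMPLE_OBSERVED = [
  { src: 'https://example.test/static/app.js' },
  { inline: '  window.__appBooted = true;  ' },
  { inline: 'document.addEventListener("submit", (e) => { /* constructed: report form fields to host */ }, true);' },
];

// Offline demo over the constructed snapshot; returns the flagged scripts.
function demo() {
  return findInjectedScripts(SAMPLE_OBSERVED);
}

if (typeof document !== 'undefined') {
  // In a real browser: check what is already there, then watch for late injection.
  console.log('injected now:', findInjectedScripts(snapshotScripts(document)));
  watchForInjectedScripts(document, (hit) => console.log('injected later:', hit));
} else {
  console.log(demo());
}
```

Two caveats a practitioner should keep in mind. A clean result is not proof of no tracking: a WebView host can read form fields, cookies and navigation from the native side without touching the DOM, and an injected script can remove its own element after running, so a MutationObserver installed early is more reliable than a one-off snapshot. Conversely, a site’s own third-party tags (analytics, consent managers) will show up as “injected” unless they are on the allowlist, so the allowlist has to be the page’s full script inventory, not just its first-party bundle.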

“Meta is now using this hacking tool to gain an advantage over competitors and over iOS users, to preserve its ability to intercept and track their communications,” the complaint alleges.

According to the complaints, “Meta acknowledged that it was tracking Facebook users’ in-app browsing activity” when Krause reported the issue to its bug bounty program. The complaints state that Meta also confirmed at the time that it used data collected in the in-app browser for targeted advertising.
