Meta accused of breaking the law by secretly tracking iPhone users
Ad goliath reckons complaint is meritless – but it would, wouldn't it?
Meta was sued on Wednesday for alleged undisclosed tracking and data collection in its Facebook and Instagram apps on Apple iPhones.
The claim is based on the findings of security researcher Felix Krause, who last month published an analysis of how WKWebView browsers embedded within native applications can be abused to track people and violate privacy expectations.
"When users click on a link within the Facebook app, Meta automatically directs them to the in-app browser it is monitoring instead of the smartphone’s default browser, without telling users that this is happening or they are being tracked," the complaint says.
"The user information Meta intercepts, monitors and records includes personally identifiable information, private health details, text entries, and other sensitive confidential facts."
Confronted last month with Krause's findings, Meta insisted its code injection was done to respect its users' privacy choices (apart from their choice of default browser).
"We intentionally developed this code to honor people's App Tracking Transparency (ATT) choices on our platforms," a Meta spokesperson told The Register last month. "The code allows us to aggregate data before it is used for targeted advertising or measurement purposes."
Meta communications director Andy Stone offered a similar statement via Twitter.
"We do not add pixels to websites. The code in question allows us to respect people's privacy choices by helping aggregate events (such as making a purchase online) from pixels already on websites, before those events are used for advertising or measurement purposes."
— Andy Stone (@andymstone) August 11, 2022
The complaint, which is seeking class action certification, contends that Meta's undisclosed tracking violates the federal wiretapping statute, the California Invasion of Privacy Act, and the state's competition law – based on the conceit that the data Meta obtained enabled it to increase its profits and to gain an advantage over competitors.
Fluff and nonsense?
The legal salvo makes much of how Meta (then known as Facebook) waged a public relations campaign in an unsuccessful effort to undo ATT on the grounds it would harm small businesses that rely on the social ad biz's data-driven ads.
Meta maintains it is following Apple's ATT rules and Krause does not dispute that.
However, Meta's use of in-app browsers in its mobile apps predates Apple's ATT initiative. Apple introduced WKWebView at its 2014 Worldwide Developer Conference as a replacement for its older UIWebView (UIKit) and WebView (AppKit) frameworks. That was in iOS 8. With the arrival of iOS 9, as described at WWDC 2015, there was another option, SFSafariViewController. Presently this is what's recommended for displaying a website within an app.
And the company's use of in-app browsers has elicited concern before.
In his post, Steiner emphasizes that he didn't see anything unusual like a "phoning home" function.
Krause has taken a similar line, noting only the potential for abuse. In a follow-up post, he identified additional data gathering code.
He wrote, "Instagram iOS subscribes to every tap on any button, link, image or other component on external websites rendered inside the Instagram app" and also "subscribes to every time the user selects a UI element (like a text field) on third party websites rendered inside the Instagram app."
However, "subscribes" simply means that analytics data is accessible within the app, without offering any conclusion about what, if anything, is done with the data. Krause also points out that since 2020, Apple has offered a framework called WKContentWorld that isolates the web environment from scripts. Developers using an in-app browser can implement WKContentWorld in order to make scripts undetectable from the outside, he said.
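For a site owner who wants to check from the page side for the kind of subscription Krause describes, the sketch below is an added example, not code from Krause, Meta or this article. It wraps `addEventListener` before other scripts run and records watched event types registered by handlers the site did not mark as its own; the names `own` and `installListenerAudit` and the watched-event list are assumptions, and a script run in an isolated WKContentWorld would not be seen by it.

```javascript
// Added example, not Meta's or Krause's code. Page-side audit of event
// subscriptions made by scripts the site did not ship.
const WATCHED = new Set(['click', 'focusin', 'selectionchange']); // assumed list
const firstParty = new WeakSet();   // handlers the site itself registered

// Site code wraps its own handlers with own() so they are not reported.
function own(handler) { firstParty.add(handler); return handler; }

// Patch addEventListener on a prototype; must run before any other script.
function installListenerAudit(proto) {
  const original = proto.addEventListener;
  const findings = [];
  proto.addEventListener = function (type, handler, options) {
    if (WATCHED.has(type) && handler && !firstParty.has(handler)) {
      findings.push({ type, target: this.constructor.name,
                      snippet: String(handler).slice(0, 60) });
    }
    return original.call(this, type, handler, options); // behaviour unchanged
  };
  return { findings, restore() { proto.addEventListener = original; } };
}

// Constructed demo: a bare EventTarget stands in for `document`.
function runDemo() {
  const audit = installListenerAudit(EventTarget.prototype);
  const doc = new EventTarget();
  let siteClicks = 0, foreignClicks = 0;

  doc.addEventListener('click', own(() => { siteClicks += 1; })); // site's own
  // Simulated foreign script subscribing to taps and selections:
  doc.addEventListener('click', () => { foreignClicks += 1; });
  doc.addEventListener('selectionchange', () => {});
  doc.addEventListener('scroll', () => {});                        // not watched

  doc.dispatchEvent(new Event('click'));
  audit.restore();
  return { findings: audit.findings, siteClicks, foreignClicks };
}

const demo = runDemo();
console.log(demo.findings.map(f => `${f.type} on ${f.target}`));
```

In a real page the audit would be installed from the first inline script in the document head, and the findings reported to the site's own telemetry.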
Whatever Meta is doing internally with its in-app browser, and even given the company's insistence its injected script validates ATT settings, the plaintiffs suing the company argue there was no disclosure of the process.
Meta rejects the lawsuit's claims. "These allegations are without merit and we will defend ourselves vigorously," a company spokesperson said in an emailed statement.
"We have carefully designed our in-app browser to respect users' privacy choices, including how data may be used for ads." ®