After Apple updated its privacy rules in 2021 to easily allow iOS users to opt out of all tracking by third-party apps, so many people opted out that the Electronic Frontier Foundation reported that Meta lost $10 billion in revenue over the next year.
Meta’s business model depends on selling user data to advertisers, and it seems that the owner of Facebook and Instagram sought new paths to continue widely gathering data and to recover from the suddenly lost revenue. Last month, a privacy researcher and former Google engineer, Felix Krause, alleged that one way Meta sought to recover its losses was by directing any link a user clicks in the app to open in-browser, where Krause reported that Meta was able to inject a code, alter the external websites, and track “anything you do on any website,” including tracking passwords, without user consent.
Now, within the past week, two class action lawsuits [1] [2] from three Facebook and iOS users—who point directly to Krause’s research—are suing Meta on behalf of all iOS users impacted, accusing Meta of concealing privacy risks, circumventing iOS user privacy choices, and intercepting, monitoring, and recording all activity on third-party websites viewed in Facebook or Instagram’s browser. This includes form entries and screenshots granting Meta a secretive pipeline through its in-app browser to access “personally identifiable information, private health details, text entries, and other sensitive confidential facts”—seemingly without users even knowing the data collection is happening.
The most recent complaint was filed yesterday by California-based Gabriele Willis and Louisiana-based Kerreisha Davis. A lawyer from their legal team at Girard Sharp LLP, Adam Polk, told Ars that it was an important case to stop Meta from getting away with concealing ongoing privacy invasions. In the complaint, the legal team pointed to prior Meta misdeeds in gathering user information without consent, noting for the court that a Federal Trade Commission investigation resulted in a $5 billion fine for Meta.
“Merely using an app doesn’t give the app company license to look over your shoulder when you click on a link,” Polk told Ars. “This litigation seeks to hold Meta accountable for secretly monitoring people’s browsing activity through its in-app tracking even when they haven’t allowed Meta to do that.”
Meta did not immediately respond to Ars’ request for comment. Krause told Ars he prefers not to comment.
Meta allegedly secretly tracks data
According to the complaints, which rely on the same facts, Krause’s research “revealed that Meta has been injecting code into third-party websites, a practice that allows Meta to track users and intercept data that would otherwise be unavailable to it.”
To investigate the potential privacy issue, Krause built a website called inappbrowser.com, where users could “detect whether a particular in-app browser is injecting code into third-party websites.” He compared an app like Telegram, which doesn’t inject JavaScript code into third-party websites to track user data in its in-app browser, with the Facebook app by tracking what happens in the HTML file when a user clicks a link.
In the case of tests run on Facebook and Instagram apps, Krause reported that the HTML file clearly showed that “Meta uses JavaScript to alter websites and override its users’ default privacy settings by directing users to Facebook’s in-app browser instead of their pre-programmed default web browser.”
The complaints note that this tactic of injecting code seemingly employed by Meta to “eavesdrop” on users was originally known as a JavaScript Injection Attack. The lawsuit defines that as instances where “a threat actor injects malicious code directly into the client-side JavaScript. This allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”
“Meta now is using this coding tool to gain an advantage over its competitors and, in relation to iOS users, preserve its ability to intercept and track their communications,” the complaint alleges.
According to the complaints, “Meta acknowledged that it tracks Facebook users’ in-app browsing activity” when Krause reported the issue to its bug bounty program. The complaints say that Meta also confirmed at that time that it uses data collected from in-app browsing for targeted advertising.