
Meta accused of breaking the law by secretly tracking iPhone users

Meta was sued on Wednesday for alleged undisclosed tracking and data collection in its Facebook and Instagram apps on Apple iPhones.

The lawsuit [PDF], filed in a US federal district court in San Francisco, claims that the two applications use their own in-app browser, known as a WKWebView, which injects JavaScript code to gather data that would otherwise be unavailable if the apps opened links in the standalone default browser designated by iPhone users.

The claim is based on the findings of security researcher Felix Krause, who last month published an analysis of how WKWebView browsers embedded within native applications can be abused to track people and violate privacy expectations.

“When users click on a link within the Facebook app, Meta automatically directs them to the in-app browser it is monitoring instead of the smartphone’s default browser, without telling users that this is happening or they are being tracked,” the complaint says.

“The user information Meta intercepts, monitors and records includes personally identifiable information, private health details, text entries, and other sensitive confidential facts.”

Confronted last month with Krause’s findings, Meta insisted its code injection was done to respect its users’ privacy choices (apart from their choice of default browser).

“We intentionally developed this code to honor people’s App Tracking Transparency (ATT) choices on our platforms,” a Meta spokesperson told The Register last month. “The code allows us to aggregate data before it is used for targeted advertising or measurement purposes.”

Meta communications director Andy Stone offered a similar statement via Twitter.

The complaint, which is seeking class action certification, contends that Meta’s undisclosed tracking violates the federal wiretapping statute, the California Invasion of Privacy Act, and the state’s competition law – based on the conceit that the data Meta obtained enabled it to increase its profits and to gain an advantage over competitors.

“Meta’s injection of JavaScript coincides with recent privacy updates for iPhones and other iOS devices,” the complaint contends, pointing to the 2021 introduction of iOS 14.5 and its data-denying App Tracking Transparency (ATT) framework.

Fluff and nonsense?

The legal salvo makes much of how Meta (then known as Facebook) waged a public relations campaign in an unsuccessful effort to undo ATT on the grounds it would harm small businesses that rely on the social ad biz’s data-driven ads.

Meta maintains it is following Apple’s ATT rules and Krause does not dispute that.

However, Meta’s use of in-app browsers in its mobile apps predates Apple’s ATT initiative. Apple introduced WKWebView at its 2014 Worldwide Developer Conference as a replacement for its older UIWebView (UIKit) and WebView (AppKit) frameworks. That was in iOS 8. With the arrival of iOS 9, as described at WWDC 2015, there was another option, SFSafariViewController. Presently this is what’s recommended for displaying a website within an app.

And the company’s use of in-app browsers has elicited concern before.

“On top of limited features, WebViews can also be used for effectively conducting intended man-in-the-middle attacks, since the IAB [in-app browser] developer can arbitrarily inject JavaScript code and also intercept network traffic,” wrote Thomas Steiner, a Google developer relations engineer, in a blog post three years ago.

In his post, Steiner emphasizes that he didn’t see anything unusual like a “phoning home” function.

Krause has taken a similar line, noting only the potential for abuse. In a follow-up post, he identified additional data gathering code.

He wrote, “Instagram iOS subscribes to every tap on any button, link, image or other component on external websites rendered inside the Instagram app” and also “subscribes to every time the user selects a UI element (like a text field) on third party websites rendered inside the Instagram app.”

However, “subscribes” simply means that analytics data is accessible within the app, without offering any conclusion about what, if anything, is done with the data. Krause also points out that since 2020, Apple has offered a framework called WKContentWorld that isolates the web environment from scripts. Developers using an in-app browser can implement WKContentWorld in order to make scripts undetectable from the outside, he said.

Whatever Meta is doing internally with its in-app browser, and even given the company’s insistence its injected script validates ATT settings, the plaintiffs suing the company argue there was no disclosure of the process.

“Meta fails to disclose the consequences of browsing, navigating, and communicating with third-party websites from within Facebook’s in-app browser – namely, that doing so overrides their default browser’s privacy settings, which users rely on to block and prevent tracking,” the complaint says. “Similarly, Meta conceals the fact that it injects JavaScript that alters external third-party websites so that it can intercept, track, and record data that it otherwise could not access.”

Meta rejects the lawsuit’s claims. “These allegations are without merit and we will defend ourselves vigorously,” a company spokesperson said in an emailed statement.

“We have carefully designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.” ®

source: The Register