Facebook users sue Meta for bypassing beefy Apple security to spy on millions

After Apple updated its privacy rules in 2021 to easily allow iOS users to opt out of all tracking by third-party apps, so many people opted out that the Electronic Frontier Foundation reported that Meta lost $10 billion in revenue over the next year.

Meta’s business model depends on targeting ads using the data it collects about users, and it seems that the owner of Facebook and Instagram sought new paths to keep gathering that data widely and to recover the suddenly lost revenue. Last month, a privacy researcher and former Google engineer, Felix Krause, alleged that one way Meta sought to recover its losses was by opening any link a user taps in the app in its own in-app browser rather than the system browser, where Krause reported that Meta was able to inject code, alter the external websites, and track “anything you do on any website,” including tracking passwords, without user consent.

Now, within the past week, three Facebook and iOS users have filed two class action lawsuits against Meta, both pointing directly to Krause’s research, on behalf of all affected iOS users. The suits accuse Meta of concealing privacy risks, circumventing iOS users’ privacy choices, and intercepting, monitoring, and recording all activity on third-party websites viewed in Facebook’s or Instagram’s in-app browser, including form entries and screenshots. That, the plaintiffs allege, gives Meta a secret pipeline through its in-app browser to “personally identifiable information, private health details, text entries, and other sensitive confidential facts,” seemingly without users even knowing the data collection is happening.

The most recent complaint was filed yesterday by California-based Gabriele Willis and Louisiana-based Kerreisha Davis. A lawyer from their legal team at Girard Sharp LLP, Adam Polk, told Ars that it was an important case to stop Meta from getting away with concealing ongoing privacy invasions. In the complaint, the legal team pointed to prior Meta misdeeds in gathering user information without consent, noting for the court that a Federal Trade Commission investigation resulted in a $5 billion fine for Meta.

“Merely using an app doesn’t give the app company license to look over your shoulder when you click on a link,” Polk told Ars. “This litigation seeks to hold Meta accountable for secretly monitoring people’s browsing activity through its in-app tracking even when they haven’t allowed Meta to do that.”

Meta did not immediately respond to Ars’ request for comment. Krause told Ars he prefers not to comment. [Update: A Meta spokesperson provided Ars with a statement: “These allegations are without merit and we will defend ourselves vigorously. We have carefully designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.”]

Meta allegedly secretly tracks data

According to the complaints, which rely on the same facts, Krause’s research “revealed that Meta has been injecting code into third-party websites, a practice that allows Meta to track users and intercept data that would otherwise be unavailable to it.”

To investigate the potential privacy issue, Krause built a website called inappbrowser.com, where users could “detect whether a particular in-app browser is injecting code into third-party websites.” Opened from an app like Telegram, whose in-app browser does not inject JavaScript into third-party websites to track user data, the page’s HTML stays as served; opened from the Facebook app, Krause tracked what changed in the HTML once the link had loaded.

In the case of tests run on Facebook and Instagram apps, Krause reported that the HTML file clearly showed that “Meta uses JavaScript to alter websites and override its users’ default privacy settings by directing users to Facebook’s in-app browser instead of their pre-programmed default web browser.”
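The kind of check inappbrowser.com performs can be approximated by a site that knows its own markup: compare the HTML it served with what the in-app browser actually rendered, and test whether built-in functions a tracker would typically hook still report native code. The following is an added example of that approach, not code from Krause’s site, from Meta, or from Ars; the served and rendered HTML strings, the `example.invalid` tracker URL, the `buildSampleGlobal` stand-in for a hooked WebView, and the function names are all constructed for illustration.

```javascript
// Added example: spotting code injected into a page by an in-app browser.
// Constructed illustration of the approach, not inappbrowser.com's own code.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Pull every <script> element out of an HTML string as { src, inline }.
function extractScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const srcMatch = m[1].match(SRC_RE);
    const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
    scripts.push({ src, inline: src ? '' : m[2].trim() });
  }
  return scripts;
}

// Stable identity so the two documents can be compared as sets.
function scriptKey(s) {
  return s.src ? `src:${s.src}` : `inline:${s.inline}`;
}

// Signal 1: scripts present in the rendered document but absent from the
// served one. The served HTML is the allowlist, so the site's own scripts
// are never reported.
function findInjectedScripts(servedHtml, renderedHtml) {
  const expected = new Set(extractScripts(servedHtml).map(scriptKey));
  return extractScripts(renderedHtml).filter((s) => !expected.has(scriptKey(s)));
}

// Signal 2: a built-in that has been wrapped by a JavaScript hook no longer
// prints "[native code]" when stringified. (A thorough hook could also patch
// Function.prototype.toString, so treat this as a heuristic, not proof.)
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Walk dotted names ("JSON.stringify") on a window-like object and return the
// ones that resolve to a non-native function.
function findWrappedBuiltins(globalLike, names) {
  return names.filter((name) => {
    const fn = name.split('.').reduce((o, k) => (o == null ? undefined : o[k]), globalLike);
    return fn !== undefined && !isNativeFunction(fn);
  });
}

// Combine both signals into one verdict the page could show the user.
function detectInjection(servedHtml, renderedHtml, globalLike, builtins) {
  const injectedScripts = findInjectedScripts(servedHtml, renderedHtml);
  const wrappedBuiltins = findWrappedBuiltins(globalLike, builtins);
  return {
    injectedScripts,
    wrappedBuiltins,
    clean: injectedScripts.length === 0 && wrappedBuiltins.length === 0,
  };
}

// ---- constructed sample input (not captured from any real app) ----
const SERVED_HTML = `<html><head>
<script src="/assets/app.js"></script>
</head><body><form id="login"><input name="password"></form>
<script>window.appReady = true;</script>
</body></html>`;

// The same page as serialized inside a hypothetical in-app browser that
// added a remote tracker and an inline submit listener.
const RENDERED_HTML = `<html><head>
<script src="/assets/app.js"></script>
<script src="https://example.invalid/injected/tracker.js"></script>
</head><body><form id="login"><input name="password"></form>
<script>window.appReady = true;</script>
<script>document.addEventListener("submit", e => report(e));</script>
</body></html>`;

// Hypothetical window-like object in which JSON.stringify has been wrapped,
// standing in for a hook that serializes form data before passing it on.
function buildSampleGlobal() {
  const original = JSON.stringify;
  return {
    JSON: { stringify: (value, ...rest) => original(value, ...rest) },
    Object: { keys: Object.keys },
    Array: { prototype: { push: Array.prototype.push } },
  };
}

const WATCHED_BUILTINS = ['JSON.stringify', 'Object.keys', 'Array.prototype.push'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(
    detectInjection(SERVED_HTML, RENDERED_HTML, buildSampleGlobal(), WATCHED_BUILTINS), null, 2));
}
```

In a real deployment the “served” copy would be the markup the site itself generated (for example, a hash of the response body carried in a header), while the “rendered” copy is `document.documentElement.outerHTML` read from inside the in-app browser; the string comparison here is only what makes the logic runnable offline. A WebView host that wants to hide its hooks can defeat the native-code heuristic, which is why the script diff is the more reliable of the two signals.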

The complaints note that this tactic of injecting code, seemingly employed by Meta to “eavesdrop” on users, was originally known as a JavaScript Injection Attack. The lawsuit defines that as instances where “a threat actor injects malicious code directly into the client-side JavaScript. This allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.” That definition describes an outside attacker; here the code comes from the app hosting the embedded browser, which can run script in any page it loads without the website’s cooperation, so the website itself has no way to refuse it.


“Meta now is using this coding tool to gain an advantage over its competitors and, in relation to iOS users, preserve its ability to intercept and track their communications,” the complaint alleges.

According to the complaints, “Meta acknowledged that it tracks Facebook users’ in-app browsing activity” when Krause reported the issue to its bug bounty program. The complaints say that Meta also confirmed at that time that it uses data collected from in-app browsing for targeted advertising.

“Nothing alerts users”

Because another popular Meta app, WhatsApp, does not employ the same tactic, plaintiffs say they reject Meta’s suggestion that the injected code might serve security purposes. They also note that Meta does not mention the in-app browser tracking in its Off-Facebook Activity settings, where users can review how their data is gathered from businesses or websites, for example, data shared when they use Facebook Login to sign in to accounts on other websites.

The complaints allege that “there is no justification for” Meta omitting this information from Off-Facebook activity monitoring, “other than to increase” profits, “beyond what it would have otherwise realized.”

Meta’s current policies are intentionally designed to leave users in the dark, the lawsuit alleges.

“Meta does not inform Facebook users that clicking on links to third-party websites from within Facebook will automatically send the user to Facebook’s in-app browser, as opposed to the user’s default web browser, or that Meta will monitor the user’s activity and communications while on those sites,” the complaints state. “Because nothing alerts users as to these facts, they are unaware of the tracking; most do not even realize they are browsing the third-party website from within Facebook’s in-app browser.”

Krause noted in his report that even iOS users in Lockdown Mode aren’t protected from the in-app browser tracking, and there is no way to opt out. He recommended that Meta update Instagram and Facebook to behave like WhatsApp and never modify third-party websites. The most obvious solution is to end default in-app browsing and let users open the links they tap in the browser of their choice.

After Krause submitted what he identified as a privacy concern to Meta through its bug bounty program, he reported that Meta said the script was injected partly because it was a security feature that “helps Meta respect the user’s ATT opt out choice,” referring to Apple’s App Tracking Transparency prompt, to not sell or share information. Krause noted this “is only relevant if the rendered website has the Meta Pixel installed” to track visitor activity and that it “wouldn’t be necessary if Instagram were to open the phone’s default browser.”

Ultimately, Meta closed out Krause’s bug report, saying Meta’s insertion of the code was “intentional” and “not a privacy concern.”

Now Facebook users have taken up the mantle and are relying on Krause’s bug report to challenge Meta’s decision in court. Plaintiffs have requested a jury trial and are asking the court to “permanently restrain Meta” from continuing to conduct what they view as JavaScript Injection Attacks designed to allow Meta to “intercept users’ private communications and track users’ Internet activity on third-party websites in a manner that is inconsistent” with users’ desired privacy settings.

If the court agrees that Meta intentionally violated laws—including the Wiretap Act, the California Invasion of Privacy Act (CIPA), and California’s Unfair Competition Law—Meta could face steep fines.

The lawsuit suggests that millions of users could have been affected in the time since Meta began injecting the code into third-party websites. Meta records could be used to identify “all persons with active Facebook accounts who visited a third-party external website on Facebook’s in-app browser” and are thus eligible to file claims. If plaintiffs win, each user deemed to be negatively impacted would be entitled to statutory damages up to “$10,000 or $100 per day for each day of violation” of the Wiretap Act and “statutory damages in the amount of $5,000 per violation” of CIPA. The court may also assess other fines.

In the meantime, the lawsuits say there is an easy way to keep Meta from collecting this information: instead of tapping links shared on Facebook or Instagram, copy and paste them directly into your preferred browser.

Source: Ars Technica