Meta faces second class action lawsuit over breach of user privacy on iOS

Users of Facebook’s iOS app are suing Meta for allegedly collecting their data even after they opted out using a privacy feature introduced by Apple in April 2021. Two Facebook iOS users filed the class action lawsuit on Wednesday in federal court in San Francisco, the second such class action lawsuit against Meta in a week.

According to the class action court filing, Meta circumvented the privacy-preserving capabilities of App Tracking Transparency (ATT), such as eliminating cross-host tracking on iOS, by setting up alternative tracking methods on third-party websites through the browsers built into its apps.

When released with iOS 14.5, ATT had a 98% opt-out (tracking) rate in the US, i.e. only 2% of US users allowed apps to track them. As of May 2022, the number of US users who have enabled app tracking (opt-in rate) on iPhones is up to 18%. Similarly, the overall iOS tracking acceptance rate increased from 11% in April 2021 to 25% in May 2022.

The plaintiffs alleged that Meta violated the wiretapping law and the invasion of privacy law by continuing to track users and intercept otherwise inaccessible data.

“Meta tracked and intercepted her specific electronic activity and private communications with external third-party websites without her [one of the litigants] knowledge or consent,” the lawsuit reads.

“Ms. Davis reasonably expected that her communications with third-party websites would be confidential, solely between her and those websites, and that those communications – which include text entries, passwords, personally identifiable information and other sensitive, confidential and private information – would not be intercepted or tracked by Meta.”

The lawsuit relied on the findings of Felix Krause, a data privacy researcher and former Google engineer. He discovered that Meta is still tracking Facebook and Instagram users, bypassing the privacy settings that ATT otherwise enforces on other apps.

Krause’s August report, titled “iOS Privacy: Instagram and Facebook can track everything you do on any website in their in-app browser,” details how users who click on a link in the Facebook or Instagram apps are taken to the website through an in-app browser developed by Meta itself, instead of Apple’s Safari or any other third-party browser.

Flowchart of user tracking on Facebook and Instagram via in-app browsers | Source: Felix Krause

In-app browsers are different from third-party browsers. Meta can and does design in-app browsers to inject JavaScript into websites. “Creating your own in-app browser takes a significant amount of time to program and maintain, much more than just using the user-friendly and privacy-enabled alternative that’s already been built into the iPhone for the past seven years,” noted Krause.

Facebook in-app browser injecting JavaScript code into a third-party website on iOS (left) and Android (right) | Source: Felix Krause

Although not mentioned in the litigation, in-app browsers also affect the usability of the app. When a website opens in an in-app browser, users cannot go back and use the app until the in-app browser is closed. A simple prompt asking users to “always open in browser” did the trick, but it was eliminated.

The plaintiffs also alleged that while Meta was non-consensually monitoring and tracking users, it also failed to disclose such activities through the Facebook app’s off-Facebook activities section.

“Meta does not disclose the consequences of browsing and communicating with third-party websites from Facebook’s in-app browser, namely that it overrides their default browser privacy settings, which users rely on to block and prevent tracking,” the lawsuit reads.

“Similarly, Meta conceals the fact that it injects JavaScript that modifies external third-party websites so that it can intercept, track, and log data it could not otherwise access.”

The latest lawsuit was filed by Gabriele Willis of California and Kerreisha Davis of Louisiana, while California-based Wayne Mitchell filed the earlier one. Both class action cases apply to anyone with an active Facebook account who visited an external third-party website on Facebook’s in-app browser in the United States.

Meta, like Google, relies on online advertising for the lion’s share of its revenue. In Q1 2021, before the introduction of ATT, and in the most recent Q2 2022, 87.2% of Meta’s total revenue came from advertising.

But unlike Google, the company doesn’t have a popular mobile operating system or search engine to fall back on for its business. As a result, the social media giant saw its total revenue decline in the second quarter of 2022, while its profits fell for the third consecutive quarter. The company is currently trying to cut costs and has started layoffs.

If Willis and Davis or Mitchell win, eligible individuals are entitled to $10,000 or $100 per day for each day of violation under the wiretap law, and statutory damages of up to $5,000 per violation under the California Invasion of Privacy Act (CIPA).

Meta was fined ₩30.8 billion (~$22.11 million) in September 2022, €17 million (~$18.6 million) in March 2022, and €60 million (~$67.87 million) in January 2022 by South Korean, French and Irish regulators, respectively, for data privacy breaches.
