Meta sued for allegedly secretly tracking iPhone users • The Register

Meta was sued Wednesday for alleged secret tracking and data collection on its Facebook and Instagram apps on Apple iPhones.

The legal action [PDF], filed in a US district court in San Francisco, alleges that the two applications use a proprietary browser, known as a WKWebView, which injects JavaScript code to collect data that would otherwise not be available if the apps opened links in the default standalone browser set by iPhone users.

The claim is based on the findings of security researcher Felix Krause, who last month published an analysis of how WKWebView browsers embedded in native applications can be misused to track individuals and violate privacy expectations.

“When users click a link within the Facebook app, Meta automatically redirects them to the in-app browser it monitors instead of the default smartphone browser without notifying users that this is happening or that they are being tracked,” the complaint says.

“The user information that Meta intercepts, monitors, and records includes personally identifiable information, private health information, text input, and other sensitive confidential facts.”

Faced with Krause’s findings last month, Meta insisted its code injection was done to respect its users’ privacy settings (aside from their choice of default browser).

“We intentionally developed this code to accommodate people’s choices about App Tracking Transparency (ATT) on our platforms,” a Meta spokesperson told The Register last month. “The code allows us to aggregate data before it is used for targeted advertising or measurement purposes.”

Meta Communications Director Andy Stone expressed a similar sentiment via Twitter.

The complaint, which seeks certification of a class action, alleges that Meta’s undisclosed tracking violates federal wiretapping laws, the California Invasion of Privacy Act and state competition laws, based on the assumption that the data Meta obtained from its tracking enabled it to increase profits and gain an advantage over competitors.

“Meta’s JavaScript injection coincides with recent privacy updates for iPhones and other iOS devices,” the complaint reads, citing the 2021 launch of iOS 14.5 and its data-denying App Tracking Transparency (ATT) framework.

bullshit and nonsense?

The legal salvo makes much of how Meta (then known as Facebook) ran a PR campaign in an unsuccessful attempt to reverse ATT, claiming it would harm small businesses that rely on the social ad business’s data-driven ads.

Meta claims to follow Apple’s ATT rules and Krause doesn’t deny it.

However, Meta’s use of in-app browsers in its mobile apps predates Apple’s ATT initiative. Apple introduced WKWebView at its 2014 Worldwide Developer Conference as a replacement for its older UIWebView (UIKit) and WebView (AppKit) frameworks. That was in iOS 8. With the arrival of iOS 9, as described at WWDC 2015, there was another option, SFSafariViewController. This is currently what is recommended for displaying a website within an app.

And the company’s use of in-app browsers has been a concern before.

“In addition to the limited functionality, WebViews can also be used to effectively carry out intentional man-in-the-middle attacks because the IAB [in-app browser] developer can insert any JavaScript code and also intercept network traffic,” wrote Thomas Steiner, developer relations engineer at Google, in a blog entry three years ago.

Steiner emphasizes in his post that he hasn’t seen anything unusual like a “call home” function.

Krause has taken a similar line, only pointing out the potential for abuse. In a follow-up post, he identified additional data acquisition code.

He wrote: “Instagram iOS subscribes to every tap of a button, link, image or other component on external websites rendered in the Instagram app” and “also subscribes to every time the user clicks a UI element (like a text box) on third-party websites rendered in the Instagram app.”

However, “subscribing” simply means that analytics data is accessible within the app without revealing what, if anything, is done with the data. Krause also points out that since 2020 Apple has been using a framework called WKContentWorld which isolates the web environment from scripts. Developers using an in-app browser can implement WKContentWorld to make scripts undetectable from the outside, he said.
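The following sketch shows how a website can audit listener registrations made in its own JavaScript world, and why a script in an isolated content world never appears in that audit. It is an added example, not code from the article, from Krause's analysis or from Meta's apps; `FakeDocument`, the handlers and the event types are constructed stand-ins so that it runs outside a browser.

```javascript
// Added example; FakeDocument and all handlers are constructed stand-ins.
class FakeDocument extends EventTarget {} // plays the role of `document`

// Wrap addEventListener so every registration made in this JS world is seen.
function installListenerAudit(proto) {
  const original = proto.addEventListener;
  const own = new WeakSet(); // listeners the page registered on purpose
  const unexpected = [];     // registrations the page did not make
  proto.addEventListener = function (type, listener, options) {
    if (!own.has(listener)) unexpected.push(type);
    return original.call(this, type, listener, options);
  };
  return {
    trusted(fn) { own.add(fn); return fn; },
    report() { return [...unexpected]; },
    restore() { proto.addEventListener = original; },
  };
}

function simulate() {
  const audit = installListenerAudit(FakeDocument.prototype);
  const doc = new FakeDocument();
  let isolatedFired = 0;

  // The site's own handler, registered through the audit's allowlist.
  doc.addEventListener('submit', audit.trusted(() => {}));

  // Script injected into the page's own world: it calls the wrapped method,
  // so the page sees which event types it subscribes to.
  doc.addEventListener('click', () => {});
  doc.addEventListener('focusin', () => {});

  // Model of a script in a separate content world: it holds its own copy of
  // the built-ins, so the page's wrapper is never on its call path.
  EventTarget.prototype.addEventListener.call(doc, 'click', () => {
    isolatedFired += 1;
  });

  doc.dispatchEvent(new Event('click'));
  const result = { unexpected: audit.report(), isolatedFired };
  audit.restore();
  return result;
}
```

The audit reports the `click` and `focusin` subscriptions made in the page's world, while the isolated listener still fires on the same event without being recorded.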

Whatever Meta does internally with its in-app browser, and even given the company’s insistence that its injected script validate ATT settings, the plaintiffs suing the company argue that there has been no disclosure of the process.

“Meta does not disclose the consequences of browsing, navigating, and communicating with third-party websites within Facebook’s in-app browser — namely, that it overrides their default browser’s privacy settings, which users rely on to block and prevent tracking,” states the complaint. “Similarly, Meta hides the fact that it injects JavaScript that modifies external third-party websites, allowing it to intercept, track, and record data it otherwise would not have access to.”

Meta dismisses the claims of the lawsuit. “These allegations are unfounded and we will vigorously defend ourselves,” a company spokesman said in an emailed statement.

“We carefully designed our in-app browser to respect users’ privacy settings, including how data may be used for ads.” ®

Laura Coffey
