Meta was sued Wednesday for alleged secret tracking and data collection on its Facebook and Instagram apps on Apple iPhones.
The claim is based on the findings of security researcher Felix Krause, which were published last month an analysis how WKWebView browsers are embedded in native applications can be misused to track individuals and violate privacy expectations.
“When users click a link within the Facebook app, Meta automatically redirects them to the in-app browser it monitors instead of the default smartphone browser without notifying users that this is happening or that they are being tracked,” it said it in the complaint.
“The user information that Meta intercepts, monitors, and records includes personally identifiable information, private health information, text input, and other sensitive confidential facts.”
Faced with Krause’s findings last month, Meta insisted its code injection was done to respect its users’ privacy settings (aside from their choice of default browser).
“We intentionally developed this code to accommodate people’s choices about App Tracking Transparency (ATT) on our platforms,” said a Meta spokesperson The registry Last month. “The code allows us to aggregate data before it is used for targeted advertising or measurement purposes.”
Meta Communications Director Andy Stone expressed a similar sentiment via twitter.
We do not add pixels to websites. The code in question allows us to respect people's privacy choices by helping aggregate events (such as making a purchase online) from pixels already on websites, before those events are used for advertising or measurement purposes.
— Andy Stone (@andymstone) August 11, 2022
The complaint, which seeks certification of a class action, alleges that Meta’s undisclosed tracking violates federal wiretapping laws, the California Invasion of Privacy Act and state competition laws — based on the assumption that the data obtained from Meta enabled it to track its To increase profits and to gain an advantage over competitors.
bullshit and nonsense?
The legal salvo makes much of how Meta (then known as Facebook) ran a PR campaign in an unsuccessful attempt to reverse ATT, claiming it would harm small businesses that rely on the social ad business’s data-driven ads leaving.
Meta claims to follow Apple’s ATT rules and Krause doesn’t deny it.
However, Meta’s use of in-app browsers in its mobile apps predates Apple’s ATT initiative. Apple introduced WKWebView at its 2014 Worldwide Developer Conference as a replacement for its older UIWebView (UIKit) and WebView (AppKit) frameworks. That was in iOS 8. With the arrival of iOS 9 as described below WDC 2015there was another way SFSafariViewController. Currently this is what is recommended to display a website within an app.
And the company’s use of in-app browsers has been a concern before.
Steiner emphasizes in his post that he hasn’t seen anything unusual like a “call home” function.
Krause has taken a similar line, only pointing out the potential for abuse. in the a follow-up posthe identified additional data acquisition code.
He wrote: “Instagram iOS subscribes to every tap of a button, link, image or other component on external websites rendered in the Instagram app” and “also subscribes to every time the user clicks a UI element ( like a text box) on Third Party selects websites to render in the Instagram app.”
However, “subscribing” simply means that analytics data is accessible within the app without revealing what, if anything, is done with the data. Krause also points out that since 2020 Apple has been using a framework called WKContentWorld which isolates the web environment from scripts. Developers using an in-app browser can implement WKContentWorld to make scripts undetectable from the outside, he said.
Whatever Meta does internally with its in-app browser, and even given the company’s insistence that its injected script validate ATT settings, the plaintiffs suing the company argue that there has been no disclosure of the process.
Meta dismisses the claims of the lawsuit. “These allegations are unfounded and we will vigorously defend ourselves,” a company spokesman said in an emailed statement.
“We carefully designed our in-app browser to respect users’ privacy settings, including how data may be used for ads.” ®
https://www.theregister.com/2022/09/23/meta_app_tracking/ Meta sued for allegedly secretly tracking iPhone users • The Register