Meta Faces Second Class-Action Lawsuit for Violating User Privacy on iOS
Users of Facebook’s iOS app are suing Meta for allegedly tracking and collecting their data even after they opted out through iOS’ App Tracking Transparency feature.
Users of Facebook’s iOS app are suing Meta for allegedly collecting their data even after they opted out of it using a privacy feature Apple introduced in April 2021. Two iOS users of Facebook filed a class-action lawsuit on Wednesday in a San Francisco federal court, the second-such class action lawsuit against Meta in one week.
According to allegations in the class-action lawsuit, Meta bypassed the privacy-preserving capabilities of App Tracking Transparency (ATT), such as eliminating cross-host tracking on iOS, by setting up alternative tracking methods on third-party websites through in-app browser applications.
When released with iOS 14.5, ATT had an opt-out (from tracking) rate of 98% in the U.S., i.e., only 2% of the U.S. users allowed apps to track them. As of May 2022, the number of U.S. users that have enabled app tracking (opt-in rate) on iPhones is up to 18%. Similarly, the global opt-in rate for tracking on iOS increased from 11% in April 2021 to 25% in May 2022.
The litigants alleged that Meta violated the Wiretap Act and the Invasion of Privacy Act by continuing to track users and intercept data otherwise unavailable to it.
“Meta tracked and intercepted her specific electronic activity and private communications with external third-party websites without her [one of the litigants] knowledge or consent,” the lawsuit reads.
“Ms. Davis reasonably expected that her communications with third-party websites were confidential, solely between herself and those websites, and that such communications — which include text entries, passwords, personally identifiable information, and other sensitive, confidential and private information — would not be intercepted or tracked by Meta.”
The lawsuit relied on findings by Felix Krause, a data privacy researcher and former Google engineer. He discovered that Meta still tracks Facebook and Instagram users by circumventing the privacy settings otherwise enforced on the remaining apps through ATT.
Krause’s August report, titled, iOS Privacy: Instagram and Facebook can Track Anything you do on any Website in their In-App Browser, details how users are redirected to the website via an in-app browser developed by Meta itself, instead of Apple’s Safari or any other third-party browser, when they click a link in the Facebook or Instagram apps.
Flowchart of User Tracking on Facebook and Instagram Through In-App Browsers | Source: Felix Krause
See More: South Korea Fines Google and Meta a Combined $72M for Privacy Violations
In-app browsers are different from third-party ones. Meta can and is designing in-app browsers to inject javascript code into websites. “Building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past seven years,” Krause noted.
Facebook In-App Browser Injecting JavaScript Code in Third-Party Website on iOS (left) and Android (right) | Source: Felix Krause
Though not mentioned in the litigation, in-app browsers also impact app usability. When a website opens in an in-app browser, it limits the ability of users to go back and use the app unless the in-app browser is closed. A simple prompt asking users to ‘always open in browser’ used to do the trick but has been eliminated.
The plaintiffs also alleged that while Meta non-consensually monitored and tracked users, it also failed to disclose these activities through the Off-Facebook activity section of the Facebook app.
“Meta fails to disclose the consequences of browsing, navigating, and communicating with third-party websites from within Facebook’s in-app browser — namely, that doing so overrides their default browser’s privacy settings, which users rely on to block and prevent tracking,” the lawsuit reads.
“Similarly, Meta conceals the fact that it injects JavaScript that alters external third-party websites so that it can intercept, track, and record data that it otherwise could not access.”
The latest lawsuit was filed by California’s Gabriele Willis and Louisiana’s Kerreisha Davis, while California-based Wayne Mitchell filed the previous one. Both class-action cases apply to everyone with an active Facebook account who visited a third-party external website on Facebook’s in-app browser in the U.S.
Meta, like Google, relies on online advertising for the lion’s share of its revenue. In Q1 2021, before ATT was introduced, and in the most recent Q2 2022, 87.2% of Meta’s total revenue came from advertising.
But unlike Google, the company doesn’t have a popular mobile OS or a search engine to fall back on for business. As a result, the social networking giant saw its total revenue decline in Q2 2022, while its profits slid for the third straight quarter. The company is currently trying to cut costs and has initiated layoffs.
If Willis and Davis or Mitchell wins, eligible people are entitled to $10,000 or $100 per day for each day of violation under the Wiretap Act and statutory damages to the tune of $5,000 per violation under the California Invasion of Privacy Act (CIPA).
Meta was fined ₩30.8 billion (~$22.11 million) in September 2022, €17 million (~$18.6 million) in March 2022, and €60 million (~$67.87 million) in January 2022 by South Korean, French, and Irish regulators, respectively, for data privacy violations.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!
MORE ON META
