Facebook owner Meta is once again under fire, this time for allegedly building a workaround to Apple’s recent privacy rules. Bloomberg reported that two Facebook users filed a proposed class-action complaint against Meta this Wednesday in the US District Court for the Northern District of California. The users accuse the company of bypassing Apple’s 2021 privacy rules and breaking state and federal laws limiting the collection of personal data.
This was the second lawsuit filed against Meta Platforms over privacy concerns this month. Both are based on a report by security researcher Felix Krause, who we wrote about just last month. Krause claimed that Meta’s Facebook and Instagram iOS apps inject JavaScript code into websites visited through the in-app browser.
Krause explained exactly what Instagram and Facebook do on his blog:
- Links to external websites are rendered inside the Instagram app, instead of using the built-in Safari.
- This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider.
- The Instagram app injects their JavaScript code into every website shown, including when clicking on ads. Even though the injected script doesn’t currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.
Meta reached out to Krause shortly after the blog post went live to clarify a few points. First, the company claims that the JavaScript code injection doesn’t ignore the user’s App Tracking Transparency (ATT) choices. Krause notes that Meta did not fully answer his question, but he concedes that “Meta is following the ATT rules.”
A Meta spokesperson told Bloomberg that the allegations are “without merit” and that Meta will defend itself. “We have designed our in-app browser to respect users’ privacy choices, including how data may be used for ads,” the spokesperson added.
We’ll be keeping an eye on the lawsuit as it progresses.