Facebook and Instagram are tracking your interactions, collecting your passwords, screenshots, credit card passwords and many other private data on iPhones without your consent, an investigations has just revealed.
The platforms are tracking and collecting the personal data of iPhone users, despite features and policies made by Apple which are meant to stop that same type of tracking.
Meta, parent company of Facebook and Instagram, is therefore facing a class action lawsuit after the investigations revealed that both Facebook and Instagram are using an App Tracking Transparency workaround to track users on the web, even after they were denied permission to do so.
App Tracking works by Apple assigning a unique identifier to your device.
It doesn’t reveal any details about you, but does allow them to see (for example) that iOS user with specific identifier has visited gadget websites, and therefore would be a good target for gadget ads.
It also allows them to see that iOS user with specific identifier was shown an ad for a particular product on a particular website, then subsequently went to a particular retailer site to buy it – therefore that ad was (likely) successful.
With App Tracking Transparency, app developers must ask you if you want to allow that tracking.
If you say no (as most people do), then the apps are not allowed to use that system.
Meta’s App Tracking Transparency workaround:
Facebook and Instagram each have their own embedded web browsers, which are used whenever a user taps a link in either app.
This means that Meta can track activity in those browsers.
The theoretical risk of this was already well understood, but security researcher Felix Krause last month found concrete evidence that Meta was actually doing this.
He found that both apps injected their tracking code into every website shown, including when clicking on ads.
In the most extreme case, this would enable Meta to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.
Krause doesn’t suggest Meta is going that far, of course.
His research didn’t allow him to see what data the company was extracting, but he was able to confirm that they do extract something.
“I don’t have a list of precise data Instagram sends back home.
“If Instagram is doing this already, they could also inject any other JS code.”
Class action lawsuit:
Bloomberg reports that two users have now sued Meta in a proposed class action lawsuit.
Meta Platforms Inc. was sued for allegedly building a secret work-around to safeguards that Apple Inc.
launched last year to protect iPhone users from having their internet activity tracked.
In a proposed class-action complaint filed Wednesday in San Francisco federal court, two Facebook users accused the company of skirting Apple’s 2021 privacy rules and violating state and federal laws limiting the unauthorized collection of personal data. A similar complaint was filed in the same court last week.
Responding to the report, Meta acknowledged that the Facebook app monitors browser activity, but denied it was illegally collecting user data.
What is class action suit?
A class action suit is when others affected are invited to join the action against the defendant.
Generally this means no more than filling in an online form if the case is successful, and compensation awarded (which is generally just a few dollars per person).
A judge has to approve the conversion of the lawsuit to a class action.