Meta faces two class-action lawsuits after both Facebook and Instagram were found to track iPhone users even after users denied permission to do so via Apple’s App Tracking Transparency function.
In recent iOS updates, iPhone users have been able to decline in-app tracking, barring any app from tracking their data. The decision by Apple sent shockwaves through the tech industry, with Meta saying that the decision alone cost them an estimated $10 billion a year.
Last month, a researcher found evidence that Meta embedded tracking code into every website shown in its in-app browsers on Facebook and Instagram apps, even when users were asking the app not to track them. In extreme cases, this would allow Facebook and Instagram to monitor every interaction a user has on its browser, including password inputs and credit card numbers.
“I don’t have a list of precise data Instagram sends back home,” Felix Krause, founder of fastlane, an open source app building tool, wrote in his report. “I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS [software development kit code] without the user’s consent, as well as tracking the user’s text selections. If Instagram is doing this already, they could also inject any other JS code.”
The lawsuits hinge on these built-in browsers both Facebook and Instagram put into their apps, which are used whenever a user taps a link, instead of directing them outside the app to something like Apple’s Safari browser.
After the report, Meta was hit with two class action lawsuits this week. Both cases were filed in the Northern District of California, and are largely arguing the same concerns about Meta circumventing Apple’s privacy efforts.
Both call Meta’s “undisclosed tracking of citizens’ browsing activity and communications” a violation of federal and state privacy and wiretapping laws and claim that this unlawful activity entitles plaintiffs and class members to damages.
“The user information Meta intercepts, monitors, and records includes personally identifiable information, private health details, text entries, and other sensitive confidential facts,” Mitchell v. Meta Platforms, Inc. said in its complaint.
The other, Willis et al v. Meta Platforms, Inc., cites the Krause report in the complaint.
“If a user accessed the same third-party website directly through their web browser, instead of Facebook’s in-app browser, the user’s browser would actively block and prevent Meta’s ability to intercept and track the user’s activity on the third-party website,” the complaint said. “But Meta tracks the same activity if the user engages on its in-app browser.”
In a statement to the Daily Dot, a Meta spokesperson said the allegations were “without merit” and said the company has “designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.”
Both suits are seeking “the greater of $10,000 or $100 per day for each day of violation” for plaintiffs.