Facebook sued for allegedly spying on users via in-app web browser

Facebook on laptop
(Image credit: Luca Sammarco/Pexels)

Meta is being sued for allegedly gathering personally identifiable information (PII) on its Facebook and Instagram users without telling them. 

As per the lawsuit, the problem lies in how the company's Facebook and Instagram platforms handle internet links on an iOS device. Both apps have their own embedded internet browsers, the WKWebView, which render the pages when a user clicks on a link (as opposed to opening the links in, say, Safari, or Chrome).

On the user’s side, clicking a link would make it seem as if the app opened the page, rather than as if it was opened in a separate app. However, the plaintiffs say that the browser also injects JavaScript code that gathers data - something other browsers wouldn’t be able to do.

Personally identifiable information

"When users click on a link within the Facebook app, Meta automatically directs them to the in-app browser it is monitoring instead of the smartphone’s default browser, without telling users that this is happening or they are being tracked," the lawsuit says.

"The user information Meta intercepts, monitors and records includes personally identifiable information, private health details, text entries, and other sensitive confidential facts."

The case was boosted by previous findings from cybersecurity researcher Felix Krause, who raised the issue in August 2022.

When Krause published his findings, Meta responded by saying the code injection was done to respect user privacy choices.

"We intentionally developed this code to honor people's App Tracking Transparency (ATT) choices on our platforms," a Meta spokesperson told The Register. "The code allows us to aggregate data before it is used for targeted advertising or measurement purposes."

The plaintiffs, Gabriele Willis and Kerreisha Davis, do not dispute Apple’s data gathering practices, just the fact that it kept quiet about it. 

"Meta fails to disclose the consequences of browsing, navigating, and communicating with third-party websites from within Facebook’s in-app browser – namely, that doing so overrides their default browser’s privacy settings, which users rely on to block and prevent tracking," it says in the complaint. 

"Similarly, Meta conceals the fact that it injects JavaScript that alters external third-party websites so that it can intercept, track, and record data that it otherwise could not access."

The company rejected the claims, with a spokesperson saying: “These allegations are without merit and we will defend ourselves vigorously."

"We have carefully designed our in-app browser to respect users' privacy choices, including how data may be used for ads."

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.