
Lawsuit Accuses Meta of Dodging Apple Privacy Rules by Using Facebook and Instagram In-App Browsers

In-app browsers offer mobile device users the convenience of loading up web pages without having to leave the app they’re currently in, but unbeknownst to some, the apps can also inject their own code into the page. Meta now stands accused of breaking Apple privacy rules in this way, as a set of proposed class-action lawsuits describes it using its browsers to track activity without user knowledge or consent.

The “App Tracking Transparency” framework that Apple debuted with iOS 14.5 requires app developers to disclose tracking of personal information and obtain user consent to do so, either when the app is downloaded or when it is updated. Apps are not allowed to reject users or limit features if the user opts out of tracking.

Meta accused of using in-app browsers to get around Apple privacy rules

The lawsuits accuse Meta of failing to notify users that the in-app browsers of Facebook and Instagram track their activity, and to obtain proper consent for this tracking as required by the current Apple privacy rules. The suits claim that these in-app browsers inject JavaScript code into the links that they open that tracks a wide variety of user activity, up to and including viewing text and passwords the user enters.

In addition to violating Apple privacy rules, the lawsuits claim that the in-app browsers are in violation of an assortment of state-level digital privacy laws that regulate collection of personal data. The suits were filed in California, where the California Consumer Privacy Act has been the law of the land for some time now (and stands to be replaced by the similar California Privacy Rights Act (CPRA) in 2023). The other four states that have enacted comprehensive state-level laws will not see them go into effect until 2023, but it is possible that the actions of the in-app browsers could be in violation of more general privacy laws already in effect in several other states that involve data brokers, wiretapping or protection of the personal information of children.

Meta has called the suits “without merit” and said that it plans to defend itself in court. The company has been the fiercest critic of the new Apple privacy rules since they were first proposed, waging a media campaign against them that included taking out full-page print ads at one point. The company is projecting a $10 billion hit to its ad revenue in 2022 owing solely to the Apple privacy changes, and this comes as the company has seen its stock take several major plunges already throughout the year. Some third-party predictions have put the expected damage to Meta at closer to $13 billion.

The suits are potentially open to any users of the iOS Facebook or Instagram apps, a group that has been estimated to be about 11% of Facebook’s roughly 220 million and Instagram’s roughly 153 million United States users. This could translate into a major expense for the company, which agreed to a $650 million settlement involving Illinois’ biometric privacy laws in 2021 and a $37.5 million settlement involving Facebook location tracking this past August.

Much of the information on Meta’s alleged malfeasance comes from the “inappbrowser.com” website, created by former Google engineer Felix Krause to allow users to see if in-app browsers are injecting code and overriding privacy settings. Krause has also noted that another Meta app, WhatsApp, does not inject code in the way that the Facebook and Instagram in-app browsers do. This would seem to preclude claims by Meta that this code injection is for some sort of security purpose. Krause has said that this is functionally no different from a JavaScript injection attack, a point that the lawsuits have taken up in addition to the violations of Apple privacy rules.

The iOS “lockdown” mode does not defend users from in-app browser tracking, and Meta does not offer a way to opt out of being tracked in this way. The apps do offer the ability to disable the in-app browser, but one must first enter it and navigate through a settings menu to do so.

In-app browsers just one of many tricks used to circumvent Apple’s new rules

In-app browsers are just one of a number of methods that companies are using to try to sneak around the new Apple privacy rules. Another is to use “fingerprinting” techniques, which Apple has also declared to be illegal but does not have a great track record of spot-checking for and chasing off of the platform thus far. Just before the ATT framework went into effect, it was widely reported that China’s leading advertising association was testing its own new standardized fingerprinting method (called the CAID) in what appeared to be open defiance of Apple.


And all of this is when Apple itself is not opening the back door for certain major tech firms. As the Financial Times reported in early 2022, Apple has granted certain companies the right to quietly gather ad tracking data without consent so long as the company vouchsafes that it is “anonymized” and “aggregated.” The Apple privacy rules were reportedly felt to be too disruptive to the ad ecosystem and too damaging to “top performing” apps, leading to quiet compromises of this nature that iOS users may not be aware of.

 

Senior Correspondent at CPO Magazine