Meta bypassing beefy Apple security to spy on millions

Three Facebook, Inc. 196,64 +0,99 +0,51% Facebook and Apple Inc. 225,12 +0,89 +0,40% Apple iOS users have filed class action lawsuits against Meta (parent company of Facebook) accusing of them of bypassing Apple’s updated privacy rules from 2021. These rule changes caused so many people to have opted out that the Electronic Frontier Foundation reported that Meta lost $10 billion in revenue over the next year. To ‘work-around’ this Meta updated the coding of their Facebook and Instagram apps so that links users clicked on were opened in an app browser instead of the user’s default browser. This action was performed without the users knowledge or even consent. Once these links were opened in the in-app browser code was injected into the pages.

Last month, a privacy researcher and former Google engineer, Felix Krause, alleged that one way Meta sought to recover its losses was by directing any link a user clicks in the app to open in-browser, where Krause reported that Meta was able to inject a code, alter the external websites, and track “anything you do on any website,” including tracking passwords, without user consent.

Now, within the past week, two class action lawsuits [1] [2] from three Facebook and iOS users—who point directly to Krause’s research—are suing Meta on behalf of all iOS users impacted, accusing Meta of concealing privacy risks, circumventing iOS user privacy choices, and intercepting, monitoring, and recording all activity on third-party websites viewed in Facebook or Instagram’s browser. This includes form entries and screenshots granting Meta a secretive pipeline through its in-app browser to access “personally identifiable information, private health details, text entries, and other sensitive confidential facts”—seemingly without users even knowing the data collection is happening.

Of course Meta is denying these allegations and contends “We have carefully designed our in-app browser to respect users’ privacy choices, including how data may be used for ads.” This is not the first time (and certainly won’t be the last) Facebook/Meta have gotten into serious legal troubles related to user privacy. In July 2019 the Federal Trade Commission investigation resulted in a $5 billion fine for Meta. Earlier this month Instagram was fined by Irish Data Protection Commission for “its handling of children’s privacy settings on Instagram.” These alleged actions were violations of Europe’s GDRP which resulted in a $402 Million EU fine against Instagram.

So what to do to prevent Meta from “looking over your shoulder” when using Facebook and Instagram? The best way user can protect themselves (short of not using Meta’s products) is by copying and pasting links from within Facebook and Instagram into their preferred browser.

via ARS Technica