App Tracking Transparency workaround – Meta class action lawsuit

Meta is facing a class action lawsuit after both Facebook and Instagram were found to be using a workaround to App Tracking Transparency to track users online even after they denied permission for this.

The company is accused of not only violating Apple’s privacy rules, but also violating both state and federal laws…


App tracking works by Apple assigning a unique identifier to your device. It doesn’t reveal any details about you, but allows advertisers to see (for example) that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 has visited gadget websites and would therefore be a good target for gadget ads.

It also allows them to see that iOS user 30255BCE-4CDA-4F62-91DC-4758FDFF8512 was shown an ad for a specific product on a specific website, then went to a specific retailer website to purchase it, so the ad was (probably) successful.

With App Tracking Transparency, app developers must ask you if you want to allow this tracking. If you say no (as most do), then apps are not allowed to use that system.

Facebook and Instagram each have their own embedded web browsers, which are used whenever a user taps a link in either app. This means that Meta can track activity in these browsers.

The theoretical risk of this was already well understood, but security researcher Felix Krause last month found concrete evidence that Meta actually did this.

He found that both apps injected their tracking code into all websites viewed, including when users clicked on ads. In the most extreme case, this would allow Meta to monitor all user interactions, such as every button and link clicked, text selection, screenshots, as well as any input such as passwords, addresses and credit card numbers.

Of course, Krause isn’t suggesting that Meta goes that far. His research did not allow him to see what data the company extracted, but he was able to confirm that it extracts something.

I don’t have a list of exact data Instagram sends home. I have evidence that the Instagram and Facebook app are actively running JavaScript commands to inject an additional JS SDK without the user’s consent, as well as track the user’s text selection. If Instagram already does this, they can also inject any other JS code.
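What a site owner can check from inside the page, given the injection behaviour described above. This is an added example, not code from the article, from Krause's research or from Meta: it flags script elements the site did not ship and records `selectionchange` listener registrations. The origins, nonce, sample entries and function names are constructed for illustration.

```javascript
// Added example with hypothetical names and values; set ALLOWED_ORIGINS for your own site.
const ALLOWED_ORIGINS = new Set(["https://shop.example", "https://cdn.shop.example"]);

// Flag <script> elements the site did not ship: external ones from an origin
// outside the allowlist, inline ones that lack the nonce the server issued.
function findUnexpectedScripts(scripts, pageUrl, pageNonce) {
  const findings = [];
  for (const s of scripts) {
    if (!s.src) {
      if (s.nonce !== pageNonce) findings.push({ kind: "inline", detail: (s.text || "").slice(0, 40) });
      continue;
    }
    let origin;
    try { origin = new URL(s.src, pageUrl).origin; } catch (e) { origin = "unparseable"; }
    if (!ALLOWED_ORIGINS.has(origin)) findings.push({ kind: "external", detail: origin });
  }
  return findings;
}

// Wrap addEventListener so registrations for watched events are recorded.
// Install it after the site's own listeners so only later registrations show up.
function watchListeners(target, watched, log) {
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    if (watched.includes(type)) log.push(type);
    return original.call(this, type, listener, options);
  };
  return () => { target.addEventListener = original; }; // undo the wrapper
}

// Constructed sample: two first-party scripts, one inline script with the page
// nonce, and two entries of the kind an embedding app could add.
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js" },
  { src: "https://cdn.shop.example/lib.js" },
  { src: null, nonce: "n1", text: "initCart()" },
  { src: "https://sdk.tracker.invalid/events.js" },
  { src: null, nonce: "", text: "window.__hook = true" },
];

if (typeof document !== "undefined") { // browser wiring; run as the last first-party script
  const log = [];
  watchListeners(document, ["selectionchange"], log);
  window.addEventListener("load", () => {
    const live = [...document.scripts].map((s) => (
      { src: s.getAttribute("src"), nonce: s.nonce, text: s.textContent }));
    console.log(findUnexpectedScripts(live, location.href, "n1"), log);
  });
}
```

Page code only sees what runs in the page's own JavaScript context, so an empty result does not prove that the host app injected nothing.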

Class action

Bloomberg reports that two users have now sued Meta in a proposed class action.

Meta Platforms Inc. was sued for allegedly building a secret solution to security measures that Apple Inc. launched last year to protect iPhone users from having their internet activity tracked.

In a proposed class-action lawsuit filed Wednesday in San Francisco federal court, two Facebook users accused the company of violating Apple’s 2021 privacy rules and violating state and federal laws that limit the unauthorized collection of personal data. A similar complaint was filed in the same court last week […]

In response to the report, Meta acknowledged that the Facebook app monitors browsing activity, but denied that it illegally collected user data.

A class action is when other affected parties are invited to participate in the case against the defendant. Generally this means no more than filling out an online form if the case is successful and compensation is awarded (which is generally only a few dollars per person). A judge must approve the conversion of the lawsuit to a class action.

Photo: Glen Carrie/Unsplash
