Former Google engineer and privacy researcher Felix Krause revealed in August that the iOS versions of Facebook and Instagram apps can track iPhone users across websites. 

In line with this, users have filed two proposed class action lawsuits accusing Meta of bypassing Apple's App Tracking Transparency (ATT) feature, which aims to protect user privacy.

What Did Krause Discover?

Krause alleged that when you use Meta's in-app browser, it injects tracking code into websites. Whether or not you gave the app permission to track your activity, this javascript purportedly enables it.

You've probably noticed that when you visit a website you see on Facebook or Instagram, a custom in-app browser is used instead of your default web browser. Krause claimed that those browsers inject javascript code into each website you visit, potentially allowing parent Meta to monitor you between websites.

Reports noted that if Facebook or Instagram was launched via a browser, such as Safari or Firefox, there would be no similar javascript injection that would occur. However, Instagram and Facebook in-app browsers "works for any website, no matter whether it's encrypted or not." 

Without the users' consent, Krause said that Meta was able to change the external websites and track everything you do on any website, including tracking passwords.

Other Apps Do Not Have Javascript Injection

Krause developed a website called inappbrowser.com where users may check to see if a specific in-app browser is injecting code into websites.

He found that a browser within an app like Telegram does not inject JavaScript code onto websites to track user data. According to reports, WhatsApp does not have javascript injections either.

Read More: FB Whistleblower Voices Worries About Meta's Privacy Policies in the Metaverse

Meta Sued for Allegedly Evading User Privacy 

According to Bloomberg (via Engadget), users have filed two [1][2] proposed class action lawsuits against Meta, alleging that the social media giant violated both federal and state laws against improper data collection by bypassing Apple's ATT feature.

Evading iOS users' privacy options, intercepting, tracking, masking privacy risks and recording any activity on third party websites accessed in Facebook or Instagram's browser, were among the things users accused Meta of doing, as reported by Ars Technica.

They alleged that because Meta can track screenshots and form submissions, which it then uses to have sneaky access to sensitive data including text inputs and private health information. Apparently, consumers are unaware that their data is being collected.

In April 2021, Apple released the iOS 14.5 update, which included the introduction of Apple's ATT, which allows you to expressly opt-in and prohibits apps from tracking users.

Meta Denied the Allegations

The tech giant said that both claims were "without merit" and that it would "vigorously" defend itself. It also asserted that their in-app browsers follow privacy preferences, even for advertisements.

A Meta spokesperson said to Ars Technica that: "These allegations are without merit and we will defend ourselves vigorously. We have carefully designed our in-app browser to respect users' privacy choices, including how data may be used for ads."

Related Article: Facebook, Instagram Can Track Users by Using In-App Browsers, Researcher Says