Tech giant Meta has failed to escape a class action lawsuit after the company allegedly exploited vulnerabilities in Android smartphones to track users’ private information.
Last year, researchers sounded the alarm over a “novel tracking method” Meta had allegedly used to match user browsing activity to accounts on Instagram and Facebook.
The same day, a group of Android users filed a lawsuit that accused Meta of knowingly exploiting vulnerabilities in the Android operating system.
According to the allegations, these vulnerabilities “allowed Meta to unlawfully seize and de-anonymise the personal data of many millions of Android users” – presumably in a bid to more effectively profile users for advertising.
Though Meta moved to dismiss fully nine privacy-related claims from the lawsuit, US District Court Judge Rita Lin last week ruled Meta must face the majority of the claims.
“Plaintiffs have plausibly alleged a highly offensive intrusion [upon their privacy],” Lin wrote in a 23-page ruling.
“There is a fundamental difference between using known functionality of a system in an unexpected way and employing subterfuge to exploit design flaws that are not broadly known,” she added.
Meta was contacted for comment but did not respond prior to publication.
Meta faces “very significant” privacy breach
Rahat Masood, senior lecturer at the UNSW School of Computer Science and Engineering, told Information Age the case could mark a “very significant privacy breach”.
“The concern is not simply that browsing data was collected, but that Meta used a hidden communication mechanism between Android apps and the mobile browser to associate browsing activity with a user’s Facebook or Instagram identity, even in situations where users may have believed they were anonymous or protected through privacy tools such as incognito mode or cookie clearing,” said Masood.
“If those allegations are proven, it would raise serious questions about transparency, informed consent, and whether users were given a realistic opportunity to understand or prevent this type of tracking.”
The plaintiffs noted that Meta has a harder time linking data to accounts if the user is not logged into a web browser – which is often the case for mobile phone users who use their social media via apps.
Judge Lin noted that “according to Plaintiffs, Meta was not content with that status quo”.
To address this, Meta allegedly used an Android vulnerability to circumvent a fundamental principle of modern internet security known as ‘sandboxing’ – which ensures apps, such as web browsers and social media, are siloed and prevented from accessing information from each other.
This meant if an Android user simply visited a webpage containing Meta’s highly common ‘Meta Pixel’ code, the company was allegedly able to link their browsing information – including tracked names, email addresses, button click data, and more – to personal information on their Facebook and Instagram apps.
According to the plaintiffs, this increased the tech giant’s ability to serve targeted advertising.
Notably, Meta has reportedly stopped using the alleged tracking method.
Meta scores some wins
Information Age understands Meta did manage to have two of the plaintiffs’ claims dismissed.
Allegations surrounding unjust enrichment and an assertion that Meta’s modified pixel code acted as a ‘trap and trace device’ were thrown out with an amendment deadline of 1 June.
The plaintiffs also brought two claims against Google for negligence and negligent misrepresentation.
Though the latter claim was dismissed, Lin ruled the plaintiffs had plausibly alleged Google breached its duty of care by designing Android with an “overly permissive” architecture.
Alongside the unfolding lawsuit, Meta employees in the US have reportedly started to protest the company’s use of controversial mouse-tracking software at multiple offices.
Parents get insight on teen algorithms
In other Meta news, the company has announced a set of new features to bolster its compliance with global social media age and safety laws – including a Family Center where parents can manage their teen’s supervised experience across Instagram, Facebook, Messenger and virtual reality platform Meta Horizon.
Parents will be able to “send a single invitation” to supervise their teen across the apps, with insights such as “aggregated time spent” expected to roll out in coming months.
The company’s ‘Your Algorithm’ feature will soon bring algorithmic customisation to the main feed on Instagram, while parents will be able to view and receive notifications about “the general topics their teens engage with”.
Lisa Given, professor of Information Sciences at RMIT, said although the ability to review algorithmic topics will be set up automatically in teen accounts, it will be “up to parents to engage proactively with these features”.
“More importantly, parents will need to prompt conversations with their children to determine the nature of the content within general topics, like ‘beauty’ or ‘photography’,” said Given.
“These types of general categories will not provide specific details, so parents will need to be very engaged with their children to determine potential risks or concerns.”
Last week, Meta announced plans to check users’ bone structure and height with AI to help detect underage accounts on Facebook and Instagram.