Tech giant Meta finds itself at the center of a class action lawsuit, facing serious allegations of exploiting vulnerabilities in Android smartphones to track users’ private information. The controversy began last year when researchers unveiled a “novel tracking method” that Meta purportedly employed to link user browsing activity with their accounts on Instagram and Facebook.
On the same day that these revelations came to light, a group of Android users initiated legal action against Meta, claiming that the company knowingly took advantage of weaknesses in the Android operating system. The lawsuit alleges that these vulnerabilities enabled Meta to unlawfully access and de-anonymize the personal data of millions of Android users, presumably to enhance its advertising profiling capabilities.
Despite Meta’s attempts to dismiss nine privacy-related claims from the lawsuit, US District Court Judge Rita Lin ruled last week that the majority of these claims must proceed. In her 23-page ruling, Judge Lin stated, “Plaintiffs have plausibly alleged a highly offensive intrusion [upon their privacy].” She emphasized the distinction between utilizing known system functionalities in unexpected ways and employing subterfuge to exploit lesser-known design flaws.
Meta faces “very significant” privacy breach
Rahat Masood, a senior lecturer at the UNSW School of Computer Science and Engineering, commented on the potential implications of the case, describing it as a “very significant privacy breach.” He noted that the concern extends beyond mere data collection; it involves Meta allegedly using a hidden communication mechanism between Android apps and mobile browsers to associate browsing activity with users’ Facebook or Instagram identities. This could occur even when users believed they were operating under anonymity or utilizing privacy features like incognito mode or cookie clearing.
“If those allegations are proven, it would raise serious questions about transparency, informed consent, and whether users were given a realistic opportunity to understand or prevent this type of tracking,” Masood added. The plaintiffs pointed out that Meta typically struggles to connect data to accounts when users are not logged into a web browser, a common scenario for mobile users who access social media through apps. Judge Lin noted that “according to Plaintiffs, Meta was not content with that status quo.”
To circumvent this limitation, Meta allegedly exploited an Android vulnerability to bypass a fundamental principle of modern internet security known as ‘sandboxing,’ which is designed to keep apps like web browsers and social media platforms isolated from one another. This exploitation reportedly allowed Meta to link browsing information—including tracked names, email addresses, and button click data—to personal information on users’ Facebook and Instagram accounts, thereby enhancing its targeted advertising capabilities. Interestingly, Meta has reportedly ceased using this alleged tracking method.
Meta scores some wins
In a twist of fate, Information Age has learned that Meta successfully dismissed two of the plaintiffs’ claims. Allegations related to unjust enrichment and the assertion that Meta’s modified pixel code functioned as a ‘trap and trace device’ were thrown out, with an amendment deadline set for June 1. The plaintiffs also brought two claims against Google for negligence and negligent misrepresentation. While one of these claims was dismissed, Judge Lin ruled that the plaintiffs had plausibly alleged that Google breached its duty of care by designing Android with an “overly permissive” architecture.
Amid the ongoing lawsuit, reports have surfaced of Meta employees in the US protesting the company’s use of controversial mouse-tracking software across multiple offices.
Parents get insight on teen algorithms
In other developments, Meta has announced a suite of new features aimed at enhancing compliance with global social media age and safety regulations. Among these is the Family Center, which allows parents to manage their teen’s supervised experience across Instagram, Facebook, Messenger, and the virtual reality platform Meta Horizon. Parents will soon be able to send a single invitation to supervise their teens across these platforms, gaining insights such as “aggregated time spent” that are expected to roll out in the coming months.
Additionally, the company is introducing a ‘Your Algorithm’ feature that will enable algorithmic customization on Instagram’s main feed. Parents will also receive notifications regarding the general topics their teens engage with. Lisa Given, a professor of Information Sciences at RMIT, emphasized that while the ability to review algorithmic topics will be automatically set up in teen accounts, it will require proactive engagement from parents. “More importantly, parents will need to prompt conversations with their children to determine the nature of the content within general topics, like ‘beauty’ or ‘photography,’” Given noted. “These types of general categories will not provide specific details, so parents will need to be very engaged with their children to determine potential risks or concerns.”
Last week, Meta also unveiled plans to utilize AI to assess users’ bone structure and height as a means to detect underage accounts on Facebook and Instagram.
