• by Wendy Davis  @wendyndavis, March 24, 2023

Meta Platforms is asking a federal judge to throw out a lawsuit alleging that the company collects data about smartphone users' online activity by injecting tracking code into sites accessed through Facebook's and Instagram's in-app browser.

Among other arguments, Meta says the claims, which drew heavily on a report by security researcher Felix Krause, are too speculative to warrant further proceedings.

“Plaintiffs rushed into court to file this litigation after seeing a blog post critical of Meta ... without closely reading, or else deliberately ignoring, what it actually says,” the company argues in papers Thursday with U.S. District Court Judge Jon Tigar in the Northern District of California. “While the blog post criticizes the use of in-app browsers, based on the concern that app developers could use such browsers to improperly collect user browsing activity, it never asserts that Meta actually uses its in-app browser in such a way.”

The company's argument comes in a class-action complaint dating to September, when Wayne Mitchell and other Facebook users claimed Meta violates the federal wiretap law, as well as various California state laws, through its in-app browser.

The complaint was filed shortly after Krause reported that Facebook and Instagram can track app users who click on links to outside sites -- such as ads or retail sites. Meta is able to do so because its apps automatically open a Meta browser when people click on in-app links; that browser then injects tracking code into those outside sites, according to Krause.

“The Instagram app injects their JavaScript code into every website shown, including when clicking on ads,” he wrote. “Even though the injected script doesn’t currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.”

Krause added that Meta told him the injected code helps to aggregate events such as online purchases, and that the code respects an Apple setting that doesn't allow developers to track users without their explicit consent.

Meta now wants Tigar to rule that the complaint's central allegations -- that the company monitors all activity by users in in-app browsers , and that it violates Apple's no-tracking policy -- are not supported by Krause's blog post.

Without those allegations, “plaintiffs are left only with the Krause Post’s generalized concern that a custom in-app browser could be used to monitor everything a user does, or plaintiffs’ own speculation that Meta could be doing so through the in-app browser,” the company writes, adding that the “the mere possibility of improper conduct,” doesn't establish grounds for a lawsuit.