Search Articles
SAN FRANCISCO (CN) — A federal judge ruled Monday that Meta must face claims brought by Android users who say the tech giant exploited vulnerabilities in Android smartphones to match users’ browsing activity to their Meta social media accounts in an attempt to create more detailed advertising profiles.
U.S. District Court Judge Rita Lin advanced the majority of the class action claiming Meta intentionally and secretly circumvented browser protections to better link users’ browsing behavior with their Meta accounts, which could be viewed as a “highly offensive intrusion” of their data privacy.
“From those allegations of secretive and evasive behavior that was surprising even to technical experts, it is reasonable to infer that plaintiffs did not give Meta permission to evade Android’s sandboxing in this way and that Meta knew it was acting without permission,” the Joe Biden appointee wrote in the 23-page ruling.
“There is a fundamental difference between using known functionality of a system in an unexpected way and employing subterfuge to exploit design flaws that are not broadly known,” she continued.
The judge also greenlit claims that Google breached its duty of care by designing Android with certain flaws that allowed Meta to exploit the operating system. However, she dismissed, with leave to amend, the plaintiffs’ claims of unjust enrichment and pen register against Meta and negligent misrepresentation against Google.
The plaintiffs have until June 1 to file an amended complaint.
Lead plaintiff Devin Rose filed the class action against Meta on June 2, 2025, the same day a group of internet security researchers disclosed that Meta had modified its tracking pixels to exploit a communication channel on Android devices typically used for making audio or video calls to tie users’ browsing information to their Meta social media profiles, making users non-anonymous and identifiable.
Meta developed its pixel to be installed on third-party websites so that it can track users’ online behavior in order to sell targeted advertising based on that behavior. Meta uses its pixel code to create individual profiles of users and then attempts to link them to users’ Instagram or Facebook accounts.
The plaintiffs claim that it was easy for Meta to track users who are signed into their social media accounts on their web browsers. However, they say it was more difficult to match accounts with users who were only signed into the Instagram or Facebook apps due to sandboxing restrictions, which require apps to operate independently of one another and not interact.
According to the amended complaint, Meta modified its pixel code to get around Android’s sandboxing restrictions by passing data from web browsers to Facebook or Instagram using the communication ports. The plaintiffs say Meta’s methods evolved over time to evade detection and sandboxing restrictions.
The plaintiffs additionally argued that Meta specifically targeted Google’s Android systems and not Apple’s iOS systems because Google’s “overly permissive” design allowed Meta to track and identify users without their permission, and that Google should have known about the flaws in its system.
The plaintiffs brought nine state and federal privacy claims against Meta, including intrusion upon seclusion, invasion of privacy and violations of wiretapping and eavesdropping provisions. They additionally brought two claims of negligence and negligent misrepresentation against Google.
In its motion to dismiss, Meta argued that the plaintiffs gave the company permission to track and identify them by agreeing to Meta’s privacy policy. However, Lin rejected that argument, finding that a reasonable user would read the privacy policy as not disclosing that Meta would “perfectly match Android browsing activity to Meta accounts by opening a backdoor to users’ Facebook and Instagram apps.”
“The issue here is not that users had buyer’s remorse, like when users believe something is unlikely to occur simply because a privacy policy used ‘indefinite’ language like ‘may’ instead of will,’” the judge said. “Rather, a reasonable user in this scenario could believe that the conduct at issue would never occur.”
As for the wiretapping claims, Lin ruled that the plaintiffs plausibly claimed that Meta “intercepted and eavesdropped on the contents of their communications during transmission,” including the URLs of webpages visited, what users searched in the search bar, actions users took on a page and the contents of commonly used form fields.
“Plaintiffs have plausibly alleged that users would not agree, and have not agreed, to permit the collection of standard Pixel data in a context where it would be combined via the Modified Pixel with perfectly matched identifiers from their Facebook and Instagram phone apps,” the judge said.
Representatives for the parties did not immediately respond to a request for comment.
Follow @mhattridge_Subscribe to our free newsletters
Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.
