In a move that appears to primarily be aimed at iPhone users that have opted out of device tracking, Facebook is now using device accelerometer data as an alternate means of pinpointing locations and following app users about their day. This happens even if users both opt out of targeted advertising and disable location tracking within the Facebook app.
Perhaps more so than any other company, Facebook has been openly hostile to Apple’s iOS 14 privacy updates that force it (along with all other apps) to get express user permission to track a device by its unique identifying number. In addition to the use of accelerometer data, the company is using whatever shreds of information it can still gather via its app (such as IP addresses and the metadata attached to videos and pictures) that it believes does not violate the letter of the law.
Facebook location tracking persists on iOS devices; no way out but to delete the app
Facebook’s internal settings allow app users to “never” have their location tracked, but this is apparently providing a false sense of security. The app will now always access accelerometer data, or information automatically recorded about how the phone is being physically moved in space.
At the user end, the accelerometer is primarily included for automatically adjusting screen orientation as users move their phone around. While iOS is generally seen as a secure and locked-down digital ecosystem, it allows apps to access this particular information freely without permission (so long as the app doing the measuring is currently active and in the foreground).
Facebook appears to be taking full advantage of this soft spot in the phone’s security as an alternate means of location tracking. The iPhone has a particularly advanced set of accelerometer data that is freely available to app publishers, including a gyroscope and barometer. This information allows apps to see a user’s current altitude and environmental air pressure level, as well as make a very reasonable inference as to how the user’s body is currently positioned and how they are holding the phone.
While that is somewhat invasive in terms of location tracking, it is still not enough to get an accurate read on precise location. This is where Facebook relies on its extensive user network for a unique advantage. While you may have disabled all forms of location tracking, another phone user nearby might not have. If that user’s environmental accelerometer data is identical to yours, Facebook now knows your location.
Accelerometer data can go even further, potentially reconstructing sounds from vibrations and measuring biometric data like heart and respiration rate. Researchers Talal Haj Bakry and Tommy Mysk, who previously discovered that apps such as TikTok were harvesting the contents of the clipboard, have studied Facebook’s use of all of this information for location tracking and found that the app is constantly reading accelerometer data no matter what settings the user enables; it’s unclear exactly what it’s capturing, but it cannot be disabled and the app cannot seem to get enough of it.
Accelerometer data open to abuse by any app
In a statement to Forbes about the story, Facebook said that it collects accelerometer data to support certain functions such as camera panning and “shake to report” spam or abusive messaging. However, none of these features explain why it would need to be constantly enabled and reading user data regardless of settings. Surreptitious use for location tracking is the only theory that makes a great deal of sense.
Apple’s App Tracking Transparency requirements cannot protect users from the abuse of accelerometer data, at least as presently constituted. The new rules apply primarily to the use of the IDFA, the unique device identifier granted to advertisers for personalized ad purposes. Apps are not supposed to engage in “device fingerprinting” techniques as a workaround for location tracking, but it is unclear if Apple would regard this as that type of violation given that it does not protect accelerometer data with permissions.
With no option at all to disable this backdoor location tracking, the security experts say that the Facebook mobile app should simply be deleted by anyone who has concerns about being tracked (Facebook could still be used more privately on a computer through a web browser). Apple has yet to comment on the issue, but it is possible that it could be addressed with a privacy update in a future version of iOS. It does not appear to be a part of the upcoming iOS 15.2, however; Apple announced a new “app privacy report” that will detail the data that apps are collecting, something that may reveal more about how Facebook is making use of accelerometer data, but made no mention of securing it further in any way. Apple may be paying closer attention than usual to any privacy issues that Facebook causes for it, given the recent news that it has been working with Google to circumvent its protections using the Safari web browser.
