A stark new warning for almost all iPhone users, as Facebook is suddenly caught “secretly” harvesting sensitive data without anyone realizing. And worse, there’s no way to stop this especially invasive tracking other than by deleting the app.
A week ago, I warned iPhone users that Facebook still captures location data using the metadata from your photos and your IP address, even if you set your settings to “never” track your location. Facebook admits to this harvesting, refusing to be drawn on why that’s so wrong when users specifically disable location tracking.
Now security researchers have suddenly warned that Facebook goes even further, using the accelerometer on your iPhone to track a constant stream of your movements, which can easily be used to monitor your activities or behaviors at times of day, in particular places, or when interacting with its apps and services. Alarmingly, this data can even match you with people near you—whether you know them or not.
Just like the photo location data, the most serious issue here is that there is absolutely no transparency. You are not warned that this data is being tracked, there is no setting to enable or disable the tracking; in fact, there doesn’t seem to be any way to turn off the feature and stop Facebook (literally) in its tracks.
Researchers Talal Haj Bakry and Tommy Mysk warn that “Facebook reads accelerometer data all the time. If you don’t allow Facebook access to your location, the app can still infer your exact location only by grouping you with users matching the same vibration pattern that your phone accelerometer records.”
The researchers say the issue impacts Facebook, Instagram and WhatsApp, albeit with WhatsApp, it’s possible to disable the feature and the platform assured me that no data ever leaves a user’s device. “In Facebook and Instagram,” Mysk told me, “it is not clear why the app is reading the accelerometer—I couldn’t find a way to disable it.” That means you need to delete the app and access Facebook via your browser instead.
Facebook is awkwardly exposed here, with Mysk telling me: “I tested TikTok, WeChat, iMessage, Telegram and Signal. They don’t do it.”
Given that Facebook dominates iPhone social media installs, this will impact almost all the billion-plus iPhone users around the world. Facebook confirmed to me that “we use accelerometer data for features like shake-to-report, and to ensure certain kinds of camera functionality such as panning around for a 360-degree photo or for camera.”
“Although the accelerometer data seems to be innocuous,” Mysk says, “it’s jaw-dropping what apps can make up of these measurements. Apps can figure out the user’s heart rate, movements, and even precise location. Worse, all iOS apps can read the measurements of this sensor without permission. In other words, the user wouldn’t know if an app is measuring their heart rate while using the app.”
While there may be valid benefits in using the camera, this does not explain why your movements are tracked constantly, rather than only when those camera features are in use. It would be simple for Facebook only to tap the accelerometer when needed. As for the shake to report function, Facebook could use Apple’s functionality to limit how much data it pulls—but that’s not how Facebook operates. Worse, even when users toggle off this reporting feature in the Facebook app, Mysk told me, “nothing happens when you shake the phone, but the app continues to read the accelerometer.”
The researchers cite the example of a bus journey to show how such data might be used. “If you are on the bus and a passenger is sharing their precise location with Facebook,” they explain, “Facebook can easily tell that you are in the same location as the passenger. Both vibration patterns are going to be identical.”
If you think this is spurious, Facebook actually has a patent application to use wireless phone signals to connect strangers, and even cites the example of just such a bus ride: “it can be advantageous to provide an approach for users, who have met or have likely met, to connect with one another if they so choose.” Remember, none of this information exists in isolation; Facebook’s trillion-dollar magic is joining the data dots. Put more simply, you know all those mysterious new friend connection ideas…
“We tested several apps,” Mysk explains, “and Facebook and Instagram stood out. While Facebook reads the accelerometer all the time, Instagram only reads it when the user is texting in the DM. In addition, WhatsApp also reads the accelerometer by default to animate chat wallpapers. So, this puts these three apps together, and you wonder if they are matching vibration patterns among users. This can get nasty, and the way to end it is by protecting this valuable sensor with a permission.”
You need to remember that Facebook is a trillion-dollar empire built on data, and only data—with Facebook, it’s not so much a metaverse as a dataverse. If the company can use this data, combined with everything else it holds on you and those around you, then it will. Why would it suddenly decide to exercise restraint?
Just look at the staggering privacy labels behind Facebook’s iPhone app—while much of the data Facebook gathers comes from its platform and services, the data it can pull from the app simply adds more third-party information into its mix. All this is linked to your identity, nothing is wasted or thrown away.
As ESET’s Jake Moore warns, “this is, in clear terms, another violation which seems to have gone under the radar when scooping up yet more personal data from iPhones. Many people may not even think twice what sensors an iPhone has, let alone fully understand what this information can offer companies.”
This is another app permission issue. If you use the Facebook app on your iPhone, then you essentially give Facebook permission to access data and information on and about your phone. And while you can restrict some of this, there is other data—just as here with the accelerometer—that you will not know about.
Mysk and Haj Bakry have form for just such privacy exposures. They discovered the iOS clipboard issue that ultimately prompted Apple to change its settings and provide a clipboard warning, which has now led to Android 12 doing the same.
Just as then, Apple needs to act here. The accelerometer should not be a free-for-all, not when data giants such as Facebook can use this as yet another data point to feed into their algorithms, plotting social graphs and tracking locations and behaviors.
“All data which is personal and unique should be viewed as sensitive and must be protected,” Moore says. “This permission needs to be restricted along with other obtrusive data tracking especially if users were previously unaware this information was being analyzed.” And it’s that lack of awareness that is most critical here.
Apple has done a great job this year, preventing data abuses from the likes of Facebook and Google. App Tracking Transparency has already had a drastic impact on data-fueled revenues. In iOS 15, we have seen new privacy innovations around mail tracking, web anonymity and privacy reports. Now we have another simple update that Apple needs to develop, to clamp down on this clear-cut data abuse.