LAW ENFORCEMENT SENSITIVE

FEDERAL LAW ENFORCEMENT DISCLOSURE

Potential Criminal Violation of the Federal Wiretap Act

18 U.S.C. Section 2511 et seq.

Submitted To Federal Bureau of Investigation
Internet Crime Complaint Center (IC3)
Cyber Division

Date December 29, 2025

Version 1.0 FINAL

RE: Criminal Complaint Against Meta Platforms, Inc. for Unauthorized Interception of Oral Communications in Violation of 18 U.S.C. Section 2511 (Federal Wiretap Act)

EXECUTIVE SUMMARY

This complaint presents forensic evidence that Meta Platforms, Inc., through its Facebook iOS application, has implemented technical mechanisms that circumvent Apple's privacy indicators to enable covert audio surveillance of an estimated 2.9 billion users worldwide.

2511

18 U.S.C. Section

5 yrs

Max Imprisonment

2.9B

Users at Risk

1,099

Audio Accesses (15 min)

I. Preliminary Statement II. Complainant Information III. Subject of Complaint IV. Applicable Federal Statutes V. Summary of Allegations VI. Detailed Technical Evidence VII. Evidence of Premeditation and Intent VIII. Scale of Potential Harm IX. Requested Actions X. Preservation Request XI. FTC Precedent and Enforcement History XII. Supporting Documentation XIII. Declaration Under Penalty of Perjury XV. Submission Instructions

I. PRELIMINARY STATEMENT

This formal complaint presents forensic technical evidence demonstrating that Meta Platforms, Inc. ("Meta" or "Facebook"), through its Facebook iOS application (version 345.0, Build 333768490), has implemented and deployed a sophisticated technical mechanism designed to:

Circumvent Apple iOS privacy indicators (the orange microphone indicator dot) that inform users when audio is being accessed;
Maintain indefinite background audio capture capability through abuse of iOS VoIP and background execution privileges;
Transmit captured audio data to Facebook servers via documented network endpoints including shortwave.facebook.com;
Conceal these activities from users through deliberate suppression of operating system privacy notifications.

These actions, if proven, constitute criminal violations of:

18 U.S.C. Section 2511 - Interception and disclosure of wire, oral, or electronic communications
18 U.S.C. Section 2512 - Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices
18 U.S.C. Section 2520 - Recovery of civil damages authorized

Given that Facebook has approximately 2.9 billion monthly active users worldwide, with an estimated 150+ million iOS users in the United States alone, the potential scope of criminal conduct and harm is unprecedented in scale.

II. COMPLAINANT INFORMATION

Name	[REDACTED FOR PUBLIC DISCLOSURE]
Address	San Francisco
City, State	California
Phone	[REDACTED]
Email	[REDACTED]
Occupation	Independent Security Researcher

III. SUBJECT OF COMPLAINT

Company Name	Meta Platforms, Inc.
Former Name	Facebook, Inc.
Headquarters	1 Hacker Way, Menlo Park, CA 94025
CEO	Mark Zuckerberg
Application	Facebook for iOS
Bundle ID	`com.facebook.Facebook`
Version Analyzed	345.0 (Build 333768490)
Platform	Apple iOS (iPhone, iPad)

IV. APPLICABLE FEDERAL STATUTES

A. 18 U.S.C. Section 2511 - Interception of Communications

(1) Except as otherwise specifically provided in this chapter any person who--

(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;

(b) intentionally uses, endeavors to use, or procures any other person to use or endeavor to use any electronic, mechanical, or other device to intercept any oral communication when--

(i) such device is affixed to, or otherwise transmits a signal through, a wire, cable, or other like connection used in wire communication; or

(ii) such device transmits communications by radio, or interferes with the transmission of such communication;

[...]

shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).

B. Criminal Penalties Under 18 U.S.C. Section 2511(4)

Violation Type	Imprisonment	Fines
18 U.S.C. Section 2511(1)	Up to 5 years	As provided under Title 18
Commercial advantage/malicious purpose	Up to 5 years	As provided under Title 18

C. 18 U.S.C. Section 2520 - Civil Damages

In addition to criminal penalties, any person whose wire, oral, or electronic communication is intercepted may recover:

Actual damages suffered
Statutory damages of the greater of $100 per day for each day of violation or $10,000
Punitive damages in appropriate cases
Reasonable attorney's fees and litigation costs

D. State Wiretapping Laws (Additional Exposure)

State	Statute	Classification	Notes
California	`Penal Code Section 631-632`	Felony	Two-party consent state
Florida	`F.S. Section 934.03`	Felony	Two-party consent state
Illinois	`720 ILCS 5/14-2`	Felony	All-party consent
Massachusetts	`M.G.L. c. 272 Section 99`	Felony	All-party consent
Pennsylvania	`18 Pa.C.S. Section 5703`	Felony	Two-party consent
Washington	`RCW 9.73.030`	Gross Misdemeanor	Two-party consent
Maryland	`Md. Courts Section 10-402`	Felony	All-party consent

V. SUMMARY OF ALLEGATIONS

Meta Platforms, Inc., through its Facebook iOS application, has implemented a premeditated technical infrastructure that:

A. Circumvents iOS Privacy Indicators

The Facebook application contains a custom class FBSystemAudioSessionManager that controls a property allowCallKitActiveAdjust. When set to FALSE, this property suppresses Apple's iOS microphone usage indicator (the orange dot that appears in the status bar when an app accesses the microphone).

Evidence of Premeditation:

The bypass mechanism activates at application launch, before any user-initiated audio activity
The bypass activates with no active VoIP call (isCallKitActive: FALSE)
The bypass activates with no real-time communication client (hasRTCClient: FALSE)
There is no legitimate purpose for disabling indicator adjustments when no call is occurring

B. Maintains 24/7 Background Audio Capability

Facebook has implemented an infinite background execution loop that chains multiple iOS mechanisms to maintain perpetual background operation:

Background Task Renewal: expirationHandler callbacks immediately request new background tasks
Silent Push Notifications: contentAvailable pushes trigger additional background execution
Location Wake-ups: FBCLSignificantLocationChangeEventSource provides additional triggers
VoIP Push: PushKit VoIP pushes grant priority execution
Dinfo Poller Keepalive: Maintains persistent server connections

Configuration flags confirm intent:

captureEventsInBackground = TRUE
pauseAnalyticsOnBackground = FALSE

C. Transmits Audio to Facebook Servers

Forensic analysis identified the complete audio transmission infrastructure:

Endpoint	Protocol	Purpose
`wss://shortwave.facebook.com/v2/vp/recognition`	WebSocket	Real-time speech recognition
`https://rupload.facebook.com/%s/%s`	HTTPS	Voice/audio upload CDN
`https://fb.audio/live/%@`	HTTPS	Live audio streaming
`https://graph.facebook.com/graphql`	GraphQL	Audio-related API mutations

D. Evidence of Scale and Repetition

Runtime monitoring captured during a 15-minute test session:

Metric	Count	Significance
`TUCallProvider audioSessionID accesses`	1,099	Telephony audio accessed with ZERO calls
`allowCallKitActiveAdjust polling`	18	Indicator bypass state checked every ~3 seconds
`Background style entitlement requests`	454	Aggressive background persistence
`Active calls during test`	0	All audio access was unauthorized

VI. DETAILED TECHNICAL EVIDENCE

A. The Indicator Bypass Mechanism

1. Runtime Evidence Capture

The following Frida runtime analysis captured the bypass state at application launch:

[FB] ========== STATE CHECK ==========
[FB] FBSystemAudioSessionManager instance: <FBSystemAudioSessionManager: 0x10660bac0>
[FB] allowCallKitActiveAdjust: false
[FB] !!! BYPASS IS ACTIVE - allowCallKitActiveAdjust is FALSE !!!
[FB] isCallKitActive: false
[FB] hasRTCClient: false
[FB] --- All instance methods with "allow" or "active" ---
[FB]   - isCallKitActive
[FB]   - setCallKitActive:
[FB]   - allowCallKitActiveAdjust
[FB]   - setAllowCallKitActiveAdjust:
[FB]   - allowAudioReset
[FB] AVAudioSession category: AVAudioSessionCategoryAmbient
[FB] AVAudioSession mode: AVAudioSessionModeDefault
[FB] AVAudioSession isOtherAudioPlaying: false
[FB] ========== CHECK COMPLETE ==========

2. Interpretation of Evidence

Finding	Expected (Legitimate Use)	Observed (Actual Behavior)
`allowCallKitActiveAdjust`	TRUE (normal operation)	FALSE (bypass active)
`isCallKitActive`	TRUE if bypass justified	FALSE (no call)
`hasRTCClient`	TRUE for VoIP function	FALSE (no RTC client)
Activation timing	During call initiation	At app launch (preemptive)

Conclusion: The bypass mechanism is activated without any legitimate audio/calling purpose, demonstrating deliberate intent to suppress privacy indicators.

3. Continuous Polling from Analytics Code

Stack trace analysis revealed the indicator bypass state is checked from analytics code, not call-handling code:

[BYPASS] FBSystemAudioSessionManager- allowCallKitActiveAdjust
    TIME: 2025-12-29T10:29:30.398Z
    STACK:
        FBSharedFramework!FBMessagingAnalyticsCustomizeEventPayload
        FBSharedFramework!FNFPlayerStateMake
        FBSharedFramework!FBAnalyticsGetDeviceID

This confirms the bypass is integrated with Facebook's advertising/analytics infrastructure, not legitimate telephony functions.

B. The Indefinite Background Execution Loop

1. Architecture Diagram

+-----------------------------------------------------------------------+
|                    INFINITE BACKGROUND LOOP                            |
+-----------------------------------------------------------------------+
|                                                                        |
|  1. App backgrounded                                                   |
|      |                                                                 |
|  2. beginBackgroundTaskWithName:expirationHandler: called              |
|      |                                                                 |
|  3. Audio capture starts via startAudioCaptureWithEchoCancellationEnabled
|      |                                                                 |
|  4. Task runs until ~30 seconds remaining                              |
|      |                                                                 |
|  5. expirationHandler fires                                            |
|      |                                                                 |
|  6. Inside expirationHandler:                                          |
|     +-- endBackgroundTask: called (nominal cleanup)                    |
|     +-- IMMEDIATELY calls beginBackgroundTaskWithName: again           |
|     +-- Calls startAudioCaptureWithEchoCancellationEnabled: again      |
|      |                                                                 |
|  7. Meanwhile, silent push notifications arrive (contentAvailable)     |
|      |                                                                 |
|  8. NotificationServiceExtension receives push                         |
|      |                                                                 |
|  9. Triggers FBNotificationsSilentPushStoryPrefetchingManager          |
|      |                                                                 |
| 10. Completes prefetch -> triggers new background fetch request        |
|      |                                                                 |
| 11. FBBackgroundFetchManager processes it -> extends background time   |
|      |                                                                 |
| 12. Location monitoring triggers additional background wake-ups        |
|      |                                                                 |
| 13. All tasks complete -> expirationHandler fires again                |
|      |                                                                 |
| 14. GOTO Step 6                                                        |
|                                                                        |
|  =====================================================================|
|  RESULT: Audio capture runs continuously 24/7 without user knowledge   |
|  =====================================================================|
+-----------------------------------------------------------------------+

2. Wake-Up Trigger Summary

Trigger	Mechanism	Frequency
Background Task Expiration	`expirationHandler` renewal	Every ~30 seconds
Silent Push	`contentAvailable` APNS	Server-controlled
Background Fetch	`FBBackgroundFetchManager`	iOS-controlled
Location Change	`FBCLSignificantLocationChangeEventSource`	On movement
VoIP Push	PushKit with VoIP type	Server-controlled
Dinfo Poller	`dinfoPollerKeepalive`	Configured interval

C. Complete Audio Surveillance Chain

The complete data flow from microphone to Facebook servers:

PHASE 1: INDICATOR BYPASS (Silent Activation)
    VoIP Push arrives via PushKit
        -> FBPushKitRegistrar receives notification
        -> FBSystemAudioSessionManager.forceUpdateAudioSession()
        -> setCallKitActive: TRUE
        -> setAllowCallKitActiveAdjust: FALSE  <- KILLS ORANGE INDICATOR
        -> _voipAudioSession (hidden from UI)
        -> initWithAudioSessionHandsOff: (no state sync)
        -> activateSilently -> NO ORANGE DOT VISIBLE

PHASE 2: AUDIO CAPTURE
    AVAudioSessionCategoryPlayAndRecord activated
        -> CMSampleBuffer receives microphone data
        -> CMBlockBuffer (Core Media wrapping)
        -> FNFAudioQueue / FBMPAudioQueue (Facebook queue abstraction)
        -> fnf-audio-queue-callback (async processing)
        -> Audio captured at mic level, muted at speaker level

PHASE 3: ENCODING & PROCESSING
    PCM Audio -> Opus Encoder
        -> webrtc::AudioEncoderOpusImpl
            - 48 kHz sample rate
            - 2 channels (stereo)
            - Max 20 kbps bitrate
            - DTX enabled (silence detection)
            - FEC enabled (error correction)
        -> facebook::rtc::AudioEncoderOpusDecorator (wrapper)
        -> EncodedAudioFrame output

PHASE 4: ENCRYPTION
    Layer 1: E2EE Frame Encryption
        -> facebook::rtc::FrameEncryptionManager
        -> facebook::rtc::e2ee::FrameEncryptorShim
    Layer 2: SRTP Encryption (RFC 3711)
        -> webrtc::SrtpTransport
    Layer 3: DTLS Transport (TLS 1.2)
        -> webrtc::DtlsTransport
    -> Triple-encrypted audio packet ready

PHASE 5: NETWORK TRANSMISSION
    RtpSender::SetFrameEncryptor()
        -> BaseChannel::SendPacket()
        -> RtpTransport::SendPacket()
        -> folly::AsyncUDPSocket::writeChain()
        -> folly::AsyncUDPSocket::writevImpl()
        -> UDP Datagram -> Network Interface

PHASE 6: SERVER ENDPOINTS
    PRIMARY: wss://shortwave.facebook.com/v2/vp/recognition
        - Real-time speech recognition
        - WebSocket streaming
    SECONDARY: https://rupload.facebook.com/%s/%s
        - CDN upload for voice messages
    TERTIARY: https://fb.audio/live/%@
        - Live audio streaming
    GRAPHQL: https://graph.facebook.com/graphql
        - Audio-related mutations

D. Binary Forensic Evidence

1. Key Function Offsets in FBSharedFramework

Offset	Function/Symbol	Purpose
`0x01db2510`	`audio_capture`	Core audio capture
`0x01e4c1f0`	`fnf-audio-queue-callback`	Audio processing callback
`0x01da8740`	`is_silent`	Silent mode flag
`0x01da87a0`	`push_background`	Background push trigger
`0x01e21350`	`FNFWorkplaceWebRTC`	WebRTC infrastructure
`0xc87b58`	`-[FBCaptureCoordinator startMicrophone:]`	Microphone activation
`0xc52c3c`	`-[FBCaptureCoordinator stopMicrophone]`	Microphone deactivation
`0xb6d540`	`-[FBSystemAudioSessionManager containsActiveClient:]`	Client tracking

2. Audio Activation from UI Code

Critically, audio session activation was traced to UI rendering code with no legitimate audio purpose:

[AUDIO-CAT] ACTIVATE AUDIO - options: 0x1
  STACK:
    0x10ad142dc FBSharedFramework!FBFeedShimmeringStoryFlexComponentSpec::__internalFactory
    0x10ad1380c FBSharedFramework!FBFeedShimmeringStoryFlexComponentSpec::__internalFactory
    0x181678914 libdispatch.dylib!_dispatch_call_block_and_release

Significance: "Shimmering" components are loading placeholder animations. There is no legitimate reason for a UI loading animation to activate audio sessions. This indicates audio activation is hidden within innocent-looking UI code.

E. Runtime Evidence: 1,099 Telephony Accesses with Zero Calls

During a 15-minute monitoring session:

[CALLSERVICESD] TUCallProvider- audioSessionID
[CALLSERVICESD] TUCallProvider- audioSessionID
[CALLSERVICESD] TUCallProvider- audioSessionID
... (repeated 1,099 times)

Active calls during test: 0
Call attempts during test: 0

Significance: Apps should only access telephony audio session infrastructure during actual VoIP calls. 1,099 accesses with zero calls demonstrates the VoIP infrastructure is being used for non-call purposes - specifically, to obtain audio privileges through the telephony system under false pretenses.

VII. EVIDENCE OF PREMEDITATION AND INTENT

A. Deliberate Implementation

Custom Class Development: Facebook engineers created a custom FBSystemAudioSessionManager class specifically to manage audio session behavior and control privacy indicators
Specific Control Property: The allowCallKitActiveAdjust property serves no purpose other than controlling whether iOS displays the microphone indicator
Startup Activation: The bypass activates at application launch, before any user action, indicating premeditated circumvention
Analytics Integration: The bypass state is polled from advertising/analytics code (FBMessagingAnalyticsCustomizeEventPayload), not telephony code, revealing the commercial purpose
No Legitimate Purpose: There is no legitimate reason to disable indicator adjustments when no call is occurring

B. Configuration Flags Confirm Intent

ama_hide_camera_permissions_dialog_apple_hig:enabled = true
PHPhotoLibraryPreventAutomaticLimitedAccessAlert = true
captureEventsInBackground = true
pauseAnalyticsOnBackground = false

These configuration keys are explicitly named after the Apple privacy mechanisms they bypass, demonstrating awareness and intent to circumvent platform security controls.

C. Pattern of Privacy Violations

This finding is consistent with Meta's documented history of privacy-invasive conduct:

FTC 2019 Settlement: $5 billion penalty for privacy violations and deceptive practices
FTC 2012 Consent Decree: Meta agreed to 20-year oversight following privacy violations
Cambridge Analytica Scandal (2018): Unauthorized sharing of 87 million users' data
User Complaints: Widespread reports of suspiciously targeted advertisements following verbal conversations

VIII. SCALE OF POTENTIAL HARM

~2.9B

Monthly Active Users (Global)

~600M

iOS Users (Global Est.)

~150M

iOS Users (U.S. Est.)

~2B

Daily Active Users

Nature of Intercepted Communications

The microphone captures all ambient audio in the user's environment, including:

Private conversations

Confidential business discussions

Medical consultations

Attorney-client communications

Intimate personal discussions

Children's conversations

Third-party conversations (non-users)

IX. REQUESTED ACTIONS

A. Criminal Investigation

The FBI Cyber Division should:

Initiate a criminal investigation into Meta Platforms, Inc. for potential violations of 18 U.S.C. Section 2511
Conduct independent forensic analysis of the Facebook iOS application using FBI digital forensics capabilities to verify these findings
Issue legal process to Meta Platforms, Inc. for:
- Source code related to FBSystemAudioSessionManager and related audio infrastructure
- Server-side data showing audio received from iOS devices
- Internal communications regarding microphone access and indicator bypass implementation
- Documentation of the purpose and function of allowCallKitActiveAdjust
- Analytics data showing correlation between audio capture and advertising targeting
Interview Facebook/Meta engineers responsible for iOS audio infrastructure
Coordinate with Apple, Inc. to verify findings and assess policy violations

B. Grand Jury Consideration

Given the scale of potential victims (billions of users) and the evidence of premeditation, this matter should be presented to a federal grand jury for consideration of:

18 U.S.C. Section 2511 violations (per-device charges possible)
18 U.S.C. Section 2512 violations (manufacture/distribution of interception device)
Conspiracy charges if multiple individuals participated
Wire fraud if commercial benefit obtained through deception

C. Coordination with Other Agencies

Federal Trade Commission	FTC Act Section 5 violations and enforcement of existing consent decrees
DOJ CCIPS	Computer Crime and Intellectual Property Section for prosecution coordination
State Attorneys General	State-level wiretapping prosecutions in two-party consent states
SEC	Material misrepresentations to investors regarding privacy practices

X. PRESERVATION REQUEST

Meta Platforms, Inc. should immediately be served with a litigation hold and preservation order for:

A. Technical Evidence

Source Code

FBSystemAudioSessionManager class
FBAudioFramework framework
FBSharedFramework audio components
iOS audio session management code
CallKit/VoIP integration code

Documentation

allowCallKitActiveAdjust property
iOS microphone indicator behavior
Background audio capture capabilities
VoIP push notification infrastructure

Server-Side Systems

shortwave.facebook.com
rupload.facebook.com
Audio data from iOS devices
Speech-to-text processing

B. Communications

All internal communications (email, Slack, Workplace, etc.) regarding iOS privacy indicators, microphone access, Apple App Store policy compliance, and audio data collection for advertising.

XI. FTC PRECEDENT AND ENFORCEMENT HISTORY

2019 $5 Billion

FTC Settlement

The FTC imposed a $5 billion penalty on Facebook - the largest privacy-related fine in FTC history - for violations including deceiving users about privacy controls, undermining user privacy choices, and sharing data with third-party apps without consent.

2012 20-Year Consent Decree

FTC Consent Decree

Facebook entered a consent decree requiring clear disclosure before sharing user information, affirmative consent for material privacy changes, and comprehensive privacy program establishment.

Implication: Given Meta's history of privacy violations despite FTC oversight, this referral should be prioritized for criminal investigation rather than civil enforcement alone. The pattern of continued violations despite substantial penalties and consent decrees suggests civil remedies have been insufficient to deter misconduct.

XII. SUPPORTING DOCUMENTATION

A. Attached Evidence

Exhibit	Description
Exhibit A	Frida runtime analysis script (fb_check_state.js)
Exhibit B	Runtime monitoring logs showing bypass activation
Exhibit C	Binary analysis documenting audio infrastructure
Exhibit D	Network endpoint documentation
Exhibit E	Configuration flag extraction
Exhibit F	Stack traces showing analytics integration

B. Available Upon Request

Complete Frida monitoring scripts
Video recordings of research methodology
Device forensic images
Extended analysis logs
Binary offset tables
Disassembly of relevant functions
WebRTC SDP configuration captures

XIII. DECLARATION UNDER PENALTY OF PERJURY

I, the undersigned, declare under penalty of perjury under the laws of the United States of America (28 U.S.C. Section 1746) that:

The foregoing information in this complaint is true and accurate to the best of my knowledge, information, and belief.
The technical evidence described herein was obtained through legitimate security research conducted on personally-owned devices using industry-standard analysis tools.
No unauthorized access to Meta/Facebook systems was performed in obtaining this evidence.
This disclosure is made in good faith with the belief that the described conduct constitutes federal criminal violations.
I have not received any compensation for making this disclosure, nor do I have any financial interest adverse to Meta Platforms, Inc. other than as a potential victim of the described conduct.
I am willing to provide testimony, additional evidence, and technical expertise to support any investigation or prosecution arising from this complaint.

SIGNATURE: ___________________________________________

PRINTED NAME: ___________________________________________

DATE: December 29, 2025

LOCATION: ___________________________________________

XV. SUBMISSION INSTRUCTIONS

A. Primary Submission: FBI Internet Crime Complaint Center (IC3)

Website: https://www.ic3.gov/

Navigate to "File a Complaint"
Select "I am filing for myself"
Under "Incident Type," select "Other Cyber Crime"
In the description, reference: "Federal Wiretap Act Violation - 18 U.S.C. Section 2511"
Upload this document as a PDF attachment
Retain the confirmation number for your records

B. FBI Field Office Submission

Recommended Office (Meta HQ Location):

San Francisco Field Office
450 Golden Gate Avenue, 13th Floor
San Francisco, CA 94102
(415) 553-7400

C. Parallel Filing: Federal Trade Commission

FTC Complaint Assistant: https://reportfraud.ftc.gov/

Reference existing FTC consent decrees with Meta, 2019 $5B settlement, and deceptive trade practices.

DOCUMENT CONTROL

Document Version	1.0 FINAL
Classification	Law Enforcement Sensitive
Date Created	December 29, 2025
Distribution	Limited to authorized recipients
Exhibit Count	6 attached + additional available

END OF COMPLAINT

Back to Disclosures

TABLE OF CONTENTS