[Image: a diagram of the interaction between Meta and Yandex systems, showing data tracking, user identity handling, and the potential risks via mobile browsers and apps.]

Technical things don’t interest most people. I’m definitely at the edges of my understanding with this one, but the implications are pretty huge. Essentially, Meta (the organisation behind Facebook, Instagram, and WhatsApp) and Yandex have been caught covertly tracking users on Android devices via a novel method.

On the day that this disclosure was made public, Meta “mysteriously” stopped using this technique. But, by that point, they’d been using it for well over six months, and it appears that Yandex (a Russian tech company) has been using it for EIGHT YEARS.

The website dedicated to the disclosure is, as you’d expect, pretty technical. But it does say this:

This novel tracking method exploits unrestricted access to localhost sockets on the Android platforms, including most Android browsers. As we show, these trackers perform this practice without user awareness, as current privacy controls (e.g., sandboxing approaches, mobile platform and browser permissions, web consent models, incognito modes, resetting mobile advertising IDs, or clearing cookies) are insufficient to control and mitigate it.

We note that localhost communications may be used for legitimate purposes such as web development. However, the research community has raised concerns about localhost sockets becoming a potential vector for data leakage and persistent tracking. To the best of our knowledge, however, no evidence of real-world abuse for persistent user tracking across platforms has been reported until our disclosure.

A Spanish site called Zero Party Data, which also posts in English, explains what’s going on in an easier-to-understand way:

Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.

[…]

Meta faces simultaneous liability under the following regulations, listed from least to most severe: GDPR, DSA, and DMA (I’m not even including the ePrivacy Directive because it’s laughable).

GDPR, DMA, and DSA protect different legal interests, so the penalties under each can be imposed cumulatively.

The combined theoretical maximum risk amounts to approximately €32 billion (4% + 6% + 10% of Meta’s global annual revenue, which surpassed €164 billion in 2024).

Maximum fines have never before been applied simultaneously, but some might say these scoundrels have earned it.

Briefly, here’s how it works (according to the above website):

  • Step 1: The app installs a hidden “intercom”
  • Step 2: You think, “hmm, nice day to check out my guilty pleasure website in incognito mode.”
  • Step 3: The web pixel talks to the Facebook/Instagram app using WebRTC
  • Step 4: The same pixel on your favorite website, without hesitation, sends your alphanumeric sausage over the internet to Meta’s servers
  • Step 5: The app receives the message and links it to your real identity
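A defender-side check that follows from the above, added here as an example rather than code from Local Mess or Zero Party Data: on Android every installed app runs under a UID of 10000 or higher, so a TCP socket in LISTEN state bound to the loopback (or wildcard) address and owned by such a UID was opened by an app, not by the OS. The function parses the /proc/net/tcp and /proc/net/tcp6 text format (as captured from a shell on the device); the sample rows, ports and UIDs below are constructed, not the ones from the disclosure.

```python
"""List loopback TCP listeners from /proc/net/tcp{,6} text and flag app-owned ones."""
import ipaddress
import socket
from typing import Dict, List

AID_APP_START = 10000   # first UID Android assigns to installed (non-system) apps
TCP_LISTEN = "0A"       # socket state code for LISTEN in /proc/net/tcp


def _decode_ip(hex_ip: str) -> str:
    """/proc/net/tcp stores IPv4 as one little-endian 32-bit word, IPv6 as four."""
    raw = bytes.fromhex(hex_ip)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = [raw[i:i + 4][::-1] for i in range(0, 16, 4)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def loopback_listeners(proc_net_tcp: str) -> List[Dict[str, object]]:
    """Return LISTEN sockets reachable via localhost, with the owning UID."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # first row is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = _decode_ip(hex_ip)
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            continue                                 # bound to a specific non-local interface
        uid = int(fields[7])
        found.append({"ip": ip, "port": int(hex_port, 16), "uid": uid,
                      "third_party_app": uid >= AID_APP_START})
    return found


# Constructed sample: one app-owned loopback listener, one system listener, one
# established connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 31337 1 0000000000000000 100 0 0 10 0
   1: 00000000:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31338 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:2328 01 00000000:00000000 00:00000000 00000000 10123        0 31339 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 31340 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for entry in loopback_listeners(SAMPLE_PROC_NET_TCP) + loopback_listeners(SAMPLE_PROC_NET_TCP6):
        print(entry)
```

On a real device, feed it the contents of /proc/net/tcp and /proc/net/tcp6 and map any flagged UID back to a package name with `pm list packages --uid <uid>`.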

This is why I don’t use apps from Meta and use a security-hardened version of Android called GrapheneOS.

Sources: Local Mess / Zero Party Data

Image: Local Mess