(C) Daily Kos
This story was originally published by Daily Kos and is unaltered.
Want Meta to stop spying on you? Getting off Facebook is NOT enough. [1]
This content is not subject to review by Daily Kos staff prior to publication.
Date: 2025-07-04
From www.eff.org/…
More than a decade ago, Meta created the “Meta pixel”. The Meta pixel exists for one reason: to spy on you. It has been installed on about 20% of the most heavily trafficked websites, including tax filing and hospital websites, where it can access information about your finances and medical conditions. In addition, it can track you across the web, recording how you use the sites you visit and which ads you respond to and how, all in service to the corporate system of surveillance advertising.
What changed?
Researchers recently caught Meta using an egregious new tracking technique to spy on you. Exploiting a technical loophole, the company was able to have their apps snoop on users’ web browsing. This tracking technique stands out for its flagrant disregard of core security protections built into phones and browsers.
While these types of pixels have been around for a while, researchers recently discovered another way Meta uses them to track and record your web browsing activities. The pixel does so by secretly communicating with Meta’s apps on Android phones, violating a core security feature built into the mobile phone’s operating system, called “sandboxing”. Sandboxing was designed to prevent mobile apps from communicating with each other. Meta was able to defeat this security design by exploiting ‘localhost’, a feature designed to allow app developers to test their apps. This allowed Meta to create a back channel between the web browser on your phone and any of Meta’s apps. (If you want the nitty gritty technical details, they can be found here.)
This workaround helped Meta bypass user privacy protections and attempts at anonymity. Typically, Meta tries to link data from “anonymous” website visitors to individual Meta accounts using signals like IP addresses and cookies. But Meta made re-identification trivial with this new tracking technique by sending information directly from its pixel to Meta's apps, where users are already logged in. Even users who blocked or cleared cookies, hid their IP address with a VPN, or browsed in incognito mode could be identified with this tracking technique.
Meta didn’t only hide this technique from its users. Developers who had installed the tracking pixel on their own websites were also kept ignorant. After the developers noticed their own websites contacting ‘localhost’, they raised concerns to Meta (here and here), but got no explanation from Meta. When their scheme was exposed publicly, Meta claimed that they were in talks with Google about “a potential miscommunication regarding the application of their policies.”
Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities. The bypass—which Yandex began in 2017 and Meta started last September—allows the companies to pass cookies or other identifiers from Firefox and Chromium-based browsers to native Android apps for Facebook, Instagram, and various Yandex apps. The companies can then tie that vast browsing history to the account holder logged into the app.
The scheme has only been discovered on Android phones, but similar exploits may be possible on iPhones, as well.
localmess.github.io/…
Are end-users aware?
It is plausible that users browsing the Internet and visiting sites integrating Yandex and Meta’s ID bridging between web and native apps, may not be fully aware of this behavior. In fact, the novel tracking method works even if the user:
- Is not logged in to Facebook, Instagram or Yandex on their mobile browsers
- Uses Incognito Mode
- Clears their cookies or other browsing data
This tracking method defeats Android's inter-process isolation and tracking protections based on partitioning, sandboxing, or clearing client-side state.
Preliminary results suggest that these practices may be implemented in websites without explicit and appropriate cookie consent forms. If a site loads the Facebook or Yandex scripts before a user has given consent to the appropriate cookies, this behaviour will still be triggered.
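The developers mentioned above spotted the behaviour by noticing their own sites contacting ‘localhost’. The following code, added here as an illustration and not taken from the EFF, the researchers or Meta, shows one way a site owner could audit a browser network capture (HAR export) for requests to loopback addresses and see which script started them. The sample capture, host names and ports are constructed, and the "_initiator" field is assumed to be present as in Chrome DevTools exports.

```javascript
// Added example: audit a HAR export for page-initiated requests to loopback.
// Loopback names/ranges covered: localhost, *.localhost, 127.0.0.0/8, ::1.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true;
  // WHATWG URL parsing has already normalised forms like 127.1 or 2130706433.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Assumption: "_initiator" is a Chrome DevTools HAR extension and may be absent.
function initiatorOf(entry) {
  const i = entry._initiator || {};
  const frames = (i.stack && i.stack.callFrames) || [];
  return i.url || (frames[0] && frames[0].url) || "unknown";
}

// Returns one finding per request whose destination is a loopback address.
function findLoopbackRequests(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    let target;
    try { target = new URL(entry.request.url); } catch { continue; } // skip malformed
    if (!isLoopbackHost(target.hostname)) continue;
    findings.push({
      scheme: target.protocol.replace(":", ""),
      host: target.hostname,
      port: target.port || "(default)",
      initiator: initiatorOf(entry),
    });
  }
  return findings;
}

// Constructed sample capture; hosts, ports and script names are made up.
const sampleHar = { log: { entries: [
  { request: { url: "https://shop.example/checkout" } },
  { request: { url: "https://cdn.tracker.example/pixel.js" } },
  { request: { url: "http://127.0.0.1:45678/sync?id=abc" },
    _initiator: { type: "script",
      stack: { callFrames: [{ url: "https://cdn.tracker.example/pixel.js" }] } } },
  { request: { url: "ws://localhost:45679/" },
    _initiator: { type: "script", url: "https://cdn.tracker.example/pixel.js" } },
  { request: { url: "http://2130706433:45680/x" } }, // decimal form of 127.0.0.1
] } };
console.log(findLoopbackRequests(sampleHar));
```

A HAR file only records requests the browser's network panel saw, so an empty result for one page load does not rule out loopback traffic on other pages or under other conditions.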
Although Meta has stopped using this technique, for now, anyway, there are steps Android users can employ to thwart this, or similar, activity in the future.
1) Use a Privacy-Focused Browser
Choose a browser with better default privacy protections than Chrome. For example, Brave and DuckDuckGo protected users from this tracking technique because they block Meta’s tracking pixel by default. Firefox only partially blocked the new tracking technique with its default settings, but fully blocked it for users with “Enhanced Tracking Protection” set to “Strict.” It’s also a good idea to avoid using in-app browsers. When you open links inside the Facebook or Instagram apps, Meta can track you more easily than if you opened the same links in an external browser.
2) Delete Unnecessary Apps
Reduce the number of ways your information can leak by deleting apps you don’t trust or don’t regularly use. Try opting for websites over apps when possible. In this case, and many similar cases, using the Facebook and Instagram websites instead of the apps would have limited data collection. Even though both can contain tracking code, apps can access information that websites generally can’t, like a persistent “advertising ID” that companies use to track you (follow EFF’s instructions to turn it off if you haven’t already).
3) Limit Meta’s Use of Your Data
Meta’s business model creates an incentive to collect as much information as possible about people to sell targeted ads. Short of deleting your accounts, you have a number of options to limit tracking and how the company uses your data.
Have a happy day!
[END]
---
[1] Url:
https://www.dailykos.com/story/2025/7/4/2331483/-Want-Meta-to-stop-spying-on-you-Getting-off-Facebook-is-NOT-enough
Content appears here under this condition or license: Site content may be used for any purpose without permission unless otherwise specified.
via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/dailykos/