Meta and Yandex's Controversial Tracking Method Uncovered


Recent revelations by security researchers have unveiled alarming practices by Meta and Yandex, where native Android applications were allegedly used to listen on localhost ports. This clever maneuver allowed the companies to link web browsing data to user identities while circumventing conventional privacy protections.

Following the disclosure, researchers noted a significant change: Meta's Pixel script ceased sending data to localhost, and the associated tracking code has been significantly reduced. This shift might serve to shield Meta from scrutiny under Google Play policies that govern covert data collection within apps.

In response to the situation, a spokesperson from Meta remarked, "We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue." However, the spokesperson did not expand on the ongoing discourse with Google.

A research report published by scientists from prestigious institutions like IMDEA Networks, Radboud University, and KU Leuven details how the US-based social media titan and the Russian search engine leveraged native Android apps to illegally harvest web cookie data through the localhost—or loopback—interface of user devices.

The localhost is a network address enabling devices to make internal communications, commonly utilized by developers for testing software. The researchers pointed out that native apps such as Facebook, Instagram, Yandex Maps, and Yandex Browser were found quietly listening on fixed local ports for the purpose of tracking.

According to the researchers, these apps receive metadata, cookies, and commands from the Meta Pixel and Yandex Metrica scripts, which are embedded on countless websites. These JavaScript scripts load in users' mobile browsers and quietly connect to native applications on the same device through localhost sockets.

  • This method allows Meta and Yandex to bypass standard privacy measures, enabling them to access device identifiers (like the Android Advertising ID) and link mobile browsing sessions along with web cookies to specific user identities.
  • The researchers argue that this practice contradicts established assumptions about the limitations of first-party cookies, raising concerns about online privacy.
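A defender can check a device for the listening behaviour described above by inspecting its kernel socket table. The following is an added example, not code from the researchers or the article: it parses text in the Linux `/proc/net/tcp` format and flags sockets owned by installed apps that accept connections on loopback. The sample table, its ports and its UIDs are constructed, and obtaining the table from a device (for instance over a debug shell) is assumed.

```python
import ipaddress

APP_UID_START = 10000  # Android gives installed apps UIDs from 10000 upward
TCP_LISTEN = "0A"      # state code for LISTEN in /proc/net/tcp
UDP_BOUND = "07"       # state code shown for bound, unconnected sockets in /proc/net/udp

# Constructed sample, not captured from a real device; ports and UIDs are made up.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   2: 0A00A8C0:B3C2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51300 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10117        0 61000 1 0000000000000000 100 0 0 10 0
"""

def loopback_listeners(proc_net_text, wanted_state=TCP_LISTEN):
    """Return app-owned IPv4 sockets in wanted_state that a browser on the
    same device could reach via localhost (bound to 127.0.0.0/8 or 0.0.0.0).
    IPv6 tables (/proc/net/tcp6) use 32-hex-digit addresses and are skipped."""
    findings = []
    for line in proc_net_text.splitlines()[1:]:       # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if len(addr_hex) != 8:
            continue
        state, uid = fields[3], int(fields[7])
        # The kernel prints the IPv4 address as little-endian hex.
        ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(addr_hex), "little"))
        reachable_locally = ip.is_loopback or ip.is_unspecified
        if state == wanted_state and reachable_locally and uid >= APP_UID_START:
            findings.append({"uid": uid, "ip": str(ip), "port": int(port_hex, 16)})
    return findings

if __name__ == "__main__":
    for hit in loopback_listeners(SAMPLE_TCP):
        print(f"app uid {hit['uid']} listens on {hit['ip']}:{hit['port']}")
```

Each reported UID still has to be mapped to a package name on the device, and a listener is only a lead: legitimate apps also open local ports, so the finding needs to be correlated with browser traffic to that port.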

The tracking mechanism described involves various data transmission protocols such as WebSocket and WebRTC, which were observed in use by Meta to transmit data starting September 2024. However, as of June 3, the researchers confirmed that Meta has seemingly halted its local data transmissions, citing a complete removal of the code responsible for sending tracking cookies.

Yandex's tracking activities reportedly date back to 2017. Although inquiries were made to Yandex's media relations, they were met with no response due to spam filters.

In light of this report, several Android browser vendors have implemented measures against the identified tracking methods. Notably, Chrome 137 introduced countermeasures to block the notorious SDP Munging technique used by Meta Pixel, although these are currently being tested with a restricted user group. Meanwhile, a remedy for Mozilla Firefox is under development, and privacy-focused browsers like Brave are unaffected as they demand user consent for localhost access.

The concerns prompted the researchers to suggest developing a "local network access" permission aimed at mitigating localhost-based tracking in future revisions of Android’s framework. Although a previous proposal encountered technical challenges, the need for such measures is increasingly evident.

This tracking discovery raises significant questions regarding user privacy in an increasingly data-driven world. While Meta appears to have temporarily ceased its practices, the vulnerabilities remain. Users are advised to consider switching to more privacy-oriented browsers such as DuckDuckGo or Brave or uninstalling Yandex apps to ensure the highest degree of privacy.

In conclusion, ongoing scrutiny by security researchers is crucial as these revelations highlight a troubling intersection of technology and privacy that demands collective awareness and regulatory attention.

Bias Analysis

Bias Score: 20/100

This news has been analyzed from 11 different sources.

Bias Assessment: The article maintains a neutral tone while presenting factual information regarding the practices of Meta and Yandex. There is minimal subjectivity, and the article focuses on the implications of the tracking methods unveiled, but it leans slightly towards highlighting concerns regarding user privacy, which may contribute to a lower bias score.
