Ever since then I refused to install native versions of apps that could be used in a browser. I don't use Facebook or Instagram so I don't know if that works anymore, and I recall testing that they were intentionally crippling Facebook Messenger at one point.
Then the past decade of native apps requesting tons of permissions and users just clicking agree. Why should Facebook be able to read my Wi-Fi network or Bluetooth? Of course there is something shady going on. Beacons tracking people walking around brick-and-mortar stores. https://en.wikipedia.org/wiki/Facebook_Bluetooth_Beacon
Such a shame because native apps are so much more pleasant and performant to use than web apps.
This system was designed and implemented by engineers who committed code in a source control system with their name attached, and the changes were requested by product managers in tickets in the ticketing system with their name attached. Those engineers and product managers should be personally liable for an equivalent % of their annual salary as Facebook is liable for a % of its annual revenue.
Very impressive but not surprising coming from Meta. They have a history of doing this kind of thing.
Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular. That's what allowed them to know WhatsApp and Instagram were good acquisition targets.
At this point, I think the race for Zuckerberg is, can Meta survive long enough for the next platform shift (AR or VR) where they will own one of the major platforms and won't need to abide by any reasonable rules before their "internet tentacles" that sustain the Ad Machine are cut off.
My bet is they will make it. Though I don't wish it, they're on track.
1. Android allows apps to open ports without permissions. And apps to communicate with each other without permissions.
2. The browsers allow random domains to access services on the localhost. Without notifying the user. We have seen vulnerabilities in the past accessing dev services running on localhost. Something should be done there.
Sounds like you're affected if you have either Facebook or Instagram app installed on an Android phone, you're signed into your account, and you don't have anything set up to block tracking pixels and the like (though that last part I'm not as sure of).
Getting through VPNs and incognito mode are the most egregious parts of this offense, though. I think some people are under the impression that's a way to act like you're in total privacy... but it's not. It's just an easy way to act like you're in a new browser session or coming from another location, mostly.
I'm just confused why Meta needed to do this. Isn't fingerprinting good enough to not risk building this? All I can think is they use something like this to prove out their other tracking tech is working (this is the test set effectively). It is obvious that they really have several of these types of tracking technologies so that if one gets found out/patched they can switch it off and say 'look we stopped' all while still tracking with impunity. It just seems dumb that they would keep something this blatant in use.
The real flaw here is in WebRTC. WebRTC should be disabled by default, and behind a permissions dialog at least. Still, Facebook could just disable chat or some feature and claim they need WebRTC and 99% of users would opt in to it.
> 1. The user opens the native Facebook or Instagram app, […]
I'm not going full "it's your own fault for having those apps installed" — it really isn't — but people need to learn they shouldn't trust apps made by these giant adzillas. (Which to be fair you could also argue for Android as a whole, and Chrome).
If Facebook and Instagram are "dominating the market" as the EU likes to say, maybe it's time to force allowing 3rd party frontend apps?
Tldr, because this article has way too much filler to my taste (but I'm sure there are people out there that enjoy reading that kind of thing):
The native Instagram and Meta apps start a server listening on predefined ports when you launch said apps; they eventually run in the background as well. When you are in your browser, whether in private mode, not logged in, having refused or disabled cookies, or anything else that might make you feel like you are not being explicitly tracked, the browser will connect to the locally running servers through WebRTC and send all tracking data to said servers from the browser.
The Android sandboxing thing is basically about how Android isolates each app and should only allow communication through Android intents that inform the user of such inter-app communication, such as sharing photos and the like. In this case, the browser is communicating with the Instagram and Facebook apps without letting the user know.
The legal infringement here is that this happens even when you refuse to be tracked, which is a violation of GDPR and another law mentioned in the article.
The 32B figure is a theoretical maximum (but they also mentioned 100B+ in the article, which confuses me).
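The TL;DR above describes apps that open listening sockets on localhost and a browser that connects to them, and an earlier comment notes that Android lets apps open ports and talk to each other without any permission. As an added example (not code from the article or from anyone in this thread), here is a small Python audit that parses the /proc/net/tcp socket table, the same table `netstat` reads, lists the TCP listeners reachable over loopback with their owning UID, and pairs each established loopback connection with the listener's UID so that cross-app traffic stands out. The socket table and the UID-to-package mapping are constructed for the example; on a real device you would capture the table with `adb shell cat /proc/net/tcp` (where the device still exposes it, since recent Android versions restrict that file to privileged callers) and resolve UIDs with `pm list packages -U`. Because Android gives every installed app its own UID, a browser UID connected to another app's loopback listener is exactly the channel the thread is about.

```python
"""Audit loopback TCP listeners and cross-app loopback connections.

Added example, not code from the article or this thread. Parses text in the
/proc/net/tcp layout (IPv4 only; /proc/net/tcp6 has the same columns with
128-bit addresses) and reports listeners reachable over 127.0.0.0/8 together
with the UID that owns them, plus established loopback connections whose
client belongs to a different UID than the listener.
"""
import socket
import struct

LISTEN = "0A"        # TCP state codes as printed in the 'st' column
ESTABLISHED = "01"

# Constructed sample in the /proc/net/tcp column layout (not a real capture).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10050        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:3039 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10234        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C350 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10001        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0100007F:D431 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10456        0 12349 1 0000000000000000 100 0 0 10 0
"""

# Constructed UID-to-package table; on a device, `pm list packages -U` provides it.
UID_TO_PACKAGE = {
    10001: "com.example.browser",
    10050: "com.example.devtools",
    10234: "com.example.socialapp",
    10456: "com.example.photos",
}


def parse_addr(field):
    """Decode 'AAAAAAAA:PPPP': the IPv4 address is a hex 32-bit word in host
    byte order (little-endian on Android's ARM/x86 targets); the port is hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_rows(table_text):
    """One dict per socket row; the first line is the column header."""
    rows = []
    for line in table_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 8:
            continue
        rows.append({
            "local": parse_addr(parts[1]),
            "remote": parse_addr(parts[2]),
            "state": parts[3],
            "uid": int(parts[7]),
        })
    return rows


def reachable_over_loopback(ip):
    """A wildcard bind (0.0.0.0) answers on the loopback interface too."""
    return ip.startswith("127.") or ip == "0.0.0.0"


def loopback_listeners(table_text):
    """[(ip, port, uid)] for LISTEN sockets that a local client could reach."""
    return [
        (r["local"][0], r["local"][1], r["uid"])
        for r in parse_rows(table_text)
        if r["state"] == LISTEN and reachable_over_loopback(r["local"][0])
    ]


def cross_app_loopback_connections(table_text):
    """[(client_uid, server_port, server_uid)] for established loopback
    connections whose client socket belongs to a different UID than the
    listener. The server's accepted socket has a remote port that is not a
    listening port, so it is skipped and each connection appears once."""
    listeners = {port: uid for _, port, uid in loopback_listeners(table_text)}
    hits = []
    for r in parse_rows(table_text):
        remote_ip, remote_port = r["remote"]
        if r["state"] != ESTABLISHED or not remote_ip.startswith("127."):
            continue
        if remote_port in listeners and listeners[remote_port] != r["uid"]:
            hits.append((r["uid"], remote_port, listeners[remote_port]))
    return hits


def report(table_text, uid_map=UID_TO_PACKAGE):
    """Human-readable lines for both findings."""
    def name(uid):
        return uid_map.get(uid, f"uid {uid}")
    lines = [f"LISTEN  {name(uid):24} {ip}:{port}"
             for ip, port, uid in loopback_listeners(table_text)]
    lines += [f"CONNECT {name(client):24} -> {name(server)} on 127.0.0.1:{port}"
              for client, port, server in cross_app_loopback_connections(table_text)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROC_NET_TCP)))
```

Run on the constructed table, the report lists three reachable listeners (the wildcard bind on 8080 counts because it answers on loopback as well) and one cross-app connection, from the browser UID to the social app's listener on port 12345. The same pairing logic works on a desktop Linux host, where UIDs map to users rather than apps.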
Serious question. I don't generally mind paying taxes and all that. But in this case I feel I am the person offended and I should get some kind of compensation. I'd say €1-2000 would make me feel somewhat compensated.
In 2014 / 2015 I was digging through the code of the iOS Facebook app and found that it was loading, by string name, a dylib. I think it was a system dylib for networking, or sound, or something. It seemed like the wrong way to access a system service.
That seemed unnecessarily sneaky and made me appreciate the sense of righteousness which I would have, if I were a SW dev @ FB at the time, to add such a technique to a world-tier app like FB.
> What Meta did wasn’t just a violation of GDPR. It involved bypassing built-in technical protections with the intent to extract and link data — potentially personally identifiable information (PII) — to users without their knowledge or consent.
> That is the textbook definition of unauthorized access and data exfiltration.
My prediction: Facebook gets fined something like ~12 million euros, EU bureaucrats shake their hands, Facebook finds a different way to do the same thing.
Reading through this, is it correct to say that they could've done a fetch("http://localhost:<port>/id=<id>"), but then it would show up very conspicuously in the logs, and you couldn't talk to UDP ports with it?
Every story like this has me thinking about two things:
1. Companies have no soul. They are, by design, just chasing revenue. Everything else is just a risk to be factored.
2. There are real humans at these companies who choose to take part in the business and design and engineering, etc.
I don’t think these humans have no soul (though some won’t), and I don’t think they’re stupid (though some are). I think it’s just very, very easy to create a system of people collectively doing evil things where no one person carries the burden of evil individually enough to really feel sick enough with what they’re contributing to.
I'm guessing I'll get down-voted for this, but what's to stop any browser/executable from trolling through /proc on Linux and knowing about what every process running as you is doing?
Oh, this is bigger than just Android.
SDP munging can cause all sorts of havoc on desktop clients as well.
Bit of a blind spot in WebRTC implementations.
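The comment earlier calling WebRTC the real flaw, and this one on SDP munging, both come down to a page being able to point a WebRTC session at loopback. As an added example, not the page's own code nor any browser's, here is a Python check that a signaling server can apply to every offer or answer it relays, or that a client can apply to a description before handing it to RTCPeerConnection.setRemoteDescription(): it rejects any ICE candidate or connection line whose address is loopback, which is what a session aimed at a local listener would carry. The offer text is constructed, and the policy assumes a deployment where loopback candidates are never legitimate (local development setups would need an exception). The `o=` origin line is deliberately not inspected, because browsers commonly fill it with 127.0.0.1 as a placeholder that has nothing to do with where media is sent.

```python
"""Refuse SDP whose ICE candidates or connection line target loopback.

Added example, not code from the article, the thread, or any browser. The
assumed policy: in production no legitimate peer advertises a loopback
address, so such a description is refused and the reasons are logged.
"""
import ipaddress


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 and the literal 'localhost'. Names that are
    not IP literals (mDNS candidates such as 'xxxx.local') are not loopback."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def loopback_targets(sdp):
    """[(line_number, host, port_or_None)] for every a=candidate line whose
    connection-address is loopback and every c= line whose address is loopback.
    The o= origin line is ignored on purpose: browsers commonly emit
    'o=- <id> <ver> IN IP4 127.0.0.1' as a placeholder, not as a target."""
    hits = []
    for n, raw in enumerate(sdp.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("a=candidate:"):
            # a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
            fields = line[len("a=candidate:"):].split()
            if len(fields) >= 6 and is_loopback_host(fields[4]):
                hits.append((n, fields[4], int(fields[5])))
        elif line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>; 0.0.0.0 here is normal for WebRTC
            fields = line[2:].split()
            if len(fields) == 3 and is_loopback_host(fields[2]):
                hits.append((n, fields[2], None))
    return hits


def check_remote_description(sdp):
    """(accepted, reasons). Accepted only when no loopback target is present."""
    reasons = [
        f"line {n}: loopback address {host}" + (f" port {port}" if port is not None else "")
        for n, host, port in loopback_targets(sdp)
    ]
    return (not reasons, reasons)


# Constructed offers (not captured from any real session).
CLEAN_OFFER = """\
v=0
o=- 4611731400430051336 2 IN IP4 127.0.0.1
s=-
t=0 0
m=application 9 UDP/DTLS/SCTP webrtc-datachannel
c=IN IP4 0.0.0.0
a=ice-ufrag:abcd
a=ice-pwd:0123456789abcdef0123456789
a=candidate:1 1 udp 2130706431 203.0.113.5 49170 typ host
"""

# Same offer with two extra host candidates pointing at loopback ports.
LOOPBACK_OFFER = CLEAN_OFFER + """\
a=candidate:2 1 udp 2122260223 127.0.0.1 12345 typ host
a=candidate:3 1 udp 1694498815 ::1 54321 typ host
"""

if __name__ == "__main__":
    for label, sdp in (("clean", CLEAN_OFFER), ("loopback", LOOPBACK_OFFER)):
        accepted, reasons = check_remote_description(sdp)
        print(label, "accepted" if accepted else "rejected", reasons)
```

The clean offer passes even though its `o=` line names 127.0.0.1 and its `c=` line is the usual 0.0.0.0; the second offer is rejected with one reason per loopback candidate. A signaling server that logs those reasons gets a durable record of who tried to steer a session at a local port, which is the kind of evidence the thread says was missing.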
"Meta faces simultaneous liability under the following regulations, listed from least to most severe: GDPR, DSA, and DMA (I'm not even including the ePrivacy Directive because it's laughable)."
You've rented a device that connects to a worldwide communications network built on a principle of numerically exact message routing between every device and use it to run numerically exact programs from service providers to access services that host and consolidate the particulars of your identity within their servers rather than your device, and you are amazed that the device can persistently track everything you do with the device?
What's the point of being Google or Apple except for precisely control of such central services?...
♪ Central Services, we do the work, you do the pleasure... ♪
"Have you considered your ducts?"
...And it just so happens that all the news you see is from the device and subject to this surveillance used to colonize your mind... Sounds democratic!
The old Politburo could only dream of such tools for maintenance of a compliant, obedient proletariat.
And with Central Services new "AI" you can get a brain implant to ensure your perfect conformity and access to the best paying jobs in the world, yours and your family's future will be secure. Be sure to invest in these securities, shop here, entertain and vacation there— leave the driving to us! Do it your way.
"A new life awaits you in the Offworld Colonies. A chance to begin again in a golden land of opportunity and adventure. So c'mon America..."
"...Every leap of civilization was built off the back of a disposable work force..."
This is one of the reasons you need to segregate your whole LAN. At the bare minimum, use VLANs to knock off these ruthless scanners. And obviously, this wouldn't be possible if you used a strong adblock list on whatever DNS you're running. They cannot touch the people who take proper measures. I also do not believe people who use Facebook really care about privacy. I am well aware of how mean this sounds, but they fully deserve to be tracked.
The same European intelligentsia that is progressively forcing Apple to tear down the walled garden simultaneously fails to understand that this is exactly why they had it in the first place:
> You’re not affected if (and only if) . . .
> You browse on desktop computers or use iOS (iPhones)
At the very least they should step back and allow companies to enforce safeguards because they clearly lack the understanding or foresight to do so effectively.
The simple way for the EU to beat Meta is to stop being so cheap: break the WhatsApp dependency by actually paying properly for something that has a decent UX and doesn't track you. If you aren't willing to do this you will be exploited over and over again. TANSTAAFL
"Localhost tracking" explained. It could cost Meta €32B
(zeropartydata.es) 562 points by donohoe 10 June 2025 | 268 comments
Comments
Covert web-to-app tracking via localhost on Android (341 comments):
https://news.ycombinator.com/item?id=44169115
Crazy to deploy a hack like this at the scale of Meta.
- How come Yandex was doing it for years without being noticed?
- Facebook must have known about this technique for years as well; why did they only enable it last year?
Why this very news is not on the HN front page for a considerable amount of time is beyond me.
It has the right recipe for a top HN post, namely user deception, sandbox bypass, privacy or lack thereof, web browser, Meta, etc.
This was 15+ years ago now but Verizon (and others?) used Flash (because browsers still shipped with support for that in the 2000s) to create an undeletable cookie. This was settled for low 7 figures.
Privacy legislation has advanced a lot since then and the EU doesn't play around with GDPR violations, particularly when it's so egregious. I don't expect a $32B fine or settlement but it won't surprise me if this costs Meta $1B+.
[1]: https://www.propublica.org/article/verizon-to-pay-1.35-milli...
Perhaps sanctions on those that buy and use the data would help?
Definitely not even close to 32B
As relevant as ever.
https://news.ycombinator.com/item?id=19966959
@dang maybe add a $ to the 32B? I see B so often with AI Models that I think the currency symbol would be useful in this link title
Also not included:
https://www.courtlistener.com/docket/70448987/1/rose-v-meta-...
The wiretapping claims carry damages of $5,000 per violation.
It could be he thinks this is laughable like the ePrivacy Directive.
https://www.reuters.com/technology/metas-facebook-pay-90-mil...
https://dicellolevitt.com/case-study/facebook-agrees-to-pay-...
...
> You always used the Brave browser or the DuckDuckGo search engine on mobile
How does choice of search engine protect from this?