Meta Tracked Android Users' Incognito Browsing for Months, Yandex for Years

Amsterdam – Recent disclosures show that Meta and Yandex covertly tracked the web browsing activity of Android users, including those using incognito mode or VPNs, bypassing standard privacy protections. This unauthorized data collection, identified by academics from Radboud University and IMDEA Networks, linked users' web histories to their app identities on platforms like Facebook and Instagram. Meta has reportedly engaged in this practice since September 2024, while Yandex has been doing so since 2017.

The tracking method exploited a "localhost" loophole in Android, allowing Meta Pixel and Yandex Metrica scripts embedded on websites to communicate directly with the companies' native apps on the same device. This technique circumvented Android's sandboxing features and browser privacy settings, enabling the collection of detailed browsing metadata, cookies, and user actions. Researchers noted that Meta's apps would receive data like the _fbp cookie from the Meta Pixel script, linking web visits to logged-in Facebook or Instagram accounts.
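
A defender reviewing captured browser traffic can look for the pattern described above. The following added example (not code from the researchers, Meta, Yandex or Google) flags requests that a page on a public origin sends to the device's own loopback interface. The input shape, hostnames and ports are constructed assumptions, since the article does not describe the transport the scripts used.

```javascript
// Added illustration: find web-to-localhost requests in a captured request log.
// Input shape ({ pageUrl, requestUrl }) is an assumption; sample data is constructed.

// True when the hostname names the device itself: localhost, *.localhost,
// the IPv4 block 127.0.0.0/8, or IPv6 ::1. URL parsing has already normalised
// short or decimal IPv4 spellings for http(s) and ws(s) URLs.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127;
}

// Returns one finding per request that crosses from a public page to loopback.
function findLoopbackRequests(entries) {
  const findings = [];
  for (const { pageUrl, requestUrl } of entries) {
    let page, req;
    try {
      page = new URL(pageUrl);
      req = new URL(requestUrl);
    } catch {
      continue; // skip malformed log rows
    }
    // A locally served page (development server) talking to loopback is expected.
    if (isLoopbackHost(page.hostname)) continue;
    if (!isLoopbackHost(req.hostname)) continue;
    findings.push({ page: page.origin, target: req.host, scheme: req.protocol.slice(0, -1) });
  }
  return findings;
}

// Constructed sample log; the hostnames and ports are placeholders.
const sampleLog = [
  { pageUrl: "https://shop.example/checkout", requestUrl: "https://cdn.example/pixel.js" },
  { pageUrl: "https://shop.example/checkout", requestUrl: "http://127.0.0.1:12345/collect?id=abc" },
  { pageUrl: "https://news.example/", requestUrl: "ws://localhost:23456/" },
  { pageUrl: "http://localhost:3000/", requestUrl: "http://localhost:3000/api" },
  { pageUrl: "https://blog.example/post", requestUrl: "http://[::1]:8080/x" },
  { pageUrl: "https://blog.example/post", requestUrl: "https://127.0.0.1.cdn.example/a.js" },
];

for (const f of findLoopbackRequests(sampleLog)) {
  console.log(`${f.page} -> ${f.scheme}://${f.target}`);
}
```

The last sample row shows why the check parses the hostname instead of searching the URL for the string "127.0.0.1": a public domain can embed that text as a label without pointing at the device.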

Following the exposure, Meta announced it had paused the feature, with a spokesperson calling it a "miscommunication" and stating they were working with Google to clarify its policies. Conversely, Yandex denied the allegations, claiming they were "not collecting anything sensitive" and that the feature was solely for personalization. Google acknowledged that these practices violated its privacy principles and has begun patching its Chrome browser to address the exploited loophole, while other browsers like DuckDuckGo and Brave were largely unaffected.

The implications for user privacy are significant, as the tracking occurred without explicit consent or knowledge, undermining the expectation of privacy in incognito browsing. As stated in the original tweet, "Your private browsing wasn’t private. Your app usage was silently tied to your web history." This behavioral data, collected without user control, can be leveraged for highly personalized advertising and potentially feed into tools used in SIM swap attacks, phishing scams, and social engineering tactics.

Experts emphasize that this incident highlights a systemic issue where technical mechanisms circumvent established privacy safeguards. While Google works on platform-level fixes, privacy advocates urge users to take control of their digital footprint by uninstalling implicated apps or using privacy-focused browsers. The controversy underscores the ongoing challenge of maintaining user trust when tech giants blur the lines between convenience and data exploitation.