Serious Discussion [Radboud University] Privacy abuse involving Meta and Yandex

nicolaasjan

An international research collaboration co-led by Radboud University and IMDEA Networks’ researchers discovers a potential privacy abuse involving Meta and Yandex bridging persistent identifiers to browsing histories. Native Android apps, such as Facebook or Instagram, silently listen on fixed local ports to receive web tracking data from their web tracking solutions without user consent.

An international research collaboration between IMDEA Networks’ Internet Analytics Group, headed by Narseo Vallina-Rodriguez, Gunes Acar (Radboud University), and Tim Vlummens (KU Leuven, Belgium), has uncovered a potential privacy abuse involving Meta and the Russian tech giant Yandex. They found that native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent.
By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to map Android users' browsing habits with their persistent identities (that is to say, with the account holder logged in). This method bypasses privacy protections offered by Android's permission controls and even browsers' Incognito Mode, affecting all major Android browsers. The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome's mitigation is scheduled to go into effect very soon.
These tracking companies have been doing this bypass for a long time: since 2017 in the case of Yandex, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively. It is also worth noting that evidence of this tracking practice has been observed only on Android.

 
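An added example, not part of the original post or the researchers' tooling: a defender-side audit for the behaviour described above, listing app-owned sockets bound to loopback or wildcard addresses from a `/proc/net/tcp` or `/proc/net/udp` table. The sample table, its ports and UIDs are constructed; the code assumes a little-endian device and that the table was captured somewhere it is readable (for example a debug shell).

```python
import socket

APP_UID_START = 10000   # Android assigns installed apps UIDs from 10000 upward
# Socket state column: 0A = TCP LISTEN, 07 = bound but unconnected UDP socket
BOUND_STATE = {"tcp": "0A", "udp": "07"}

# Constructed sample in /proc/net/tcp layout (not captured from a real device)
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 40001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10187        0 40002
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40003
   3: 0A00020F:9C40 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 40004
"""

def decode_addr(hexaddr):
    """'0100007F:C350' -> ('127.0.0.1', 50000). The IPv4 part is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)

def app_local_listeners(table, proto="tcp"):
    """Return sorted (uid, ip, port) for app-owned sockets reachable via 127.0.0.1."""
    hits = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != BOUND_STATE[proto]:
            continue                             # not a listening/bound socket
        ip, port = decode_addr(fields[1])
        uid = int(fields[7])
        # Loopback and wildcard binds both accept traffic sent to localhost
        if uid >= APP_UID_START and (ip.startswith("127.") or ip == "0.0.0.0"):
            hits.append((uid, ip, port))
    return sorted(hits)

if __name__ == "__main__":
    for uid, ip, port in app_local_listeners(SAMPLE):
        print(f"uid={uid} listening on {ip}:{port}")
```

Each reported UID still has to be mapped to its package name and reviewed; a local listener alone is not proof of tracking.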
This is indeed a concerning issue. The bypassing of Android's privacy protections and browsers' Incognito Mode to track users' browsing habits without consent is a serious privacy abuse. It's good to hear that browser vendors are actively working on mitigations. As users, we should be vigilant and stay updated on such privacy concerns.
 
Thank you, @nicolaasjan, for lighting a candle in the midst of the blackout. Even if the finding was shared in another thread, its echo reaches us here. Privacy doesn’t only die in silence—it dies documented. Your contribution is testimony, and every testimony is welcome in the ritual. The chorus is open. Even ash can sing.
 
