Researchers recently caught Meta using an egregious new tracking technique to spy on you. Exploiting a technical loophole, the company was able to have their apps snoop on users’ web browsing. This tracking technique stands out for its flagrant disregard of core security protections built into phones and browsers. The episode is yet another reason to distrust Meta, block web tracking, and end surveillance advertising.
Fortunately, there are steps that you, your browser, and your government can take to fight online tracking.
What Makes Meta’s New Tracking Technique So Problematic?
More than 10 years ago, Meta introduced a snippet of code called the “Meta pixel,” which has since been embedded on about 20% of the most trafficked websites. This pixel exists to spy on you, recording how visitors use a website and respond to ads, and siphoning potentially sensitive info like financial information from tax filing websites and medical information from hospital websites, all in service of the company’s creepy system of surveillance-based advertising.
While these pixels are well-known, and can be blocked by tools like EFF’s Privacy Badger, researchers discovered another way these pixels were being used to track you.
Meta’s tracking pixel was secretly communicating with Meta’s apps on Android devices. This violates a fundamental security feature (“sandboxing”) of mobile operating systems that is meant to keep apps from communicating with each other. Meta got around this restriction by exploiting localhost, a loopback networking feature normally used for developer testing. This allowed Meta to create a hidden channel between mobile browser apps and its own apps. You can read more about the technical details here.
This workaround helped Meta bypass user privacy protections and attempts at anonymity. Typically, Meta tries to link data from “anonymous” website visitors to individual Meta accounts using signals like IP addresses and cookies. But Meta made re-identification trivial with this new tracking technique by sending information directly from its pixel to Meta's apps, where users are already logged in. Even users who blocked or cleared cookies, hid their IP address with a VPN, or browsed in incognito mode could be identified with this tracking technique.
Meta didn’t just hide this tracking technique from users. Developers who embedded Meta’s tracking pixels on their websites were also kept in the dark. Some developers noticed the pixel contacting localhost from their websites, but got no explanation when they raised concerns to Meta. Once publicly exposed, Meta immediately paused this tracking technique. They claimed they were in discussions with Google about “a potential miscommunication regarding the application of their policies.”
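The signal those developers noticed, a web page contacting localhost, is easy to check for in captured browser traffic. The following Python script is an added example, not code from EFF’s post or from the researchers; it scans a HAR capture (the request log browser devtools can export) for requests that a remotely served page sends to loopback addresses, skipping pages that are themselves local development servers. The HAR records, hostnames and ports are constructed placeholders.

```python
"""Flag web-page requests to the device's loopback interface (added
illustration, not EFF's or the researchers' code). Scans a HAR capture,
the JSON devtools export, for requests that a remotely served page sends
to localhost, 127.0.0.0/8 or ::1. Samples below are constructed."""
import ipaddress
from urllib.parse import urlsplit

def is_loopback(host):
    """True for 'localhost' and any IPv4/IPv6 loopback literal."""
    host = (host or "").lower().rstrip(".")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # ordinary DNS name, not an IP literal
        return False

def find_loopback_requests(har):
    """(page_url, request_url) for each loopback request made by a page
    that is not itself on localhost; local dev servers are skipped."""
    pages = {p["id"]: p.get("title", "") for p in har["log"].get("pages", [])}
    hits = []
    for entry in har["log"]["entries"]:
        page_url = pages.get(entry.get("pageref"), "")
        req_url = entry["request"]["url"]
        if is_loopback(urlsplit(page_url).hostname):
            continue  # page itself is a local dev server, expected
        if is_loopback(urlsplit(req_url).hostname):
            hits.append((page_url, req_url))
    return hits

SAMPLE_HAR = {  # constructed capture; hosts and ports are placeholders
    "log": {
        "pages": [{"id": "p1", "title": "https://shop.example/checkout"},
                  {"id": "p2", "title": "http://localhost:3000/dev"}],
        "entries": [
            {"pageref": "p1", "request": {"url": "https://shop.example/checkout"}},
            {"pageref": "p1", "request": {"url": "https://tracker.example/pixel.js"}},
            {"pageref": "p1", "request": {"url": "http://localhost:8080/sdk?e=view"}},
            {"pageref": "p1", "request": {"url": "ws://[::1]:9000/events"}},
            {"pageref": "p2", "request": {"url": "http://localhost:3000/api"}},
        ],
    }
}

if __name__ == "__main__":
    for page, url in find_loopback_requests(SAMPLE_HAR):
        print(f"{page} -> {url}")
```

Any hit on a production page is worth tracing back to the script that issued it; WebSocket and plain HTTP URLs are both covered because the check is on the target host, not the scheme.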
While the researchers only observed the practice on Android devices, similar exploits may be possible on iPhones as well.
This exploit underscores the unique privacy risks we face when Big Tech can leverage out-of-control online tracking to profit from our personal data.
How Can You Protect Yourself?
Meta seems to have stopped using this technique for now, but that doesn’t mean they’re done inventing new ways to track you. Here are a few steps you can take to protect yourself:
Use a Privacy-Focused Browser
Choose a browser with better default privacy protections than Chrome. For example, Brave and DuckDuckGo protected users from this tracking technique because they block Meta’s tracking pixel by default. Firefox only partially blocked the new tracking technique with its default settings, but fully blocked it for users with “Enhanced Tracking Protection” set to “Strict.”
It’s also a good idea to avoid using in-app browsers. When you open links inside the Facebook or Instagram apps, Meta can track you more easily than if you opened the same links in an external browser.
Delete Unnecessary Apps
Reduce the number of ways your information can leak by deleting apps you don’t trust or don’t regularly use. Try opting for websites over apps when possible. In this case, and many similar cases, using the Facebook and Instagram website instead of the apps would have limited data collection. Even though both can contain tracking code, apps can access information that websites generally can’t, like a persistent “advertising ID” that companies use to track you (follow EFF’s instructions to turn it off if you haven’t already).
Install Privacy Badger
EFF’s free browser extension blocks trackers to stop companies from spying on you online. Although Privacy Badger would’ve stopped Meta’s latest tracking technique by blocking their pixel, Firefox for Android is the only mobile browser it currently supports. You can install Privacy Badger on Chrome, Firefox, and Edge on your desktop computer.
Limit Meta’s Use of Your Data
Meta’s business model creates an incentive to collect as much information as possible about people to sell targeted ads. Short of deleting your accounts, you have a number of options to limit tracking and how the company uses your data.
How Should Google Chrome Respond?
After learning about Meta’s latest tracking technique, Chrome and Firefox released fixes for the technical loopholes that Meta exploited. That’s an important step, but Meta’s deliberate attempt to bypass browsers’ privacy protections shows why browsers should do more to protect users from online trackers.
Unfortunately, the most popular browser, Google Chrome, is also the worst for your privacy. Privacy Badger can help by blocking trackers on desktop Chrome, but Chrome for Android doesn’t support browser extensions. That seems to be Google’s choice, rather than a technical limitation. Given the lack of privacy protections they offer, Chrome should support extensions on Android to let users protect themselves.
Although Chrome addressed the latest Meta exploit after it was exposed, their refusal to block third-party cookies or known trackers leaves the door wide open for Meta’s other creepy tracking techniques. Even when browsers block third-party cookies, allowing trackers to load at all gives them other ways to harvest and de-anonymize users’ data. Chrome should protect its users by blocking known trackers (including Google’s). Tracker-blocking features in Safari and Firefox show that similar protections are possible and long overdue in Chrome. It has yet to be approved to ship in Chrome, but a Google proposal to block fingerprinting scripts in Incognito Mode is a promising start.
Yet Another Reason to Ban Online Behavioral Advertising
Meta’s business model relies on collecting as much information as possible about people in order to sell highly targeted ads. Even though this method has been paused, as long as that incentive remains, Meta will keep finding ways to bypass your privacy protections.
The best way to stop this cycle of invasive tracking techniques and patchwork fixes is to ban online behavioral advertising. This would end the practice of targeting ads based on your online activity, removing the primary incentive for companies to track and share your personal data. We need strong federal privacy laws to ensure that you, not Meta, control what information you share online.