Meta pauses mobile port tracking tech on Android after researchers cry foul

Security researchers say Meta and Yandex used native Android apps to listen on localhost ports, allowing them to link web browsing data to user identities and bypass typical privacy protections. Following the disclosure, researchers observed that Meta's Pixel script stopped sending data to localhost and that the tracking code …

  1. JWLong Silver badge

    Meta

    Just amazing how fast they cut the crap out when this was published on Arstechnica this morning.

    I block over 1K IP addresses for farcefuckbook and yet they have ways of getting around the means that people use to stop their shit.

    This cat and mouse stuff needs to end. Users should have a positive means of blocking any and all access from any web service if they so desire.

    I know it will never happen, but, one can dream!

    1. DS999 Silver badge

      Re: Meta

      They will either bring it back in a month after everyone has forgotten about it or they have backup plans B, C and D to accomplish their tracking and they'll switch to one of those. That'll be good for a couple years until someone catches onto that scheme.

      1. The Indomitable Gall

        Re: Meta

        Maybe, but it would be risky.

        The thing is, if they're only doing this on Android and haven't attempted to sneak it into the iOS client, that's a tacit admission that they know they're pushing it and that it's in breach of policy. It would be politically difficult if they reintroduce it on Android without getting a similar feature into iOS. And they're not going to manage to get that past the Apple app store security, so they'd leave themselves open to pretty notable criticism if they tried to slip it back in...

        1. DS999 Silver badge

          Re: Meta

          I don't think iOS allows localhost connections between apps, so what they are doing on Android probably isn't possible on iOS.

    2. Doctor Syntax Silver badge

      Re: Meta

      "Users should have a positive means of blocking any and all access from any web service if they so desire."

      Delete any Meta or other offending app. Better still, never install it. You know their entire purpose is to abuse you for monetisation even if they're stopped from using one particular channel so why go there? The only way to win is to not play.

      1. Anonymous Coward

        Re: Meta

        You do know that some form of Failbook installer is present on every freaking Android device under the sun, right? And you can only disable it for the current user, and only by using ADB.

  2. Jamie Jones Silver badge
    FAIL

    One rule for them

    If we wrote a program that did that, being banned by Google would be the least of our problems. We'd probably be jailed for trojanised privacy violations.

    Yet Meta et al. can just put it down to a "miscommunication" and get away with it. They need to be fined SERIOUS money under GDPR and the people responsible be held personally liable.

    And now my browser rant. I'm fed up of all these things added to browsers to do non browsing stuff. If I'm forced to enable javascript, I don't want RTC and all sorts of shite open. I don't want to be fingerprinted by revealing my window and screen resolutions, installed fonts etc.

    If any web site "legitimately" wants my window resolution, it's doing it wrong.

    I've never used rtc in a browser.

    I don't want the browser playing God with my DNS config.

    Just render the webpage damnit!

    1. SVD_NL Silver badge

      Re: One rule for them

      "I don't want the browser playing God with my DNS config."

      THIS. It pisses me off *so* much how some browsers enforce their own DNS settings. I have a pi-hole I access over LAN or VPN, I don't need DoH, stop forcing the Google DNS on me because it provides "more security and privacy". Same on Android, you have to disable secure DNS or it will ignore your custom DNS settings.

      I don't really have an issue with enabling DoH by default (other than Google defaulting to its own DNS), but I do have a problem with them silently overriding my DNS settings.

      1. Blacklight

        Re: One rule for them

        There are ways around this, although they are "not for the average user" (sadly).

        I've got piHole, linked to OpenDNS - and WireGuard on my LAN which my phone accesses remotely - and you can route "0.0.0.0/0" (everything) back over it - and then just block 853 (DoT) and any unknown port 53 sites. DoH is harder but you can at least "block known hosts".

        I've only seen a couple of apps try to force their own DNS - normally easy to spot as various icons break due to not loading :)

    2. kmorwath

      Re: One rule for them

      I guess this is also a huge GDPR infringement, but I'm sure the leprechauns at the Irish DPC are getting new Zuck gold for their pots, and will soon tell us that Meta promised to be fully GDPR compliant so everything is fine, move on.

      It's a bit disconcerting that Meta fears Google - because it can ban Meta apps immediately and easily - more than EU laws.

      1. Numpty

        Re: One rule for them

        I guess we're not counting the €2.8 billion that the DPC has previously fined Meta, then. (They haven't collected most of it due to legal challenges, of course, but that's a whole different matter.)

        1. Alumoi Silver badge

          Re: One rule for them

          No, it's not a different matter. Everybody plays the game: we fine you a shitload of money, people are happy we do something about it, you challenge the fine, people forget about it, we silently let the matter pass, you don't pay anything. Rinse and repeat.

          If they would be serious about it they would modify the law so the fuckers would have to first pay the fine and then challenge it.

      2. The Indomitable Gall

        Re: One rule for them

        I would really advise against using potentially xenophobic criticism ("leprechauns"...?) when criticising the actions of a government, as it is too easily dismissed as just starting and ending with xenophobia, but there are real concerns that Ireland is letting tech companies get away with things on taxes and GDPR that other countries wouldn't dream of.

        Harmonisation of laws and taxes across the EU has the express purpose of trying to stop countries competing to draw foreign companies in, and ending up in a race to the bottom -- the old line was "if you don't give us tax breaks, we'll go somewhere that will, so you will get more tax if you don't charge us tax, because you'll be able to charge income tax on all the people we will employ." I'm concerned that Ireland is bringing the EU back that way.

        (And I really should get myself an Irish passport soon, too....)

      3. MOH

        Re: One rule for them

        I'd normally downvote this for the leprechaun comment but the Irish DPC is an absolute disgrace

    3. This post has been deleted by its author

    4. Jamie Jones Silver badge

      Re: One rule for them

      Incidentally, see this page to see all the information JavaScript allows sites to retrieve about your system:

      https://amiunique.org/

      Battery / charging status, keyboard layout, GL renderer etc. FFS

      1. Boothy

        Re: One rule for them

        Interesting site, apparently I am unique, have a Gyroscope and my batteries are charging just fine.

        PS: I'm on a home built desktop, so no Gyroscope or Batteries, hmm!

        1. Jamie Jones Silver badge
          Happy

          Re: One rule for them

          ... that you know of!

  3. David 132 Silver badge
    Facepalm

    Oops, caught out

    "We are in discussions with Google to address a potential miscommunication regarding the application of their policies," a Meta spokesperson told The Register. "Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue."

    In other words, "whoops, we got caught out trying to violate the spirit if not the letter of Google's policies".

    Can there have been any thought-process behind this mechanism other than "how can we continue to ID users within Google's constraints"?

    Hands up anyone who will believe Meta next time they claim to take users' privacy seriously.

    1. Alumoi Silver badge

      Re: Oops, caught out

      I truly believe Meta & all take users' privacy seriously. Away, that is.

    2. DoctorPaul Bronze badge

      Re: Oops, caught out

      You mean like the TV ads for WhatsApp's privacy that they just started running?

  4. Anonymous Coward

    Meta Malware

    And duckduckgo which blocks Meta Malware is not supported by many apps. Such as X. Go figure. US companies just dislike anything that stops them spying on you. Why all these apps are not categorized as malware is a big question.

    Charge Meta 29 billion and give everyone in the EU a €100 voucher.

  5. Anonymous Coward

    Scum

    It's so scummy it's incredible. Sort of underhand behaviour you'd expect of authoritarian governments not a social media company! There should be laws (maybe there are) about data collection and notifying users, breaking them should incur serious personal fines of the company board members and major shareholders. That would stop it.

    I don't install fb or Instagram etc and this sort of thing is why. But can they track via browsers? I only use fb because some people and organisations lack the imagination to communicate via other methods. I wish someone would sneak spyware onto the likes of Zuckerberg's devices and start publishing everything, that would be reasonable given his behaviour.

    1. Anonymous Coward

      Re: Difference between authoritarian governments and social media companies

      "Sort of underhand behaviour you'd expect of authoritarian governments not a social media company!"

      Test Question (100 points):

      Name 1 (One) ethical principle where social media companies live by better standards than authoritarian governments.

      Give examples (name, decade)

      1. unlocked

        Re: Difference between authoritarian governments and social media companies

        This is not hard. Social media platforms have traditionally allowed you to say basically whatever you want so long as it's not detrimental to other people's ability to use the platform (e.g. spam) and doesn't break certain basic laws (e.g. no actual threats, no CP) or community standards (varies by platform). For example, YouTube and Reddit have a history of defending the speech of their users to a fault, even getting into trouble with governments (and broad swaths of the public) for it. If you want a specific example, you can see the case of Anwar al-Awlaki, a terrorist that YouTube resisted taking down videos of until significant pressure mounted from the US and UK governments in 2010. Twitter pre-Musk also resisted Turkish censorship (2010s), leading to the site getting blocked rather than cave to Erdogan's demands.

        I'll admit that western social media is no longer quite as rosy on this point as it once was (for many reasons, some good and some bad), but they're certainly miles better than authoritarian governments.

        1. Jamie Jones Silver badge

          Re: Difference between authoritarian governments and social media companies

          YouTube videos, maybe. Not the comments. Try writing a comment containing the words murder, gun, or shooting, or even mention Israel and Palestine in the same sentence, and your comment will not be visible to anyone else but you.

          That's just an example. If you write about anything other than your liking of fluffy kittens, there's a good chance of it happening.

  6. kmorwath

    It's commonly used by [lame] software developers

    Who can't code IPC/RPC without HTTP because they know no better. Time to enable firewall rules for localhost as well...

  7. Craig100

    So they got caught. What gets me is why anyone would want to do this to another person they're not at war with. It's beyond me. Why do developers go along with it? Why don't they grow a pair and just say "no, it's wrong"? I know marketing types will be behind this, they'll all sell their first born for glue if it means a move up the greasy pole or a commission. Pisses me off!

    1. Numpty

      Some do. But there are always others waiting to take their place, often those on H1-B visas who aren't generally in a position to rock the boat.

    2. tiggity Silver badge

      @Craig100

      Plenty of devs will go along with it for various reasons, e.g.:

      They get well paid, wealth beats morals?

      Meta can look good on their CV

      Just because they are devs does not mean they care enough about user privacy* - (they may care but job matters more or they may just not care)

      * Being a developer does not necessarily mean someone cares about data slurping or other "ethical" ** matters.

      ** I once left a role for ethical reasons, but not many people have the luxury of doing that (e.g. partner, kids, mortgage etc. may override ethics) & when I look for roles they need to be a company I would happily work for (so many companies, including Meta, would obviously not be on my list of acceptable companies).

    3. Anonymous Coward

      I once worked at an organisation where our team had been asked to implement fb pixel. I didn’t do it myself, but when I saw that it had been added to the noscript tag (as per fb’s instructions), I committed a comment on how morally repugnant it was.

  8. Pascal Monett Silver badge
    Flame

    "a website integrating the Meta Pixel"

    These pixel things are more than a decade old. Why is it that browsers don't simply ignore them?

    It's not like nobody knows what they're for, and a single pixel, in today's 4K environment, can't have the excuse of display or decoration.

    Block them by default.

    I'd suggest hanging the CEO who is responsible, but I know that will never happen.

    1. unlocked

      Re: "a website integrating the Meta Pixel"

      You can't know if something is a tracking pixel until you load it, and by then it's already too late.

      But also this isn't actually a tracking pixel, it's an analytics/tracking script. The product is just called "Meta Pixel".

    2. Anonymous Coward

      Re: "a website integrating the Meta Pixel"

      The Facebook Pixel should have been made illegal years ago.

      The Markup has done an excellent job of exposing Meta's Pixel siphoning off users' most private information, as it has been found embedded in mental health sites, tax-related forms, mortgage sites, apartment sites that tenants use to pay rent, etc.

      https://themarkup.org/series/pixel-hunt

  9. M. Poolman
    Mushroom

    See icon

    "We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue."

    Burn them.

    Burn them all with fire.

    Then burn the ashes.

  10. Peter Galbavy

    There is a setting in the standard Android FB app, something like "open links in external browser" and it used to work once, but I noticed that it stopped using an external browser a while back. I assume it's all linked to this privacy breaching, GDPR violation? I doubt they will ever "fix" the bug.

  11. Rosie Davies

    Localhost is a loopback address

    Seeing this in a Reg article makes me sad. I mean, really? El Reg's readership need to have 127.0.0.1 explained to them?

    Friends, let us now gather in solemn silence and fond memory for the death of a formerly noble tech website, written by techies, for techies.

    Rosie

    1. Anonymous Coward

      Re: Localhost is a loopback address

      that's for the demented low IQ maga twats

      they are trying not to scare away the ones we laugh at.

    2. Anonymous Coward

      Re: Localhost is a loopback address

      Relax there Rosie,

      Not all the readers of this esteemed tech site went to uni and studied computer science.

      Some of us are learning as we go and read articles and comments on this and other tech related websites to learn how to protect ourselves and loved ones from the likes of Facebook and others.

      I have learned a lot from reading The Register over the years and have dramatically altered the way I use tech and browse the internet.

      I’m writing this now with both cookies and JavaScript blocked but also use a Linux VM that uses my PiHole for DNS when I browse the internet.

  12. Anonymous Coward

    Scummy fuckpigs

    1. ecofeco Silver badge

      We don't call them tech douche bros for nothing!

  13. ecofeco Silver badge
    Pirate

    Gee what a surprise

    Tech douche bros are ALWAYS gonna tech douche bro.

    Many thanks to Ars Technica and El Reg for bringing this to the public.

  14. Grindslow_knoll

    'feature'

    A solid heuristic is to assume that anything Meta calls a feature, is to the detriment of the general population.

    A bug is something that cuts in their revenue.

    1. ecofeco Silver badge

      Re: 'feature'

      Same goes for all big tech.

      I can't think of one single damn benefit they've done for users in the last ten years beyond vapid entertainment.

  15. Filippo Silver badge

    Wait. I'm not sure I'm getting the technical side of this, or if I'm getting it, I don't believe it.

    A website that is not served by localhost is allowed to open arbitrary ports on localhost now? Surely that's impossible, as it would result in every PC in the world being breached in about ten minutes?

    1. unlocked

      The Facebook app is listening on those ports. Websites not served on localhost are indeed allowed to talk to localhost, and as a developer I am very thankful for it. They are not allowed to read data from localhost without appropriate CORS headers being set, but stuff like a port scan is indeed possible, and poorly written applications hosted locally can be vulnerable to CSRF attacks.
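      A defender's check for the listening side described above, as an added example that is not part of the original thread: it parses `/proc/net/tcp` (for an Android device, the output of `adb shell cat /proc/net/tcp`, assumed readable) and lists sockets in LISTEN state bound to loopback or to the wildcard address, with the owning UID; on Android, UIDs of 10000 and above belong to installed apps. The sample lines are constructed.

```python
"""List loopback-reachable TCP listeners from /proc/net/tcp (Linux/Android).

Added example; the sample below is constructed, not captured from a device.
Usage on Android: adb shell cat /proc/net/tcp | python3 this_script.py
"""
import socket
import struct
import sys

TCP_LISTEN = "0A"              # socket state code used by /proc/net/tcp
ANDROID_APP_UID_START = 10000  # UIDs >= 10000 are installed apps on Android

# Constructed sample: one app listening on 127.0.0.1:12345, one root-owned
# service on 0.0.0.0:8080, and one established connection (not a listener).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 54321 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 54322 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10234        0 54323 1 0000000000000000 20 4 30 10 -1
"""


def parse_addr(hex_addr):
    """Decode 'AABBCCDD:PPPP' as the kernel prints it: IPv4 little-endian, port big-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def loopback_listeners(proc_net_tcp):
    """Return listeners a browser on the same device can reach: bound to 127.x or 0.0.0.0."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = parse_addr(fields[1])
        if ip.startswith("127.") or ip == "0.0.0.0":
            uid = int(fields[7])
            found.append({"ip": ip, "port": port, "uid": uid,
                          "app": uid >= ANDROID_APP_UID_START})
    return found


def app_listeners(proc_net_tcp):
    """Only the listeners owned by app UIDs, i.e. sockets an installed app opened."""
    return [entry for entry in loopback_listeners(proc_net_tcp) if entry["app"]]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for entry in loopback_listeners(text):
        tag = "APP" if entry["app"] else "sys"
        print(f"{tag} uid={entry['uid']:<6} {entry['ip']}:{entry['port']}")
```

Mapping an app UID back to a package name is left to the platform's package manager; the point of the check is that any listener in the APP rows is reachable by a page's script, exactly as the comment above explains.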

      1. Rich 2 Silver badge

        Why is this even possible? I can see the value of it in a dev environment. But it should only be a dev tool. That needs explicitly switching on.

        So, just to make sure I have this right, the web page (script) can only write to localhost? It can’t read? Is that right?

        Also, is this “feature” (gaping hole) in most browsers?

        1. Jamie Jones Silver badge

          Unfortunately, it's read/write, and available universally. Though it can theoretically only talk to a willing service, the problem as highlighted in this article is that the Facebook app client is a willing service.

          https://en.wikipedia.org/wiki/WebSocket

        2. unlocked

          Localhost is treated as an origin like any other and is subject to the exact same cross-origin rules as any other origin would be. That is, websites can send requests but cannot see the response unless the server gives them permission with an appropriate CORS header.

      2. Filippo Silver badge

        So, any webpage is allowed to do a silent port scan of the machine it's displayed on, and poke for exploits? And nobody thinks this is a problem?

        1. Jamie Jones Silver badge
  16. mevets
    Coat

    Did google buy a dictionary?

    They seem to have finally figured out what evil means..... or is it just they object to their shenanigans being applied against them.

    I think alpha buying a dictionary is worthy of the icon...

  17. Anonymous Coward

    If you already have NSO/Pegasus.....

    ....on your device, META (or Google) are the least of your problems!!!!
