Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.
This is the process through which Meta (Facebook/Instagram) managed to link what you do in your browser (for example, visiting a news site or an online store) with your real identity (your Facebook or Instagram account), even if you never logged into your account through the browser or anything like that.
Meta accomplishes this through two invisible channels that exchange information:
(i) The Facebook or Instagram app running in the background on your phone, even when you’re not using it.
(ii) Meta’s tracking scripts (the now-pulled illegal brainchild uncovered last week), which operate inside your mobile web browser.
I am so happy that I deleted my account on Fecesbook back in 2019. Plus, I am blocking Meta through RethinkDNS. Can’t be more happy!
I have my own company that helps companies websites. There is a company called 6sense that scares the crap out of me. They are able to use Facebook, insta, and reddit. They are able to assign an id to you, even in incog.
They have some crazy algorithm that can eventually match you to the real you. Then stick you in a cohort to sell to you.
Even if you use brave or Firefox. Doesn’t matter.
It’s actually kind of amusing and pathetic to me that they’re doing all this malignant privacy breaching, and putting such massive effort into it, but then only using it to serve you advertising, which I largely ignore anyway.
Very clever!
Are we finally going to jail suckerberg now?
As someone who used to work in the spying on people on the internet game years ago, I gotta respect how clever this is. Evil, but very clever.
I did a ‘download all your data’ on Facebook a while back and there wasn’t anything about my tracked browser history. Does this mean they’ve also violated the “users should be able to see the data you have on them” article of the GDPR as well?
I’m guessing they’re trying to hide behind weasel shit about the ids being anonymized or something as though it wasn’t trivially easy for them to deanonymize…
I can’t remember which one of my phones, probably a Samsung that had Facebook installed and couldn’t get rid of it. People were like, you can just not open it or something. There’s a good reason I don’t want it on my device.
I had one of theirs like that. You could disable it instead of uninstall, and this wouldn’t happen, but you couldn’t uninstall it.
The real fun started with Android 12. Google introduced the ability for some preloaded apps to avoid being disabled and prevent ADB shell disable.
yup. some samsungs also have a hidden “meta services” app thats not uninstallable too.
I have a Samsung phone. I checked app cleaner to see if there are any meta services and there weren’t any so I suppose I’m good.
I block Meta via NextDNS, living that Zuck free life is good.
Can they do this on iPhone
Also they can only do this if you got fb installed right? Cause I uninstalled insta a while ago
Any meta service no just FB
Whatscrap, Instaspam, Messenger, MetaAI…
I’m asking if they can still do this if u uninstalled the app on iPhone, the post talks abt android
Who says any of my
stalkingOSInt accounts is my real identity?Edit: /s ofc. Who would use those crappy apps on phone anyway.
Yeah, but I saw it this time. And thus, got to learn.
These were all cross posts. Use a different client.
Yes, by different users at different times, thats my point.
But the conversation is unique in each community. And each community may not have federated to every instance. This is the Fediverse, not a single site with sub communities.
I do think it would be nice if a client/backend could:
- Take any cross-post link from the main post
- Query any description/comments for cross posts
- Add to the currently displayed comments
- Tack on descriptions as comment blocks with an @ to the cross posting OP to the displayed description
- Mark cross-posts as read when main is read
This would be easier in Lemmy, but could be done with a client, Thunder might be interested.
It was posted 3x to the Privacy@lemmy.ml community. Or at least it looks to me like 3 different accounts posted the same thing to this very community.
I don’t really care about how it works, I’m just tired of the chan-esque experience where I have to question my sanity because I see the same posts every day.
Just because people that don’t actually participate in a given community, thus not seeing the older posts, share the same article because they look for a community that fits and dump it there.
Some subreddits had bots that detected and removed reposts and guided OP to the original post for them to add their discussion points.
So iOS was safe?
Yes
Score one for the “walled garden”
So would using Firefox and group containers protect against this?
Nah, the script connects to a server run by the Instagram or Facebook app and feeds it info, bypassing isolation mechanisms entirely. I think ublock or other script-blocking add-ons might work though.
I think ublock or other script-blocking add-ons might work though.
presumably it would block entire thing at the loading of the pixel script. talking out of my ass
A robot told me: The Meta/Yandex exploit worked by having JavaScript running on a website (such as Meta Pixel) connect from the browser to a native app on the same device via the localhost (127.0.0.1) interface, using HTTP, WebSocket, or WebRTC. This communication occurs entirely within the device and does not traverse the network in a way that browser extensions like uBlock Origin can intercept or block. Browser extensions generally cannot block or even see requests made to localhost sockets, especially when those requests are initiated by scripts running in the browser and targeting native apps on the same device
Yeah but if the script which initiates the connection to the local server is blocked there’s no connection to intercept in the first place.
It says Firefox was also affected. They just mention Brave as not being affected
Meta is cancer for any platform.
I feel my mobile becomes dirty once I download any of that shit.
Same Unfortunately, I use Marketplace for some things and Meta made it damn near impossible to use a browser for posting marketplace listings and responding to DM’s
I live in a slightly less developed country where as far as 90% of the population are concerned, Facebook is the internet.
I hate it with a passion, but if I don’t have a login then there’s no way for me to find details of pretty much any business or event in the city.
Craiglist and eBay still exists
Yes, but Facebook has more people so the items I’m selling typically get picked up pretty fast.
This is the problem with the network effect, everybody using marketplace is saying the same thing. I’m not trying to shame you in particular for this or anything but I think it’s important to consider that at some point if we don’t just make the move off anyway, nobody ever will
That’s a ridiculous assertion. More items that EBay? Where’d you get that idea?
People are generally closer physically in Facebook marketplace compared to the global eBay market.
This is a big factor for me. Attracting local people means that I can meet up in person and not have to spend additional money for shipping ,or worry that the item arrived damaged or is lost during transit.
Since January Google has been using browser fingerprinting and IP triangulation to track across incognito windows.
Meta wants in the game as well. Nothing done on a phone with Meta apps is done in isolation.
Can anyone confirm if Waterfox or Ironfox mobile at least don’t tattle to Meta?
What is IP triangulation?
Let’s say you use a VPN, and all your internet traffic comes from an IP in London. 178.238.10.1.
It doesn’t matter if you have a VPN, if you log in to anything with any account tied to your real name (yourname@gmail.com), your email and anything done on that London IP are all linked. Google builds a profile on you based on the activity on that IP. AND your browser profile. Private/incognito window or not, if there’s a Google tracker on the site, they connect it all. Google doesn’t care about private windows. If you go to reddit in a private window on the same IP as your gmail, Google sees that and tracks every page you look at.
So let’s say that you log into your email from work. Google now has a treasure trove of new info about you and people you know. Same for FB, who uses the fact that you and someone else were logged on from the same IP range to suggest new friends.
Let’s pretend that you live in China and still have access to a VPN and want to learn about the Tienanmen Square Massacre. But the government can ask Google about you. What do you need?
- an IP never ever used with an account associated with an account with your real name.
- a no-log VPN that won’t tattle on you if asked what sites did you access on a specific date.
- a browser fingerprint never ever associated with an account tied to your real name.
Or you could just not use their toxic bullshit. I haven’t logged into Facebook in like 6 years.
Yeah, but they’ll still create a shadow profile on you and track your data anyway. Have a friend with an account? Your name and phone number is known to them. Even without a true identity attached, they will track you from your own devices, and then correlate that with everything else they can at every opportunity.
Also, Facebook is preinstalled as a system app (cannot be uninstalled without adb) on various manufacturer’s and carrier’s android builds.
friend
Lmao, y’all have friends? 🤣💀
IIRC Facebook was not installed by default on my Samsung A32, and there is no trace of it now so I don’t think I removed it. shrug Otherwise, use privacy features in your browser/on your device
Be brave, do it. I just did it a few months ago. Just push the trigger and delete it. Let it go. They will of course keep the data, but at least not legally anymore.
I haven’t deleted it because there are a couple of people I might theoretically need to get in touch with at some point that I don’t have contact with otherwise.
Fair enough.
I held on to this possibility for similar reasons for years, but after some honest self reflection I cannot say there would be anyone from my past life who is still important and I have no other means to contact, my Facebook bubble from 10 years ago and more is long dead, i.e. similarly inactive.
Maybe giving people an email address, phone number or username somewhere else via Facebook message before leaving for good could also be a solution.
You can still use a browser for that occasion. Meanwhile the app is doing things in the background.
I haven’t had the app installed since I got my phone. I don’t believe it was installed by default, or if it was I removed it immediately.
