Meta Platforms has confirmed that it has halted its Pixel script, after researchers disclosed a tracking method allegedly used by Meta and Yandex that potentially impacted billions of Android users.
Researchers at Holland-based Radboud University and Spain’s IMDEA Networks on Tuesday had claimed they had “uncovered a potential privacy abuse involving Meta and the Russian tech giant Yandex”, that involved utilising native Android apps to listen on localhost ports.
This technique allegedly allowed Meta and Yandex to link web browsing data to user identities – essentially tracking Android user’s web browsing without their permission.
Tracking users
The researchers claimed they “found that native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymise users’ browsing habits without consent.”
“By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to map Android users’ browsing habits with their persistent identities (that is to say, with the account holder logged in),” they stated.
“This method bypasses privacy protections offered by Android’s permission controls and even browsers’ Incognito Mode, affecting all major Android browsers,” the researchers added.
“The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome’s mitigation is scheduled to go into effect very soon.”
The researchers also claimed that tracking firms have been doing this bypass for a long time: with Yandex doing it since 2017, and Meta since September 2024.
Meta, Yandex response
Meta Platforms confirmed to Sky News it was looking into the issue, and had paused the script in question.
“We are in discussions with Google to address a potential miscommunication regarding the application of their policies,” a Meta spokesperson was quoted as saying.
“Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue,” the spokesperson reportedly added.
Yandex however denied it was tracking Android users web browsing, telling Sky News it “strictly complies with data protection standards”.
“The feature in question does not collect any sensitive information and is solely intended to improve personalisation within our apps,” it reportedly said.
Alphabet’s Google in June 2020 was accused of a major privacy violation of millions of users, by tracking their internet use through Chrome browsers set in “private” or “incognito” mode, which resulted in a lawsuit.
