Instituto Bolívar de Estrategia y Diálogo
Pensamiento Estratégico, Diálogo Global

Meta's Covert Tactics: Tracking Mobile Browsing Without Consent

Jun 3, 2025, 12:13

At Radboud University in the Netherlands, privacy and online tracking professor Günes Acar embarked on an intriguing project with his master's students. He aimed to uncover a peculiar tracking case on the university's website: "I was aware that the page had multiple trackers, including Facebook's. Suddenly, I noticed a connection to a local port, essentially my own computer. Initially, I was puzzled," Acar recalls. Searching online for others who might have noticed, he found Facebook developers complaining about the same issue. "Facebook didn't respond, and then someone commented, 'I don't see it anymore.' But it wasn't that Facebook stopped; they switched to an even more covert method," says Acar.

Acar consulted Narseo Vallina-Rodríguez, a security and privacy expert from IMDEA Networks. "What on earth...," was Vallina-Rodríguez's first reaction. Was Meta scheming to bypass browser privacy permissions? Merely reading the code offered no answers. They ran tests pairing websites with Meta's apps, Facebook and Instagram, which revealed that Meta linked app data with user browsing activity, even in incognito mode or when using a VPN. The technical specifics are detailed on a page created by the academics.

"We observed that the web interacted with the mobile app to exchange information and identifiers," Vallina-Rodríguez explains. "This indicates a well-crafted strategy to de-anonymize web traffic on Android devices. Since this behavior activates only with exact software components within the app and browser, it's much harder to detect," he adds.

Shortly after global media, including EL PAÍS, questioned the practice, Meta disabled this system on Monday: "We are engaging with Google to clarify a potential misunderstanding regarding their policy application. Upon learning of the concerns, we chose to pause the feature while collaborating with Google to address the issue," a Meta spokesperson states.

This time, they went too far. Google is already patching its Chrome browser to prevent Meta from exploiting this vulnerability. The issue also affects other Android browsers such as Firefox, Edge, or DuckDuckGo. "We explore various areas like this, but this time they've gone overboard," Acar comments. "It's something that has genuinely surprised seasoned privacy sector professionals."

Meta had employed this method since September 2024. Could it relate to Google's ongoing cookie changes? "It's possible they launched this new method in response to initiatives like Google's Privacy Sandbox to limit third-party tracking in browsers, but that's just speculation," Vallina-Rodríguez indicates.

Besides Meta, researchers found that Russian platform Yandex had been doing the same since 2017 unnoticed. Was Meta's system an adaptation of Yandex's setup? It's hard to say: "The initial version of Meta's communication system closely resembled Yandex's, as both used connections to the local port, namely the user's device. Later, Meta shifted to protocols slightly harder to detect," Vallina-Rodríguez explains.

This system required users to be logged into their Instagram or Facebook app on an Android device. Websites also needed to have installed the Meta Pixel, a small code fragment that enables tracking. This pixel is present on roughly 20% of the most visited pages, including sensitive ones like adult content sites. When a user visited a specific webpage, the pixel generated a cookie that was sent to Meta. Under this system, the pixel also opened a connection with the mobile app, linking the cookie to the user's identity and sending it back to Meta's servers.

This cookie allowed tracking as users navigated between websites. That is why this method is so intrusive, innovative, and potentially illegal. To link cookies with identity, trackers typically gather names or email hashes via web registration forms. "But in this instance, these trackers don't need that, as users are already logged into the Facebook or Instagram app," Vallina-Rodríguez notes. "Thus, by connecting with the local port of your mobile, they can bypass all browser privacy controls, even incognito mode, and associate your cookies with your real identity," he adds.
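The following is an added example, not code from the researchers or from this article: one way a site owner or auditor could spot the kind of connection Acar noticed, by scanning a browser network capture (HAR 1.2 layout) for requests aimed at the device itself. The capture, hostnames and ports are constructed, and the check covers only HTTP(S) and WebSocket requests that appear in such a capture.

```javascript
// Decide whether a hostname points back at the device itself.
// "0.0.0.0" is included as an assumption: some platforms route it to the local host.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '::1' || h === '0.0.0.0') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127; // the whole 127.0.0.0/8 block
}

// Walk a HAR capture and report every request a page sent to a loopback address.
function findLoopbackRequests(har) {
  const pages = new Map((har.log.pages || []).map((p) => [p.id, p.title]));
  const findings = [];
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // malformed URL in the capture
    }
    if (!['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol)) continue;
    if (!isLoopbackHost(url.hostname)) continue;
    const secure = ['https:', 'wss:'].includes(url.protocol);
    findings.push({
      page: pages.get(entry.pageref) || '(unknown page)',
      target: `${url.protocol}//${url.host}`,
      port: url.port || (secure ? '443' : '80'),
    });
  }
  return findings;
}

// Constructed sample capture: one page, ordinary requests plus three loopback ones.
const SAMPLE_HAR = { log: {
  pages: [{ id: 'page_1', title: 'https://shop.example/product' }],
  entries: [
    { pageref: 'page_1', request: { url: 'https://shop.example/product' } },
    { pageref: 'page_1', request: { url: 'https://tracker.example/pixel.js' } },
    { pageref: 'page_1', request: { url: 'http://localhost:12345/?id=abc' } },
    { pageref: 'page_1', request: { url: 'ws://127.0.0.1:23456/' } },
    { pageref: 'page_1', request: { url: 'http://[::1]:8080/ping' } },
    { pageref: 'page_1', request: { url: 'https://127.example.com/a' } }, // not loopback
  ],
} };

console.log(findLoopbackRequests(SAMPLE_HAR));
```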

The information encompasses not only visited pages but also numerous actions taken on them: "They scrutinize all your web activities: if you search for a product, add it to the cart, make a purchase, or register. There's a wealth of data. Essentially, each action gets sent to their server. It's far more than merely knowing you visited a webpage," Acar explains.
