Meta Busted Spying on Android Users In Extremely Creepy New Way, Then Lies About It
from the absolutely-zero-ethical-standards dept
Ah, the daily joys of living in a country that’s literally too corrupt to pass even a baseline privacy law for the internet era.
Meta has once again been busted playing fast and loose with consumer privacy. Security researchers last week discovered that Meta and Russia’s Yandex have been embedding tracking code into millions of websites in a way that de-anonymizes visitors and abuses internet protocols, allowing them to spy on the internet behavior and browsing habits of any Android device with Meta and Yandex apps installed.
The changes have allowed both companies to link mobile browsing sessions and web cookies to user identities, de-anonymizing users who visit sites embedding their scripts. The sneaky modifications bypass anything vaguely resembling consumer consent, as well as standard privacy protections such as clearing cookies, Incognito Mode or Android’s permission controls.
This is, the researchers were quick to note, a profound attack on consumer trust:
“One of the fundamental security principles that exists in the web, as well as the mobile system, is called sandboxing,” Narseo Vallina-Rodriguez, one of the researchers behind the discovery, said in an interview. “You run everything in a sandbox, and there is no interaction within different elements running on it. What this attack vector allows is to break the sandbox that exists between the mobile context and the web context. The channel that exists allowed the Android system to communicate what happens in the browser with the identity running in the mobile app.”
In a statement, Meta tries to bullshit its way around the obvious privacy abuses, pretending this was all some sort of “miscommunication” between itself and Google:
“We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”
Google, for its part, was very clear in statements that Meta and Yandex were “blatantly violating our security and privacy principles,” as well as the terms of service for its Play marketplace. U.S. user privacy abuses on mobile devices are rampant in the data broker era, but this takes things even further.
Meta appears to have recognized the severity of the accusations and stopped doing it, for now.
This is, again, the kind of reckless hubris you get in a country that has very clearly decided to place making money over any sort of basic consumer privacy standards. Since there’s really zero corporate or executive accountability for these kinds of behaviors (worse now that Trump-stocked courts are mindlessly defanging consumer protection and regulatory independence), this sort of thing is only going to get worse, culminating in new, even worse privacy scandals that make past concerns seem quaint.
Filed Under: android, browsing data, consumers, mark zuckerberg, privacy, security
Companies: google, meta, yandex


Comments on “Meta Busted Spying on Android Users In Extremely Creepy New Way, Then Lies About It”
More reasons to despise sites steering users to use app instead of browsers
I don’t need an app for every website I visit and I have tons of apps on my homescreen. Now websites want us to use glorified spyware.
Re:
Use of “mobile apps” (or JS) is far more risky than most people are informed.
Re:
That’s a good point, but keep in mind that Google makes the most popular browser. When they’re not condemning privacy invasions by others, they’re trying hard to do such things themselves (see “Manifest V3”). Even Linux-distro builds of the open-source Chromium have occasionally been found to be communicating with Google without authorization (that is, when people are neither accessing Google sites nor sites that pull in Google resources themselves).
There’s just too much complexity for anyone to catch all this stuff, and it’s the browser makers adding this complexity. This isn’t even the first time WebRTC has been implicated in a privacy invasion; a very similar thing happened in January 2015. Actually, it looks like almost exactly the same “unfixable” flaw described there (the suggested “fix” being to disable WebRTC entirely, via one of several methods).
Thank God I decided to delete my Facebook account and get rid of the app when they first started going in a rightwards direction.
Re:
Assuming you then actually went ahead with asking Facebook to delete it, you’d better check with God whether the associated data is actually gone. Those of us who are not omniscient simply have to take Facebook’s word for it, which is… not convincing.
Re: Re:
Whether or not Facebook did delete all of AC’s data as they should, the fact that the app is (presumably) disabled on AC’s device should be enough to prevent Facebook being its usual creepy self in regard to them.
Re: Re: Re:
That the world “should” work that way is a fine opinion that, unfortunately, does not match reality. Removing the app will prevent the specific privacy invasion that this story is about, and various others, but some residual “creepiness” will always remain.
There are other ways to invade privacy, and Facebook seem to be the world’s foremost experts on finding them. Much has been written about the “like” buttons found online, and how they can be used to track people—by IP address and cookies, by Facebook account identifier if people are logged in on the same browser instance, and based on the information entered into web forms (they were receiving medical data this way).
In relation to the aforementioned story, the journalists apparently didn’t investigate whether Facebook was linking data to non-logged-in accounts, building “shadow” profiles or using “deleted” data, or other such “creepy” possibilities. But, come on, it’s fucking Facebook. Feel good about deleting the app and (maybe) deleting the account, but don’t assume you’ve completely escaped them.
Re: Re: Re:2
How to tell when someone has a losing argument? They double down on it just like you did.
Re: Re: Re:2
If you want to argue AC didn’t delete all cookies associated with Facebook, you’re going to need to show evidence of that.
They’ll be forced to spy on you soon thanks to this anyway: https://www.eff.org/deeplinks/2025/06/oppose-stop-csam-protecting-kids-shouldnt-mean-breaking-tools-keep-us-safe
Re:
46% chance of passing, by the way.
That’s a largely meaningless statement, and I don’t see the point of quoting it. This is Meta, also called Facebook, as in “fool me 860 times, shame on you, fool me 861 times…”. They don’t care about anyone else’s “principles” or “privacy expectations”.
The more relevant statement is that Google considers Meta to have violated Google’s terms of service. Not “blatantly”, I guess, and with nobody saying which term Google believe Meta violated—and Meta believe they didn’t—it’s hard to draw meaningful conclusions.
Does the policy of “a country” (presumably, the U.S.A.) even really matter here? There are foreign countries, such as those in Europe, that do have applicable laws—that were either violated or not, and we’ll see whether Meta gets meaningfully punished there. And what about Google? There’s no apparent accountability from their end, either, despite talk of it being a “blatant” violation of… “principles”, if not policies. They didn’t do anything to find the problem, didn’t technologically prevent such things (but claim they will now), and could punish Meta but apparently choose not to.
… That’s Spyware. Meta created Spyware that logs your activity in the browser. Were they key logging as well?
Where's the lie?
The headline claims they lied, but the closest thing to lying I see is an accusation of “bullshitting” (which is not the same thing). Did Meta make a statement that was untrue, that they should have known was untrue? Despite words like “clear” and “blatant”, I have yet to see anyone post the text of a policy that Meta was clearly and blatantly violating.
The lack of anyone quoting such a policy makes me think there probably wasn’t one; or, at best, that some vague and subjective catch-all might apply.
Re:
Oh go fuck off.
I gave up on Meta and deleted my account when FB wouldn’t stop shoving confederate sisterfuckers in my face.
'How dare you force us to issue an empty statement for you!'
Google, for its part, was very clear in statements that Meta and Yandex were “blatantly violating our security and privacy principles,” as well as the terms of service for its Play marketplace.
Which means Google imposed some sort of penalty and made clear that blatant violations of their TOS won’t be allowed even by major apps/companies, right?
Right?
Re:
Karl seems to have misrepresented that. According to the Ars article, Google claimed “The developers in this report are using capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles” (whatever those are; it’s unclear whether the quoted person is referencing principles that are publicly documented). And the preceding paragraph had said “A representative for Google said the behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users”—note the lack of this being called “blatant”.
Actually, I’m starting to wonder whether Ars also misrepresented it; they never quote anyone saying it violates the Google terms of service. If it doesn’t, that would be an obvious explanation for the lack of punishment. Note also that Google had claimed to have “opened [their] own investigation”, which suggests that maybe the claim of violation was subjective or subtle; if so, the investigation might recommend punishment, or might find that the terms of service don’t prohibit what Meta did and should be updated to do so.
Re: Re:
The TOS forbids the transfer of data from an app unless it is initiated by the user which means that if an app silently transfers data from another app it can’t be anything but a blatant violation.
And the quote about blatant violation comes from Google which is obvious from the context it is placed in.
Re: Re: Re:
That doesn’t apply here, because this is an app and a web site communicating; the site wouldn’t be subject to the app store terms of service.
If you’ve described the terms accurately, then the app transferring data (such as device identifiers) to the web site would still be a violation. But, again, this is Facebook; if there’s a loophole, they’ll find it, and if not, they’ll do whatever they want anyway, and probably get away with it (but maybe, in several years, you’ll get a $5 credit from some class action lawsuit).
“I am not now, nor have I ever been, a member of Facebook.”
The company has been far too obviously evil, from its early days. It wants to mediate all personal relationships. I can’t understand why people who understand this still use it.
Re:
A relative of mine understands there’s been a lot of criticism, but claims to have configured their privacy settings pretty tightly. So, I guess part of the answer is that Facebook manages to convince people they have more control than they actually do.
“Ah shit, we’ve been caught again, what do we do? You, yes you, Sycophant 23.”
“Um, we bring Markdroid 14 Apologising Android, program it with extra sincerity and promises, online and send it to Washington when required?”
“Good, that will sort things out for now. Here have a small bonus.”
“Thank you Dark Lord.”