The covert method Meta uses to track mobile browsing without consent — even in incognito mode or with a VPN

A group of researchers has uncovered a system that Instagram and Facebook have been using since September 2024 to collect users’ web browsing history on Android devices

Mark Zuckerberg
Jordi Pérez Colomé

Online privacy and tracking professor Günes Acar, from Radboud University in the Netherlands, wanted to have some fun with his master’s students, so he started looking for an unusual example of tracking on his university’s website: “I knew the page had several trackers, including Facebook’s. But suddenly I saw a connection to a local port — in other words, to my own computer. At first, I didn’t understand anything.”

Acar began searching online to see if anyone else had noticed the same thing. He found some Facebook developer forums where others were complaining about it. “But Facebook didn’t respond, and then someone added: ‘I don’t see it anymore.’ But it wasn’t that Facebook had stopped — they had just switched to an even more hidden method,” Acar says.

Acar discussed the case with Narseo Vallina-Rodríguez, a researcher at Imdea Networks and a specialist in mobile app security and privacy. “How the hell…,” was his first reaction. Could Meta be trying something new to bypass browser privacy permissions?

Reading the code alone was not enough to tell. They had to test the connections between websites and Facebook and Instagram, Meta’s apps, to see what was actually happening: Meta was linking information from its apps with each user’s web browsing, even in incognito mode or when using a VPN (software that hides the user’s internet connection). The technical details are explained on a dedicated page created by the academics.

“What we saw is that the website communicates with the cell phone app to exchange information and identifiers,” says Vallina-Rodríguez. “That means it’s all part of a well-thought-out strategy to deanonymize web traffic from Android devices. And since this behavior only activates when the exact pieces of software are tested, both in the app and in the browser, it’s also much harder to detect.”

On Monday, Meta disabled the system, shortly after several global media outlets, including EL PAÍS, questioned the company about this dubious practice: “We are speaking with Google to clarify a potential misunderstanding about how its policies are applied. As soon as we learned of the concern, we decided to pause the feature while we work with Google to resolve the issue,” said a Meta spokesperson.

For its part, sources at Google confirm the seriousness of the case: “The developers mentioned in this report are unintentionally using functions present in many iOS and Android browsers, which blatantly violate our security and privacy principles. We have already implemented changes to mitigate these invasive techniques, launched our own investigation, and are in direct contact with the parties involved.”

Mozilla is also developing a solution to protect Firefox users on Android “from this new method of tracking.” “We consider these to be severe violations of our anti-tracking policies,” said a spokesperson from the Mozilla Foundation. “Researchers have found that native Android apps — including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, Search — appear to misuse app privileges in the Android platform together with malicious online scripts to track people online.”

“This time they went too far”

Google is already patching its Chrome browser so that Meta cannot exploit this loophole. The vulnerability also affects other browsers running on Android, such as Firefox, Edge, and DuckDuckGo (after the article was published, a spokesperson for DuckDuckGo stated that Meta’s trackers did not affect their browser, but they should have specifically blocked Yandex trackers). “We investigate various areas like this, but this time they really went too far,” says Acar. “It’s something that has really surprised people with a lot of experience in the privacy sector.”

Meta had been using this method since September 2024. Could it have something to do with the cookie changes that Google has been trying to implement for years?

“It’s possible they launched this new method as a reaction to new initiatives trying to limit third-party tracking in browsers, such as Google’s Privacy Sandbox, but that’s just a hypothesis,” says Vallina-Rodríguez.

In addition to Meta, the researchers also discovered that the Russian platform Yandex had been doing the same since 2017 without anyone noticing. Was Meta’s system an adaptation of what Yandex was already doing? It’s hard to say: “The first version of Meta’s communication system was very similar to Yandex’s, because both used connections to the local port — that is, to the user’s own device. Later, Meta switched to other protocols that are a bit harder to detect,” explains Vallina-Rodríguez.

For this system to work, the user had to be logged into their Instagram or Facebook app on their Android device. It also required the websites to have the so-called Meta Pixel, a small piece of code that enables tracking. That pixel is installed on about 20% of the most visited websites, including some sensitive ones like adult content sites. When a user visited a particular website, that pixel would generate a cookie, which was sent to Meta. With this method, that same pixel also opened a connection to the app on the phone, which linked the cookie to the user’s identity and sent it back to Meta’s servers.

On its own, that cookie didn’t allow tracking as the user moved between websites; tying it to the identity of the logged-in app is what makes this method so intrusive, novel, and potentially illegal. Normally, to link cookies to your identity, trackers collect your name or the hash of your email address through a registration form on websites where it’s provided.

“But in this case, these trackers don’t need to do that because users are already logged into the Facebook or Instagram app,” says Vallina-Rodríguez. “So, by making this connection to the local port of your own phone, they can bypass all browser privacy controls, including incognito mode, and link your cookies with your real identity.”
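As an added example, not code from the article, the researchers, or any of the companies named, here is the defensive side of the local-port pattern described above: a page-side guard that refuses to let web JavaScript open fetch or WebSocket connections to the device’s own loopback interface. It assumes a browser-like global object (window in a browser, a stub in the test below) and covers only those two APIs; the article notes that Meta later moved to other protocols, so browser-level blocking of the kind Google and Mozilla describe remains the real fix.

```javascript
// Added example (not from the article or the researchers): refuse web-origin
// connections to the device's loopback interface, where a native app could be
// listening. Defence in depth only; browser-level blocking is the real fix.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "0.0.0.0", "::1", "::"]);

// True if `url` (string or URL, possibly relative to `base`) points at localhost,
// 127.0.0.0/8, IPv6 ::1 or the unspecified address. Going through the WHATWG
// URL parser also normalises disguised forms such as "127.1" or "0x7f.0.0.1".
function isLoopbackTarget(url, base = "https://example.invalid/") {
  let parsed;
  try { parsed = new URL(String(url), base); } catch { return false; } // unparsable: leave to the platform
  const host = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, ""); // drop IPv6 brackets
  if (LOOPBACK_HOSTS.has(host) || host.endsWith(".localhost")) return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Wraps fetch() and WebSocket on `g` (window in a browser, a stub in a test).
// Loopback targets are refused and recorded; everything else passes through.
// Returns the list of refused attempts so monitoring code can report them.
function installLoopbackGuard(g) {
  const blocked = [];
  const base = g.location && g.location.href;
  if (typeof g.fetch === "function") {
    const origFetch = g.fetch;
    g.fetch = function (input, init) {
      const target = input instanceof URL ? input.href : (input && input.url) || input;
      if (isLoopbackTarget(target, base)) {
        blocked.push({ api: "fetch", target: String(target) });
        return Promise.reject(new TypeError("loopback fetch refused: " + target));
      }
      return origFetch.call(this, input, init);
    };
  }
  if (typeof g.WebSocket === "function") {
    const OrigWS = g.WebSocket;
    g.WebSocket = function GuardedWebSocket(url, protocols) {
      if (isLoopbackTarget(url, base)) {
        blocked.push({ api: "WebSocket", target: String(url) });
        throw new TypeError("loopback WebSocket refused: " + url);
      }
      return new OrigWS(url, protocols);
    };
    g.WebSocket.prototype = OrigWS.prototype; // keep instanceof checks working
  }
  return blocked;
}
```

In a browser, `installLoopbackGuard(window)` must run before any third-party script so that the wrapped APIs are the ones the pixel sees.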

The information doesn’t just include the pages visited, but many of our actions on them: “They look at everything you do on the website in detail: if you search for a product, if you add it to your shopping cart, if you make a purchase, or if you register. There’s a ton of data. Basically, every time you do something, they send it to their server. It’s much more than just knowing that you visited the website,” Acar explains.
