gabestein.com: the newsletter!

June 17, 2025

You simply cannot trust these people (and should stop using their products)

It's scary that Facebook's latest privacy scandal has barely broken through

This is gabestein.com: the newsletter!, which is a completely irregular note primarily focused on the intersection of culture, media, politics, and technology written by me, vitalist technologist Gabriel Stein. Sometimes there’s random silly stuff. If you’re not yet a subscriber, you can sign up here. See the archives here, and polished blog versions of the best hits at, you guessed it, gabestein.com.


I know the last few weeks have been full of news, but I cannot for the life of me figure out why this scandal hasn’t broken through. Tell me if you’ve heard this one already:

Meta (which is Facebook/Instagram/WhatsApp) and Yandex (basically Russia’s Google) were recently caught using a feature of the Android operating system to systematically spy on users’ browser activity without their knowledge, consent, or ability to opt out. The method worked even in incognito mode, even if users cleared cookies, and did not show up on common developer tools, making it very difficult for security researchers to find. It allowed Meta/Yandex to track users’ activity on any website with a Meta/Yandex pixel installed (of which there are millions, including many of the most-visited sites in the world), even on third-party browsers, even if they were logged out of Meta/Yandex’s services on those browsers.

In other words, if you had the Facebook or Instagram app installed on an Android device in the last 6 months or so, a significant percentage of your web browsing data was likely collected and linked to your Facebook/Instagram account, whether or not you were logged into those services or using an Incognito window. So if you used an incognito window to visit, say, one of the tens of thousands of porn sites that use Facebook’s trackers, Meta likely knows about it and was able to link it to your personal Facebook or Instagram account.

Researchers reported the spying two full weeks ago (by which point Meta had “paused” the “feature”), but as far as I can tell, it’s barely been covered at all outside of cybersecurity trade press. I found out on LinkedIn! LinkedIn!

Yes, I know that we all assume that they’re doing stuff like this all the time, but this one is so audacious I’m kind of shocked they had the guts to do it. In fact, if it wasn’t so horribly abusive, I’d actually be impressed at how clever it was.

Basically, they secretly used their ad tracking pixel to send information over the device’s built-in local network stack from the browser app to the native Facebook and Instagram apps, which had been configured to listen for these specific local network pings. This allowed them to bypass Android’s normal security protections and user opt-out settings, which aren’t applied to local network requests. Not only that, they used WebRTC, a protocol normally meant for real-time applications like audio and video calls, and they sent the stolen browsing information by manually overwriting data normally used by the protocol to establish unique real-time connections. This made the traffic invisible to Chrome’s developer tools, which don’t include detailed information about these types of typically-automated requests.
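
For readers who want to see what checking for this pattern looks like, here is a sketch added to this post (it is not Meta's code or the researchers' tooling). It flags a WebRTC session whose connection-setup fields were rewritten by the page, or whose candidates point at the device itself; the function names, the choice of `ice-ufrag`/`ice-pwd` as the fields to compare, and all sample values are assumptions made for the example.

```javascript
// Audit one WebRTC session for the two signs described in the paragraph above.
// Every SDP line, address and port below is a constructed sample.
const ICE_FIELDS = ["ice-ufrag", "ice-pwd"]; // assumption: fields this sketch compares

// Values of every "a=<name>:<value>" line in an SDP blob.
function sdpValues(sdp, name) {
  const prefix = `a=${name}:`;
  return sdp.split(/\r?\n/)
    .filter((line) => line.startsWith(prefix))
    .map((line) => line.slice(prefix.length).trim());
}

// True for 127.0.0.0/8, ::1 and the name "localhost".
function isLoopback(host) {
  const h = host.toLowerCase();
  return h === "localhost" || h === "::1" || /^127(\.\d{1,3}){3}$/.test(h);
}

// ICE candidate layout: foundation component transport priority address port typ ...
function candidateHost(candidate) {
  const parts = candidate.replace(/^a=/, "").replace(/^candidate:/, "").trim().split(/\s+/);
  return parts.length >= 6 ? parts[4] : null;
}

// generatedSdp: what the browser produced; appliedSdp: what the page actually set.
function auditSession(generatedSdp, appliedSdp, remoteCandidates) {
  const findings = [];
  for (const field of ICE_FIELDS) {
    const before = sdpValues(generatedSdp, field).join(",");
    const after = sdpValues(appliedSdp, field).join(",");
    if (before !== after) findings.push(`${field} rewritten by page script`);
  }
  for (const cand of remoteCandidates) {
    const host = candidateHost(cand);
    if (host && isLoopback(host)) findings.push(`remote candidate targets loopback ${host}`);
  }
  return findings;
}

const GENERATED = ["v=0", "o=- 1 2 IN IP4 0.0.0.0", "s=-", "t=0 0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "a=ice-ufrag:Xq3p", "a=ice-pwd:constructedPassword0000000"].join("\r\n");
const APPLIED = GENERATED.replace("a=ice-ufrag:Xq3p", "a=ice-ufrag:constructedBrowserId01");
const CANDIDATES = ["candidate:1 1 udp 2122260223 127.0.0.1 40000 typ host",
  "candidate:2 1 udp 2122260223 192.0.2.10 40000 typ host"];

console.log(auditSession(GENERATED, APPLIED, CANDIDATES));
```

In practice the three inputs would come from an instrumented test browser that logs what a page passes to `setLocalDescription` and `addIceCandidate`, since this traffic does not show up in the usual network panel.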

Meta’s not even claiming to have made a mistake or been led astray by a rogue employee, because they can’t. The technique was too obviously and systematically designed to steal user data. Instead, their statement was: “we are in discussions with Google to address a potential miscommunication regarding the application of their policies.” Translated: “we did it because it was technically possible and we thought we’d get away with it.”

I know Facebook scandal fatigue set in around 2017. What’s different this time around is that we’re not even hearing much about it from the mainstream media, and Meta’s not even pretending to deny it. The only thing that seems to have stopped them this time is fear of running afoul of Google’s app store policies.

That’s scary, because it means that a company that has been abusing you almost from the beginning seems to no longer care about getting caught abusing you, and broad swathes of the media no longer seem to care to report it. So from now on, you should assume that if you use any of their services, anywhere, they are doing anything they technically can to spy on you, on every app on every device, no matter how abusive or illegal, no matter what you do to try to avoid it, and the only thing that will stop them is other big tech companies policing their abuse — if they get caught at all.

Really, you should stop using Meta’s services (and Yandex’s, but unless you’re Russian-speaking, you probably aren’t). I know it’s hard, but I promise you’ll be fine. I’ve been off Facebook and Instagram for a long time now and let me tell you I still have lots of friends, as evidenced by how much more time I have to blog to nobody.
