An international team of researchers has discovered that Facebook and Instagram managed to spy on the browsing history of Android users for months. Both Meta apps managed to capture a list of all the websites you visit. This history was then linked to your social network account. This is a blatant violation of privacy, especially since the collection occurred even if the user activated their browser's incognito mode.
How did Meta spy on your browsing history on Android?
The process relied on Meta Pixel, an analytics tool for advertisers that allows user actions to be tracked on a website after an ad has been displayed on Facebook or Instagram. If you visited a brand's website to compare laptops, you'd then see ads related to that brand appear in your news feeds.
The researchers discovered that Meta's apps remain active in the background to monitor certain local connections on the smartphone. Specifically, the apps were exploiting an Android feature intended for file sharing. It allows an app to run a small local server on the phone. Thanks to the Meta Pixel integrated on millions of websites, scripts were loaded into the user's browser and sent information, such as cookies, metadata, or personal data, to Meta's apps via this local server.
This mechanism made it possible to retrieve data from other smartphone apps and associate them with an Instagram or Facebook account. In other words, Meta kept track of the sites you visited on your browser, even if your Facebook or Instagram account wasn't open in it. The process, which violates Android rules, allowed Meta to display more targeted ads on its platforms.
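The channel described above is visible from the defender's side as web pages making requests to the phone's own loopback address. As an added example (not code from the researchers or from Meta), this Python sketch scans a HAR capture of browser traffic and flags requests that a non-local page sends to localhost or a loopback IP. The sample capture, its hosts and its ports are constructed, and the page URL is assumed to be stored in each HAR page's title field.

```python
import ipaddress
from urllib.parse import urlsplit

def is_loopback_host(host):
    """True if the host names the device itself: localhost or a loopback IP."""
    if not host:
        return False
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # an ordinary DNS name
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before the loopback check.
    return (getattr(addr, "ipv4_mapped", None) or addr).is_loopback

def find_loopback_requests(har):
    """Return (page_url, request_url) for each loopback request made by a non-local page."""
    # Assumption: each page's "title" holds its URL, as in the sample below.
    pages = {p["id"]: p.get("title", "") for p in har["log"].get("pages", [])}
    findings = []
    for entry in har["log"].get("entries", []):
        url = entry["request"]["url"]
        page_url = pages.get(entry.get("pageref"), "")
        # A local development page talking to its own local server is expected.
        if is_loopback_host(urlsplit(page_url).hostname):
            continue
        if is_loopback_host(urlsplit(url).hostname):
            findings.append((page_url, url))
    return findings

# Constructed sample capture; hosts, ports and paths are invented for illustration.
SAMPLE_HAR = {"log": {
    "pages": [{"id": "p1", "title": "https://shop.example/laptops"},
              {"id": "p2", "title": "http://localhost:3000/"}],
    "entries": [
        {"pageref": "p1", "request": {"url": "https://shop.example/app.js"}},
        {"pageref": "p1", "request": {"url": "https://tracker.example/pixel.js"}},
        {"pageref": "p1", "request": {"url": "http://127.0.0.1:9999/collect?c=abc"}},
        {"pageref": "p1", "request": {"url": "wss://localhost:9998/"}},
        {"pageref": "p1", "request": {"url": "http://[::1]:9997/x"}},
        {"pageref": "p2", "request": {"url": "http://localhost:3000/api"}},
    ]}}

if __name__ == "__main__":
    for page, url in find_loopback_requests(SAMPLE_HAR):
        print(f"{page} -> {url}")
```
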
Meta never communicated about this process, "neither to users nor to website owners with such a tracking program", regrets researcher Gunes Acar, who participated in the study. The researcher adds that "this happens in common browsers, but also in incognito mode or in apps that open a web page via an embedded browser". Meta could also retrieve all the data provided to a site through a form.
The researchers specify that only Facebook and Instagram are able to retrieve data from sites equipped with a Meta Pixel. In short, WhatsApp is not affected, and Meta cannot access data provided in a banking application, for example.
Google calls it a "flagrant violation"
The researchers' revelation angered Google. Indeed, Meta circumvents Android's privacy permissions by retrieving data from other applications. The Mountain View giant considers this to be "a blatant violation of our security and privacy policy". Google quickly deployed an update to Chrome to prevent this type of practice in the future. In theory, Meta risked seeing its apps ejected from the Play Store for violating Google's rules.
With its back to the wall, Meta ended up removing the code that caused the data exfiltration. Meta Pixel no longer communicates at all with the user's phone. The social media giant is claiming a "misunderstanding in the application of Google's policy." It took the researchers publicly revealing the results of their investigation, and Google banging its fist on the table, for Meta to correct the situation.
Note that Meta isn't the only entity to have used this method to spy on browsing history on Android. Yandex, the Russian search giant, had been relying on a similar method for over eight years. The company used Yandex Pixel to achieve its goals. Like Meta, the "Russian Google" has "decided to abandon the feature."
Source: GitHub