---
slug: uninstall-facebook
title: "Uninstall Facebook"
date: "2025-06-07T18:08:27-04:00"
---
You should immediately remove the Facebook and Instagram apps from
your Android devices:

> We disclose a novel tracking method by Meta and Yandex potentially
> affecting billions of Android users. We found that native Android
> apps—including Facebook, Instagram, and several Yandex apps including
> Maps and Browser—silently listen on fixed local ports for tracking
> purposes.
>
> ...
>
> This web-to-app ID sharing method **bypasses typical privacy
> protections such as clearing cookies, Incognito Mode and Android's
> permission controls. Worse, it opens the door for potentially
> malicious apps eavesdropping on users’ web activity.** (emphasis mine)

[Source][local mess]

[Ars Technica][] also has [an excellent summary][].

In English: If you have the Facebook app or Instagram app installed on
your Android device, then Meta may have secretly collected your identity
and your browsing history.

This is true even if you don't have a Facebook account. It's true even
if you don't use the Facebook app. It's true even if you took steps to
hide your browsing history like clearing cookies or using a private
browser window.

On June 3rd, Meta claimed that the code responsible had "been almost
completely removed"; this is [weasel wording][] which actually means "the
code has not been removed".

Even if Meta actually did remove the code from their apps, there are
still several problems:

1. Meta has an [atrocious privacy record][]. It would be foolish to
   take Meta at their word, and they have a strong incentive to try
   this again or something similar in the future.
2. Removing code does not address the information Meta has already
   collected. This information could be leaked in a data breach or
   subpoenaed by law enforcement.
3. Malicious or [trojaned][] apps could listen on the same local ports
   and collect the same information. The [Local Mess][] researchers
   demonstrated this with a proof-of-concept app.

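
To audit a device for the behaviour described above (apps listening on local ports that a browser can reach), the sketch below parses a socket table in the Linux `/proc/net/tcp` layout and reports listeners owned by app UIDs. It is an added example, not code from this post or from the Local Mess researchers; the sample table is constructed, and port 50000 is a placeholder for whatever ports you want to watch.

```python
import ipaddress

FIRST_APP_UID = 10000  # Android gives each installed app its own UID from 10000 up
TCP_LISTEN = "0A"      # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
# Port 50000 (0xC350) is a placeholder, not one of the ports the researchers list.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10310        0 41002
   2: 0100007F:A1B2 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10150        0 41003
   3: 0100007F:14E9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41004
"""

def parse_listeners(table):
    """Return every TCP socket in LISTEN state as {ip, port, uid}."""
    sockets = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The address is a hex word in host byte order (little-endian on Android devices).
        ip = ipaddress.IPv4Address(int(ip_hex, 16).to_bytes(4, "little"))
        sockets.append({"ip": str(ip), "port": int(port_hex, 16), "uid": int(fields[7])})
    return sockets

def app_listeners(table, watch_ports=frozenset()):
    """Listeners owned by app UIDs that a browser on the same device can reach."""
    findings = []
    for sock in parse_listeners(table):
        addr = ipaddress.IPv4Address(sock["ip"])
        # Bound to 127.0.0.0/8 or to 0.0.0.0: both answer connections to localhost.
        reachable = addr.is_loopback or addr.is_unspecified
        if sock["uid"] >= FIRST_APP_UID and reachable:
            findings.append({**sock, "watched": sock["port"] in watch_ports})
    return findings

if __name__ == "__main__":
    for hit in app_listeners(SAMPLE, watch_ports={50000}):
        flag = "WATCHED PORT" if hit["watched"] else "review"
        print(f'uid {hit["uid"]} listens on {hit["ip"]}:{hit["port"]} [{flag}]')
```
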
Additional privacy recommendations:

1. Prefer web sites over apps. Many services use [deceptive patterns][]
   to trick you into using an app instead of a web site. They do this
   because an app can collect more information about you than a web site.
2. Remove unused and rarely used apps.
3. Stop using Google Search. I recommend [DuckDuckGo][].
4. [Stop using Google Chrome][ditch-chrome]. I recommend [Firefox][]
   with [uBlock Origin][] and some [configuration
   changes][firefox-privacy]. Some folks swear by [DuckDuckGo Browser][],
   but I haven't used it myself. See also: [The case for ditching
   Chrome][vox-chrome]. If you really do need Chrome or Edge, then at
   least install [uBlock Origin Lite][].
5. Switch from Microsoft Windows to [Linux][]. I recommend [Ubuntu][]
   for new users. I use [Debian][debian]. If you really do need
   Windows, then at least [disable Windows telemetry][].
6. Switch from text messaging and WhatsApp (owned by Meta) to [Signal][].
7. Set up [Pi-hole][] on your home network. It has an easy-to-use web
   interface and can help block ads and tracking on mobile devices and
   "smart" TVs.
8. Consider [Tor Browser][] or [Tails][] if you need more protection
   and are willing to accept some tradeoffs.

Further reading: [Surveillance Self-Defense][ssd]

[local mess]: https://localmess.github.io/
"Local Mess: Tracking method used by Facebook, Instagram, and Yandex Android apps which bypasses privacy protection."
[atrocious privacy record]: https://en.wikipedia.org/wiki/Privacy_concerns_with_Facebook
"Privacy concerns with Facebook (Wikipedia)"
[ars technica]: https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
"Ars Technica"
[an excellent summary]: https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
"Ars Technica: Meta and Yandex are de-anonymizing Android users’ web browsing identifiers"
[weasel wording]: https://en.wikipedia.org/wiki/Weasel_word
"Weasel word: Word or phrase aimed at creating an impression that something specific and meaningful has been said, when in fact only a vague, ambiguous, or irrelevant claim has been communicated (Wikipedia)"
[fingerprint]: https://www.amiunique.org/fingerprint
"fingerprint"
[trojaned]: https://en.wikipedia.org/wiki/Trojan_horse_(computing)
"Trojan horse (Wikipedia)"
[firefox]: https://www.mozilla.org/en-US/firefox/new/
"Mozilla Firefox web browser"
[ublock origin]: https://en.wikipedia.org/wiki/UBlock_Origin
"uBlock Origin ad-blocker"
[ditch-chrome]: {{< relref "posts/2023-12-02-firefox-redux.md" >}}#why-ditch-chrome
"Why Ditch Chrome?"
[brave]: https://en.wikipedia.org/wiki/Brave_(web_browser)
"Brave web browser"
[duckduckgo browser]: https://duckduckgo.com/app/
"DuckDuckGo web browser"
[firefox-privacy]: https://cyberinsider.com/firefox-privacy/
"Firefox Privacy Checklist"
[duckduckgo]: https://duckduckgo.com/
"DuckDuckGo search engine"
[tor browser]: https://www.torproject.org/download/
"Tor Browser"
[tor network]: https://www.torproject.org/
"Tor network"
[linux]: https://en.wikipedia.org/wiki/Linux
"Linux operating system"
[debian]: https://debian.org/
"Debian Linux"
[ubuntu]: https://ubuntu.com/
"Ubuntu Linux"
[disable windows telemetry]: https://windowsreport.com/disable-windows-11-telemetry/
"Disable Windows 11 telemetry"
[pi-hole]: https://en.wikipedia.org/wiki/Pi-hole
"Pi-hole"
[raspberry pi]: https://en.wikipedia.org/wiki/Raspberry_Pi
"Small single-board computer."
[signal]: https://signal.org/
"Signal secure messenger"
[ssd]: https://ssd.eff.org/
"Surveillance Self-Defense"
[tails]: https://tails.net/
"Tails: portable operating system that protects against surveillance and censorship"
[vox-chrome]: https://www.vox.com/technology/387375/google-chrome-antitrust-privacy-android
"The case for ditching Chrome (vox.com)"
[ublock origin lite]: https://en.wikipedia.org/wiki/UBlock_Origin#uBlock_Origin_Lite
"Manifest V3 version of uBlock Origin for Google Chrome, Microsoft Edge, and other Chromium-based browsers."
[deceptive patterns]: https://www.deceptive.design/types
"Types of deceptive patterns"