While it’s not a surprise when Meta/Facebook is found to be a little “loose” with users’ privacy and data, a discovery early last month represented a new low for violating users expectations and their explicit attempts to preserve their privacy.
Meta is in “good” company with this clever trick, though. Another website that was discovered using a similar trick to violate users’ privacy was the Russian search provider Yandex.

The Technical Details

First, while I’m no fan of Meta (and all their properties) for a lot of reasons, credit where credit is due: this trick is a clever way to disregard users’ wishes for privacy. And Meta knows that this technique disregards those wishes.
Here is how this worked (greatly simplified):

• When an Android user opens and signs into the Facebook or Instagram app, the app creates a service that runs in the background that listens in on specific ports on the Android device.
• When a user visits a site that has the Meta Pixel embedded on it, a cookie (_fbp_cookie) is sent to the Facebook/Instagram app’s running background service.
• The Meta Pixel also sends the value of that cookie to a specific address on the Facebook website. This cookie also contains other information about the user’s visit (page URL, browser metadata, event type, etc.).
• The Facebook or Instagram app also receives the cookie, which links a specific Facebook or Instagram user to a specific web visit or action.

A more detailed look into the technical specifications of this can be found here: Covert Web-to-App Tracking via Localhost on Android.

While it is known that this targeted Android users, it is unknown if it impacted iOS. According to the discovery website, no evidence of this abuse was found in iOS, but it may have been technically possible.

The Illusion of a First-Party Cookie

The _fbp_cookie was identified in Meta’s own docs as a “first-party cookie”. The implication of a first-party cookie is that the cookie is both set and read by the same site. This prevents website A from known about a user’s visit to (or actions on) site B. Blocking cross-site tracking is one of the more important privacy advances from the past few years.

However, by tracking user’s activity on non-Meta-owned properties, the _fbp_cookie was clearly not functioning as a first-party cookie. It is instead working as a third-party cookie, which were commonly used to track users across the internet, until most major browsers began to block third-party cookies – either as an option or by default.

However, the way that theMeta Pixel functionality was implemented means that it avoid the restrictions commonly placed on first-party cookies. It can (and did) track users across websites that have the Meta Pixel, regardless of that user’s preferences.

Indeed, behavior allowed Meta to track Android users even if they are not logged-in to the Facebook or Instagram sites in their mobile browser, use incognito mode, clear cookies and other browsing data. It could also disregard a users cookie preference if the Meta Pixel is loaded before the cookie consent form appears.

Meta’s “Damage Control” Response

Maybe the clearest proof that Meta is aware of just how scummy this behavior is – the day the Covert Web-to-App Tracking via Localhost on Android discover was posted, Meta discontinued the behavior essentially immediately. No posts mentioning why this behavior was occurring, or why it was discontinued, just trying to sweep it under the rug as discreetly and quietly as possible.

It’s the behaviors like this that make it hard for me to consider Meta a legitimate company. More and more it seems to act like some sort of scammy app or service that simply exists to siphon as much of your information before you discover its behavior and uninstall it.

This is also why I always push back when people think apps like Facebook are “always listening” to them. They simply have such “good” ways to intercept your data without needing to resort to something as obvious as listening that it makes little sense for them to do something so obvious.