If you visited adult sites on your Android device via incognito browsing sessions or a VPN while also logged into Facebook and Instagram, Meta might know about it. Not only that, Meta might know what you watched, what you clicked, and what you bought.
Regardless of what you were doing on your device, if you did it on an Android phone while logged into Meta’s social networks, Meta was likely tracking it.
What will Meta do with all that extra data it collects about you? It’ll use the data to serve personalized ads that match your most recent interests.
The method Meta used is incredibly abusive, as the company did it without obtaining consent from the user. Instead, Meta used Android browsers to link browsing history to Facebook and Instagram profiles. Even Google, which has its own history of tracking users without consent, called the procedure a “blatant violation” of its security principles.
Meta stopped the tracking this week, but even if it were to continue, Google is already patching Chrome. I wouldn’t be surprised to see regulators investigate Meta’s behavior next, especially in jurisdictions like the EU, which have stronger privacy protections for users.
Meta’s abuse was discovered accidentally by Professor Güneş Acar from Radboud University in the Netherlands (here’s his research). He observed an unexpected connection between a page containing trackers, including Facebook, and his computer.
After a while, Acar realized that Facebook had hidden its tracking method so that it would be more difficult to spot. Meta found a way to link the Meta Pixel tracker that’s present on around 20% of the most popular websites, including those featuring adult content, to the Facebook and Instagram apps installed on an Android phone.
Normally, the Meta Pixel tracker would send information to Meta. But Meta found a way to connect Meta Pixel to the cell phone app. This linked the web traffic it recorded to the user’s identity, as registered in Facebook and Instagram.
This allowed Meta to collect browsing information from someone’s session without asking for consent. The method also bypassed the privacy protections you might have enabled on your Android phone, like incognito mode or a VPN. These are means to anonymize internet traffic and prevent anyone from tracking you. We’ve known for quite a while that incognito mode isn’t truly anonymous, but VPN protections can offer stronger privacy.
The method Meta devised ignores these protections, allowing Meta to capture all your actions on a web page and link them to your Facebook and Instagram profiles. Meta would know what products you looked at and what you bought. In turn, this will let it serve more personalized ads based on these recent activities.
Google had a stark response when asked about the new security research, providing El País with the following statement:
The developers mentioned in this report are unintentionally using functions present in many iOS and Android browsers, which blatantly violate our security and privacy principles. We have already implemented changes to mitigate these invasive techniques, launched our own investigation, and are in direct contact with the parties involved.
These remarks are especially notable considering where they’re coming from. Google recently settled a user tracking lawsuit for nearly $1.4 billion. It knows a thing or two about tracking users without consent.
Meta didn’t exactly claim responsibility. It’s referring to the incident as “an issue” that it’s working with Google to resolve. Here’s Meta’s statement on the matter:
We are speaking with Google to clarify a potential misunderstanding about how its policies are applied. As soon as we learned of the concern, we decided to pause the feature while we work with Google to resolve the issue.
Meta didn’t explain why it’s been tracking web browsing without consent. One possibility is that Google’s initiative to limit third-party tracking in browsers, which has been abandoned, motivated Meta to find other ways to track users.
Even if Meta decides not to discontinue this sort of tracking, Google is patching Chrome. Similarly, Mozilla is developing a fix to prevent such tracking. Separately, DuckDuckGo said Meta’s trackers did not affect its users.
But Meta isn’t alone in using such shady tactics. Russian company Yandex employed similar tools to track users online. Meta has only been taking this approach since September 2024, while Yandex started doing it in 2017.
Meta did protest Apple vehemently when the latter introduced strong privacy protections on the iPhone. Those features, which help users prevent tracking on apps like Facebook and Instagram, cost Meta billions in lost advertising as soon as Apple introduced them.
More recently, Meta asked Apple for unprecedented access to iPhone data under the Digital Markets Act (DMA) law in Europe. Apple has already raised alarms about Meta’s intentions:
As we strive to comply with the DMA, we carefully review each interoperability request we receive. As an example of our concerns, Meta has made 15 requests (and counting) for potentially far-reaching access to Apple’s technology stack that, if granted as sought, would reduce the protections around personal data that our users have come to expect from their devices.
If Apple were to have to grant all of these requests, Facebook, Instagram, and WhatsApp could enable Meta to read on a user’s device all of their messages and emails, see every phone call they make or receive, track every app that they use, scan all of their photos, look at their files and calendar events, log all of their passwords, and more. This is data that Apple itself has chosen not to access to provide the strongest possible protection to users.
You’ll find El País’ coverage at this link. Also, this website explains in great detail how Meta might have tracked your web browsing on Android.