"Carlos E.R." <
robin_listas@es.invalid> wrote:
It is a very perverse method to steal user data, fooling regulators and
operating system designers. On Android phones only, if the Facebook or
Instagram app is installed and a session has been opened at some point
in time. Not clear about WhatsApp/Messenger.
<https://www.zeropartydata.es/p/localhost-tracking-explained-it-could>
Zero Party Data (EN version)
*“Localhost tracking” explained. It could cost Meta 32 billion.*
You just can't finish off Zuckerberg.
Jorge García Herrero
jun 10, 2025
What happened?
Meta devised an ingenious system (“localhost tracking”) that
bypassed Android’s sandbox protections to identify you while browsing on
your mobile phone — even if you used a VPN, the browser’s incognito
mode, and refused or deleted cookies in every session.
Next, we preview what may (and should) become the combined
sanctioning smackdown of the century, and then we explain — in simple
terms (because it’s complicated) — what Meta was doing.
*It smells like record fine spirit*
Meta faces simultaneous liability under the following regulations,
listed from least to most severe: GDPR, DSA, and DMA (I’m not even
including the ePrivacy Directive because it’s laughable).
GDPR, DMA, and DSA protect different legal interests, so the
penalties under each can be imposed cumulatively.
The combined theoretical maximum risk amounts to approximately €32
billion (4% + 6% + 10% of Meta’s global annual revenue, which
surpassed €164 billion in 2024).
Maximum fines have never before been applied simultaneously, but
some might say these scoundrels have earned it.
If you want to go straight to the breakdown of infractions and
penalties, click here.
... (continues on the link)
So, we're back to how WebRTC can be abused to identify you. While the
desktop web browsers let you disable WebRTC through settings, the
deliberately crippled mobile web browsers do not. Alas, even the
desktop web browsers are taking away the option to disable WebRTC, so
you need an add-on for them, too.
You can test by visiting:
https://webbrowsertools.com/test-webrtc-leak/
https://ipleak.net/ (look under "Your IP addresses - WebRTC detection")
IPleak will still show your WAN-side IP address since every endpoint in
a connection needs to know who is connecting to it if only to send back
an ACK after granting a connection. WebRTC, however, can divulge your
intranet IP addresses to, for example, map out your intranet.
While it is easy to install an add-on to desktop web browsers that
blocks the WebRTC API, you'll have to check if your choice of mobile web
browser has a similar add-on (assuming it even supports add-ons). Very
unlikely it will have a setting to disable the WebRTC API.
Be aware that disabling the WebRTC API can break some web sites.
Probably best on mobile platforms to use a task killer where Facebook,
Instagram, and other socially needy apps (e.g., WhatsApp) get unloaded
instead of left running in the background when you "exit" the app. Or,
you could wander into the OS app settings to each app to Stop them, and
repeat for each app, and each time you load the app. Android doesn't
unload apps when you exit them, but leaves them running in the background
until the OS decides that app's memory is needed for a newly loaded app.
This catches unaware lots of Windows and Linux users who expect a program
or app to exit and unload, not lurk in the background.
It's one reason why I use web browsers on Android that can actually
exit. Both Firefox and Edge have options to exit ... AND unload. Else,
if, for example, you configured them to purge all locally cached data on
their exit, well, they have not actually exited until you choose their
Quit option to really unload them. When left running in the background,
they have not exited, so purge-on-exit options don't get exercised. The
same reason I don't allow desktop web browsers to continue running
background processes when you supposedly exit them. Or Edge's
performance startup option of preloading and leaving loaded some
msedge.exe processes on exit, which only helps on really slow hosts when
next loading the web browser. The vast majority of apps do NOT unload
when you close their window thinking you exited them, but you didn't.
Android sucks in pretending it is faster reloading apps by not unloading
them in the first place.
Even if using a VPN, WebRTC could still expose your IP addresses, so you
should test at a leak test site while using your VPN.
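
The leak-test pages mentioned above report the addresses carried in WebRTC ICE candidates. As an added example (not part of either post), this JavaScript classifies each candidate's address as private, mDNS-obfuscated or public, so you can check what your own browser exposes with and without a VPN; the function names and the sample candidate lines are constructed for illustration.

```javascript
// Added example (not from the original posts). ICE candidate line layout:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] } : null;
}
// Decide what kind of address a candidate exposes to the page.
function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return "mdns-obfuscated"; // browser hid the real host address
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (v4) {
    const o = v4.slice(1).map(Number);
    if (o[0] === 127) return "loopback";
    if (o[0] === 169 && o[1] === 254) return "link-local";
    const rfc1918 = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
                    (o[0] === 192 && o[1] === 168);
    return rfc1918 ? "private" : "public";
  }
  const v6 = addr.toLowerCase();
  if (!v6.includes(":")) return "unknown";
  if (v6 === "::1") return "loopback";
  if (/^f[cd]/.test(v6)) return "private";       // fc00::/7 unique local
  if (/^fe[89ab]/.test(v6)) return "link-local"; // fe80::/10
  return "public";
}
// Turn raw candidate lines into a report; lines that do not parse are skipped.
function leakReport(lines) {
  return lines.map(parseCandidate).filter(Boolean)
    .map((c) => ({ ...c, exposure: classifyAddress(c.address) }));
}
// Browser only: gather host candidates from your own session (no STUN server set).
function gatherOwnCandidates(timeoutMs = 2000) {
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection();
    const found = [];
    const finish = () => { pc.close(); resolve(leakReport(found)); };
    pc.onicecandidate = (e) => (e.candidate ? found.push(e.candidate.candidate) : finish());
    pc.createDataChannel("probe");
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(finish, timeoutMs);
  });
}

// Constructed sample lines (RFC 1918 and documentation addresses, not captured data).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e0a-9c55-1a2b3c4d5e6f.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0",
];
```

Any entry reported as "private" means the page could read an intranet address; "mdns-obfuscated" means the browser replaced it with a random .local name.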