Meta and Yandex’s Magic Trick: “Now You See Your Privacy, Now You Don’t”

In this article, technology and data lawyers Josh Day and Jack Edwards explore how social media giant Meta, and search engine company Yandex, have been accused of covertly tracking Android users through their apps, the legal implications, and what this means for future data privacy enforcement.

Spoiler alert: incognito mode doesn’t mean invisible

Recent investigations by experts at IMDEA Networks, Radboud University and KU Leuven have uncovered that Meta and Yandex have been secretly tracking Android users' web activity by exploiting embedded JavaScript libraries - such as Meta Pixel, a tracking script present on approximately 5.8 million websites.

These scripts enabled the collection of detailed browsing data which were then linked to an individual via their apps, bypassing standard privacy protections. If you enjoy horror stories told in JavaScript, the full technical exposé is available here.

A blatant violation of security and privacy principles

By abusing Android’s ability to communicate across apps, Meta and Yandex were able to receive browser metadata, cookies, and commands from tracking scripts embedded on thousands of websites via their apps such as Facebook, Instagram, and Yandex Maps.

This method enabled Meta and Yandex to track users even when they were in incognito mode or using VPNs, effectively de-anonymising them and invalidating the privacy controls that users rely on.

Google, which owns the Android operating system, confirmed that the companies had used Android’s capabilities “in unintended ways that blatantly violate [their] security and privacy principles”. That's Big Tech speak for “Whoops. Absolutely not what we meant that API to do...”

A “miscommunication regarding the application of policies”? Nice try Zucker…

Following the exposure of these tracking techniques, Meta has announced that it has paused the feature while working with Google to resolve the issue. Yandex, on the other hand, has denied collecting sensitive information, stating that the feature was intended to improve personalisation within its apps (it has, however, now stopped this practice altogether).

What about other tech giants?

Google has since implemented changes to mitigate these invasive techniques and has launched its own investigation. Browser vendors such as Firefox and DuckDuckGo have confirmed that internal engineers have taken steps to block any potential future covert tracking, and Brave has been blocking the activity since at least 2022.

SIDE NOTE:

It’s worth noting that although the same technique could theoretically work on iOS (which also permits localhost communication), Apple’s tighter app sandboxing makes it significantly harder to pull off. There’s currently no evidence it was used there.

Legal and Regulatory implications

This incident raises significant concerns regarding data protection and compliance with privacy laws, particularly under the UK’s Data Protection Act 2018 and the EU’s General Data Protection Regulation (“GDPR”).

The unauthorised collection of user data without consent could lead to (even more) regulatory scrutiny and potential legal consequences for Meta. It’s not a great look for Yandex either.

Given the increasing focus on privacy in an ever-changing digital landscape, these accusations highlight a need for stronger enforcement mechanisms and transparency in data collection practices.

Ensuring that data is collected and processed in a lawful manner, alongside having robust and transparent data policies, must be at the top of the agenda for organisations looking to leverage data. Users, for their part, must remain vigilant and take proactive steps to safeguard their online privacy.

For more information on technology and data-related matters, please get in touch with the authors of this article, Josh Day and Jack Edwards, or another member of our technology and data team.


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
