[HN Gopher] "Localhost tracking" explained. It could cost Meta E...
___________________________________________________________________
"Localhost tracking" explained. It could cost Meta EUR32B
Author : donohoe
Score : 350 points
Date : 2025-06-10 11:29 UTC (11 hours ago)
(HTM) web link (www.zeropartydata.es)
(TXT) w3m dump (www.zeropartydata.es)
| ajsnigrutin wrote:
| My prediction, facebook gets fined something like ~12 million
| euros, eu bureaucrats shake their hands, facebook finds a
| different way to do the same thing.
|
| Definitely not even close to 32B
| ceejayoz wrote:
| The EU doesn't play around in this realm.
|
| 1.2 billion fine for an earlier incident:
| https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fi...
| ryukoposting wrote:
| 1.2B is less than 1% of Meta's revenue in FY2024. Maximum
| fines for infractions like these should exist on a sliding
| scale, as some percentage of prior revenue.
| gloxkiqcza wrote:
| The point was it's two orders of magnitude more than the
| original comment stated. Also 1% of yearly revenue is not
| insignificant.
| birn559 wrote:
| Something that you can sensibly express as a fraction of
| the revenue of Meta is significant though.
|
| It must be low enough that Meta never seriously considers
| to pull out of Europe.
| ajsnigrutin wrote:
| > It must be low enough that Meta never seriously
| considers to pull out of Europe.
|
| Why? Threatening is one thing, actually leaving one of
| the largest markets is something different. Also, not
| much of value would be lost.
|
| > Something that you can sensibly express as a fraction
| of the revenue of Meta is significant though.
|
| Also, if the percentage is low, it just becomes the "cost
| of doing business" and not a fine that would actually
| make them rethink and not do stuff like that again.
| okanat wrote:
| Why do you think Zuck became a wannabe fascho out of
| nowhere? DMA and GDPR fines will hurt Meta a lot when
| they are due. Zuck is trying to leverage Trump and the
| war to nullify the fines.
| brookst wrote:
| Probably best indexed to profit rather than revenue. 10% of
| revenue would be one quarter's profit for Meta, but more
| than a year's profit for Amazon and about 9 years of profit
| for Otto. Higher margins / profits should mean higher
| fines.
| disgruntledphd2 wrote:
| The laws specify revenue, to avoid transfer pricing
| removing all fineable profits. Live by the sword, die by
| the sword I guess.
| rsynnott wrote:
| They actually do; max GDPR penalty is 4% global revenue,
| say.
|
| Of course the concern would be that even at that rate some
| companies might see it as a cost of doing business.
| Ray20 wrote:
| >The EU doesn't play around in this realm.
|
| Aren't they? In the EU you can go to real prison for downloading
| pirated content. But when Meta downloaded ALL the pirated books
| on the Internet - Meta has suffered zero liability in the EU.
| I guess because Zuc gives money to transgenders or something.
| The EU legal system is a joke.
| bendigedig wrote:
| > Meta has suffered zero liability in the EU. I guess
| because Zuc gives money to transgenders or something.
|
| I'm sorry, but are you a real person?
| ricardbejarano wrote:
| This is equal parts ingenious and dishonest.
| Waterluvian wrote:
| Every story like this has me thinking about two things:
|
| 1. Companies have no soul. They are, by design, just chasing
| revenue. Everything else is just a risk to be factored.
|
| 2. There are real humans at these companies who choose to take
| part in the business and design and engineering, etc.
|
| I don't think these humans have no soul (though some won't), and
| I don't think they're stupid (though some are). I think it's just
| very, very easy to create a system of people collectively doing
| evil things where no one person carries the burden of evil
| individually enough to really feel sick enough with what they're
| contributing to.
| jameskilton wrote:
| Never underestimate the evil a human can perpetuate in the name
| of a paycheck.
| bsenftner wrote:
| If that paycheck comes from religion, that salaryman will
| willfully incorporate evil into their everyday behavior,
| thinking they are doing evil for gawd. We've got a
| civilization of short sighted idiots.
| genocidicbunny wrote:
| > I think it's just very, very easy to create a system of
| people collectively doing evil things where no one person
| carries the burden of evil individually enough to really feel
| sick enough with what they're contributing to.
|
| Which is why I don't think punishing just the company itself is
| enough. The engineers, designers, PMs that implemented this
| should also receive punishment, sufficient enough to make
| anyone thinking of participating in the implementation of such
| systems have reason enough to feel sick, if only for their own
| skin. Make it clear that participating in such things carries
| the risk of losing your career, a lot of money, and potentially
| even your freedom.
| DrScientist wrote:
| I'd argue that the person running the company in this case is
| responsible.
|
| Now they may argue that they didn't know - but you can frame
| the law such that it's their duty to know and ensure this
| sort of stuff doesn't happen.
|
| cf Sarbanes-Oxley
| brookst wrote:
| Definitely a good way to drive talent overseas. Get the low
| level people to assume all of the risk with none of the
| upsides; ask recent grads and junior people to do E2E
| ethical analysis on every project in addition to their 60
| hour/week job, give the truly evil people convenient,
| lower-level scapegoats.
| Waterluvian wrote:
| Completely agree.
|
| My feeling is that corporate officers should bear the
| burden that the corporation as a person currently bears. I
| can only imagine how much better things would be in past
| experiences if the C-levels felt a personal need to
| actually know how the sausage is being made.
| genocidicbunny wrote:
| I can't fully agree because the way I see it, that is in
| a way scapegoating the company executives. Are they
| responsible? Probably, yes, they set the direction of the
| company and give the orders at the highest level. But we
| the engineers and designers are the ones actually
| implementing what is probably a fairly nebulous order at
| the highest levels into something concrete. They deign
| that there should be evil created, but we're the ones who
| are actually making it happen.
|
| Some of the responsibility lies with us, and we need to
| not pretend that's not the case.
| DrScientist wrote:
| I'd agree at a personal/moral level there is equal
| responsibility. However that doesn't recognise both the
| power and risk/reward imbalance here.
|
| If you, as an employee, did this - maybe you'd add a few
| dollars to your stock options over time. If you're Zuck -
| that's potentially billions.
|
| And in terms of downside - if you are Zuck and stop it in
| the company - there is no comeback - if you are an
| engineer blowing the whistle - you may find it hard to
| work in the industry ever again - and only one of those
| two actually needs to work.
| Ray20 wrote:
| Sounds like a typical blurring of responsibility through
| bureaucracy. "If Zak is a billionaire, then he is
| responsible, but since he essentially did nothing wrong,
| then no one will be held accountable." Total nonsense.
|
| There are specific crimes, and there are specific people
| who planned these crimes, specific people who ordered
| them to be carried out, and who carried them out. And
| these people should be held accountable for these crimes.
| Even if they work 60 hours a week for minimum wage and
| would have been fired if they hadn't committed them. They
| should have quit in such cases, not committed crimes.
|
| And on the other hand, if your employees, without your
| knowledge, somehow decided that the only way they could
| reach their targets was to commit a crime, why should you
| be held responsible for that? Even if you have 20
| megayachts and your employees work 60 hours a week for
| minimum wage.
| SoftTalker wrote:
| > if your employees, without your knowledge, somehow
| decided that the only way they could reach their targets
| was to commit a crime, why should you be held responsible
| for that?
|
| That's where "known _or should have known_" becomes
| relevant. It's your company, it's your responsibility to
| know what they are doing.
| wapeoifjaweofji wrote:
| > I can't fully agree because the way I see it, that is
| in a way scapegoating the company executives.
|
| Frankly, that's what the money's for.
| brookst wrote:
| Do you also take personal responsibility for your
| company's hiring practices, investment strategy, and
| marketing content? None of that would exist without you.
|
| I think anyone would agree that there's a level of
| flagrancy where individuals should feel culpability and
| make the right choices ("write software to prescribe
| poison to groups we don't like").
|
| But something like this? Two apps establishing a comms
| channel? How many millions of times does this get done
| per year with no ill intent or effect? Is every engineer
| supposed to demand to know all of the use cases, and cross
| reference to other projects they're not working on?
|
| At some point it's only fair to say that individuals
| should exercise their conscience when they have enough
| information, but it is not incumbent on every engineer to
| demand justification for every project. That's where the
| decision makers who do have the time, resources, and
| chatter to know better should be taking at least legal
| responsibility.
| SoftTalker wrote:
| As a software developer no I don't feel responsible for
| those things, because I don't have any involvement with
| them as part of my job. But the people who work in HR,
| finance, and marketing are responsible for those things.
|
| I agree that the junior engineer implementing a localhost
| listener on Android might not understand what it is going
| to be used for and might not even think to ask. But
| somewhere, a senior engineer or PM or manager knows, and
| yes as you say that's the point where responsibility can
| be assigned, and increasingly up the line from there.
| throwawayqqq11 wrote:
| LLC - Limited liability company
|
| GmbH - Society with limited liability (german, translated)
|
| This liability shield is by design.
| genocidicbunny wrote:
| And yet, we still have the ability to pierce the liability
| veil. Heck, it's even in the name, "limited liability". Not
| "no liability".
| zufallsheld wrote:
| The CEO (Geschäftsführer) is liable when they intentionally
| break the law, so the limited liability is not applicable
| then.
| bnlxbnlx wrote:
| I think (haven't actually watched it, but on my watchlist) this
| is exactly what the movie "The Corporation" (2003) [1] lays
| out.
|
| [1] https://m.imdb.com/title/tt0379225
| aorth wrote:
| Yes you are right. I owned the DVD twenty years ago! It blew
| my mind at the time...
| DrScientist wrote:
| > Companies have no soul. They are, by design, just chasing
| revenue. Everything else is just a risk to be factored.
|
| I disagree - companies are set up/run by people, and those
| people define company culture/ company culture reflects those
| people.
|
| Not all companies, even big ones, are the same.
|
| To make that concrete - if Mark Zuckerberg found out about the
| above activity and was appalled and sacked everyone involved
| that would send out a very strong signal.
|
| Note this particular method can't be a rogue one man job - it
| requires coordination across multiple parts of the Meta stack -
| senior people had to know - which would point to a rotten
| culture at Meta emanating from the top.
| drweevil wrote:
| No, companies indeed have no soul. This is all about perverse
| incentives. While companies are set up/run by people, the
| (publicly owned) company as a whole only has one incentive:
| profit. If any person on the inside stands against that, they
| won't stand long. Investors, executives whose pay depends on
| it, etc. will make sure of that.
|
| So the problem here is to transform a moral incentive into a
| financial one. A strong outside regulator who will stand its
| ground can do this, by imposing a meaningful financial
| penalty to punish the legal/moral transgression. This is why
| regulations and regulators with teeth are vital in a
| capitalist system.
|
| I'm not holding my breath here. Regulatory capture is a
| thing. OTOH, Trump's undiplomatic approach to the EU may wind
| up costing Meta. We'll see.
| DrScientist wrote:
| > If any person on the inside stands against that, they
| won't stand long. Investors, executives whose pay depends on
| it, etc. will make sure of that.
|
| Not in my experience. Even investors are people too ( or
| the investment companies reflect the values of the people
| running it ).
|
| Sure there are people who believe the only role of a
| company is to make money ( eg Milton Friedman ). However
| that's an opinion - not a fact.
|
| Other people have different views and run their companies,
| or place their investments, accordingly.
|
| Even if you believe all that matters is the bottom line -
| you still might take the view that doing reputational
| damaging stuff like this is bad for the long term bottom
| line.
|
| That's not to say that I don't agree with you that
| companies will face pressure over the bottom line, and
| outside regulation is absolutely important. However you
| should realise that part of running a large public company
| is aligning your investors to how you want to operate. If
| you want to take a long term ethical stand then you attract
| those type of investors and try and get rid of the short
| term money men.
|
| Like attracts like.
| Ray20 wrote:
| >This is why regulations and regulators with teeth are
| vital in a capitalist system.
|
| Why do you separate regulators from the incentive system you
| describe? The incentive system is also woven into them, and
| if anything, the incentives for regulators go in a much
| more sinister direction than for any capitalist company.
|
| Profit-seeking companies are forced to satisfy customers
| that have their economic freedom. But what about
| regulators? Their primary incentive is to remain in a
| position of power, their primary tool for achieving their
| goals is forcing.
|
| The economic freedom of all agents is a powerful
| disincentive. And even with it, we see abuses by capitalist
| companies. But what about regulators, whose disincentives
| are much weaker, and whose main tool, moreover, allows them
| to destroy even these weak disincentives? Fixing
| capitalism's incentives with regulators is like curing a
| cold with cancer.
| benterix wrote:
| > To make that concrete - if Mark Zuckerberg found out about
| the above activity and was appalled and sacked everyone
| involved that would send out a very strong signal.
|
| We know from another case that the opposite culture is true:
| when told to break the law and use copyrighted material, the
| engineers felt uneasy - they were not stupid and understood
| what they were going to do, and for a
| similar-in-nature-but-a-few-orders-of-magnitude-smaller thing
| Aaron Swartz was facing prison time. So they expressed their
| concerns upwards but they were told to proceed anyway.
| DrScientist wrote:
| Exactly.
|
| _People_ made that decision.
| alt227 wrote:
| This is a grey area. Yes people are people, but when they
| work for corporations they are given a green light to do
| things that they normally morally wouldn't do. The ability
| to blame it on superiors, brush it under the carpet, or
| hide evidence amongst billions of pieces of normal data
| allow 'People' to make abhorrent decisions in the best
| interest of making the company money. These decisions may
| even be incentivised by bonuses etc.
|
| People are human beings, and we are all prone to bias and
| bribery when big sums of cash are dangled in front of
| us.
| BlarfMcFlarf wrote:
| When an insurance company executive decided to start screwing
| consumers a bit less, a board member initiated a lawsuit
| against him and the company. The system corrects for errors,
| and individual choices to do better are exactly such an
| error.
| lazyeye wrote:
| Here's a senior ex-Facebook exec detailing how the company
| would betray users in the US to the CCP to help gain access
| to the Chinese market:-
|
| https://youtu.be/f3DAnORfgB8
|
| amongst other things...
| JimDabell wrote:
| Is this just a particular case of diffusion of responsibility?
| brookst wrote:
| I agree, except perhaps an over-generalization.
|
| Some companies do have soul, and some pockets within big
| companies do. Patagonia, of course but even some big companies
| like Unilever are surprisingly soulful. They're the exception
| maybe, but it's not like companies have to be amoral.
|
| In tech, there used to be a ton of borderline hippy companies,
| including Apple and Google. There are probably smaller ones
| now, but growth and pressure and wealth does seem to squeeze
| the soul out of places.
| grues-dinner wrote:
| There are multiple entire industries built around diluting and
| proxying accountability.
|
| I suppose since diluting accountability aligns well with making
| more money by allowing shadier activities it naturally happens
| "by accident", but I also think it's quite deliberate in many
| cases.
| rsync wrote:
| I think about this a lot ...
|
| I think the key aspect of a company with "soul" is humans
| directing the company rather than the company directing the
| humans.
|
| I think the biggest inflection point where this flips is when
| companies "pivot".
|
| The human founders of a company should have a well-defined
| philosophical Vision of what it is they are building and who it
| is for. If this doesn't work out, the business should be
| terminated.
|
| It is the zombie husks of corporate organizations that have
| been repurposed to other ends by finance that are dangerous.
| vjerancrnjak wrote:
| Look at the atrocities of animal agriculture and all the difficult
| engineering done to scale massive slaughter.
|
| For some it's evil, for others it's an interesting itch to
| scratch.
| dogleash wrote:
| > I don't think these humans have no soul
|
| They're sellouts and traitors.
|
| Then there are people who will take to pondering what it means
| to be a sellout in a disingenuous manner. They act like it
| takes a haughty philosophy club to stroke their beards,
| reinvent paid labor from first principles and through motivated
| reasoning discover "sellout" isn't all that bad. And it
| turns out everyone sells out one way or another, so it's a wash
| what line of work you go into anyway.
|
| Now _those_ are the people who have no souls.
| lom wrote:
| How long can Instagram keep the local port open before Android
| will kill it to save battery?
| davedx wrote:
| This is an incredibly scummy and devious implementation of user
| tracking. I think META shareholders should hold onto their hats
| with this one.
|
| @dang maybe add a $ to the 32B? I see B so often with AI Models
| that I think the currency symbol would be useful in this link
| title
| geerlingguy wrote:
| Ditto on the 32B, especially since that's IIRC one of the llama
| model sizes!
| ranguna wrote:
| It's 32BEUR
| jmyeet wrote:
| I'm reminded of zombie cookies [1].
|
| This was 15+ years ago now but Verizon (and others?) used Flash
| (because browsers still shipped with support for that in the
| 2000s) to create an undeletable cookie. This was settled for low
| 7 figures.
|
| Privacy legislation has advanced a lot since then and the EU
| doesn't play around with GDPR violations, particularly when it's
| so egregious. I don't expect a $32B fine or settlement but it
| won't surprise me if this costs Meta $1B+.
|
| [1]: https://www.propublica.org/article/verizon-to-
| pay-1.35-milli...
| greenchair wrote:
| This is one of the big reasons big tech wants H-1Bs -> for their
| shady/illegal/immoral projects.
| geerlingguy wrote:
| Sounds like you're affected if you have either Facebook or
| Instagram app installed on an Android phone, you're signed into
| your account, and you don't have anything set up to block
| tracking pixels and the like (though that last part I'm not as
| sure of).
|
| Getting through VPNs and incognito mode are the most egregious
| parts of this offense, though. I think some people are under the
| impression that's a way to act like you're in total privacy...
| but it's not. It's just an easy way to act like you're in a new
| browser session or coming from another location, mostly.
| joshstrange wrote:
| > I think some people are under the impression that's a way to
| act like you're in total privacy... but it's not.
|
| It should be for the average person. VPN and private browsing
| should be enough for what most people use it for. I don't think
| it's fair to expect people to think that the browser is
| secretly communicating with apps on their phone, tying all
| behavior to their identity.
| aspenmayer wrote:
| > I don't think it's fair to expect people to think that the
| browser is secretly communicating with apps on their phone,
| tying all behavior to their identity.
|
| If it was possible for this to happen in the past, we have
| reason to believe that the technical capability to link
| behavior with identity still exists. What's "unfair" about
| informing others about the limitations and risks of using a
| device online?
| SoftTalker wrote:
| I mean, I think that Google (or Apple) have full visibility to
| everything on my Android (or iPhone). Why wouldn't they? Just
| because they say they don't?
| kccqzy wrote:
| And if you actually leave the Facebook or instagram apps
| running in the background.
|
| Some people hate apps running in the background and they
| terminate all apps as soon as they are done using them.
| extraduder_ire wrote:
| Android apps can continue running software in the background
| even if you dismiss them from the switcher. It's up to the OS
| to decide when to kill them, unless you go into the settings
| and press force stop.
| ranguna wrote:
| TL;DR because this article has way too much filler to my taste
| (but I'm sure there are people out there that enjoy reading that
| kind of thing):
|
| The native Instagram and Meta apps start a server listening on
| predefined ports when you launch said apps; they eventually run
| in the background as well. When you are in your browser, whether
| in private mode, not logged in, having refused or disabled cookies, or
| anything else that might make you feel like you are not being
| explicitly tracked, the browser will connect to the locally
| running servers through WebRTC and send all tracking data to said
| servers from the browser.
|
| The Android sandboxing thing is basically about how Android
| isolates each app and should only allow communication through
| Android intents that inform the user of such inter-app
| communication, such as sharing photos and the like. In this case,
| the browser is communicating with the Instagram and Facebook apps
| without letting the user know.
|
| The legal infringement here is that this happens even when you
| refuse to be tracked, which is a violation of GDPR and another
| law mentioned in the article.
|
| The 32B figure is a theoretical maximum (but they also mentioned
| 100B+ in the article, which confuses me).
| naniwaduni wrote:
| The technical details roughly boil down to "your browser lets
| internet sites talk to local services"; in this case if they
| cooperate they can identify each other, but cf.
| https://mrbruh.com/asusdriverhub/
|
| In practical terms this is a privacy leak a couple bits more
| informative but slightly less robust than "these requests are
| coming from the same IP address."
| bsimpson wrote:
| And according to the article, they're using RTC because Android
| is meant to be hardened against backdooring localhost, but Meta
| found a loophole that allowed it if over RTC.
| theginger wrote:
| Does anyone know how long this was going on? Are we talking
| weeks, months or years?
| throwawayffffas wrote:
| So I am seeing two issues here.
|
| 1. Android allows apps to open ports without permissions. And
| apps to communicate with each other without permissions.
|
| 2. The browsers allow random domains to access services on the
| localhost. Without notifying the user. We have seen
| vulnerabilities in the past accessing dev services running on
| localhost. Something should be done there.
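The second issue above (any web origin can talk to a service on localhost) has a standard mitigation on the service side, which this added example shows; it is not code from the thread or from any browser or project mentioned in it. It assumes a developer-run HTTP service bound to 127.0.0.1 on SERVICE_PORT (a made-up port) and uses only headers browsers actually send: Host, Origin and the Fetch Metadata header Sec-Fetch-Site. A request with none of the browser headers (curl, an IDE plugin) is treated as a native client; a request a web page initiated from another site is refused before any handler logic runs.

```python
"""Refuse browser requests that other sites initiate against a localhost-only service.

Added example, not code from the thread or from any browser or project it
mentions. Assumes a local HTTP service on 127.0.0.1:SERVICE_PORT (SERVICE_PORT
is made up) and relies on the Host, Origin and Sec-Fetch-Site headers.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVICE_PORT = 8765  # constructed; any free port works

# Hostnames a legitimate local client would put in the Host header.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _host_only(host_header):
    """Strip the port from a Host value, keeping IPv6 brackets: '[::1]:8765' -> '[::1]'."""
    host, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return host.lower()
    return host_header.lower()  # no port present; the colon (if any) was inside an IPv6 literal


def check_request(headers, port=SERVICE_PORT):
    """Return (allowed, reason) for one request's headers; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host must name this machine. A page whose own domain was pointed at
    #    127.0.0.1 (DNS rebinding) still sends that domain in Host.
    host = _host_only(h.get("host", ""))
    if host not in LOCAL_HOSTS:
        return False, f"host {host!r} is not a local name"

    # 2. Fetch Metadata: browsers label who initiated the request. Only the
    #    service's own pages (same-origin) and user-typed navigations (none)
    #    pass; another local port is a different origin and is refused too.
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={site}: initiated by another site"

    # 3. Origin is sent on POST and cross-origin fetches; only our own may appear.
    allowed_origins = {f"http://{name}:{port}" for name in LOCAL_HOSTS}
    origin = h.get("origin")
    if origin is not None and origin.lower() not in allowed_origins:
        return False, f"origin {origin!r} is not this service"

    # No browser headers at all: a native client such as curl or an IDE plugin.
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies check_request before serving anything."""

    def do_GET(self):
        allowed, reason = check_request(dict(self.headers.items()))
        body = b"hello from the local service\n" if allowed else f"forbidden: {reason}\n".encode()
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET


if __name__ == "__main__":
    # Binding to loopback is the first layer; the header checks are the second.
    HTTPServer(("127.0.0.1", SERVICE_PORT), GuardedHandler).serve_forever()
```

Run it and compare `curl http://localhost:8765/` (allowed) with a fetch() issued from a page on any other origin, which arrives with `Sec-Fetch-Site: cross-site` and is answered with 403. The Host check is what makes the loopback bind meaningful: without it, a page that resolves its own name to 127.0.0.1 is indistinguishable from a local client.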
| WhyNotHugo wrote:
| I'd split that first list into two:
|
| 1a. Arbitrary apps can listen on ports without permissions.
|
| 1b. Arbitrary apps can access local ports without permissions.
|
| I've recently been experimenting with running the browser (on
| my desktop) in a network namespace precisely because of these
| reasons. Random websites shouldn't be able to access services
| running on localhost.
| throwawayffffas wrote:
| > I've recently been experimenting with running the browser
| (on my desktop) in a network namespace precisely because of
| these reasons.
|
| Let me introduce you to https://www.qubes-os.org/.
| alchemist1e9 wrote:
| For the ultra paranoid is there anything that can do this
| on a smartphone?
| const_cast wrote:
| I believe GrapheneOS has true sandboxing.
| advisedwang wrote:
| Those are two technical issues, yes.
|
| But even with those technical issues present, Facebook
| shouldn't have done this.
| moebrowne wrote:
| There is a proposal to restrict sites from accessing a user's
| local network without permission:
| https://github.com/explainers-by-googlers/local-network-acce...
| david_allison wrote:
| > Android allows apps to open ports without permissions.
|
| Just to clarify: you need `android.permission.INTERNET`. This
| is a default permission (granted by default at install time
| with no user interaction).
|
| GrapheneOS allows this permission to be disabled.
|
| As far as I'm aware, you can't lock this down to 'allow only
| intra-app communications via localhost', please let me know if
| I'm mistaken.
| frenchmajesty wrote:
| Very impressive but not surprising coming from Meta. They have a
| history of doing this kind of thing.
|
| Back in the early 2010s, they found a way to spy on HTTPS traffic
| on the iOS App Store to monitor which apps were getting popular.
| That's what allowed them to know WhatsApp and Instagram were good
| acquisition targets.
|
| At this point, I think the race for Zuckerberg is, can Meta
| survive long enough for the next platform shift (AR or VR) where
| they will own one of the major platforms and won't need to abide
| by any reasonable rules before their "internet tentacles" that
| sustain the Ad Machine are cut off.
|
| My bet is they will make it. Though I don't wish it, they're on
| track.
| joshstrange wrote:
| > Back in the early 2010s, they found a way to spy on HTTPS
| traffic on the iOS App Store to monitor which apps were getting
| popular.
|
| They had people install a VPN app using enterprise certificate
| so it was never in the App Store and they monitored all the
| traffic that the VPN sent.
|
| Unlike this case, it required users to jump through a number of
| hoops/scary iOS warnings. Many still did, for a gift card or
| less.
| disgruntledphd2 wrote:
| > Back in the early 2010s, they found a way to spy on HTTPS
| traffic on the iOS App Store to monitor which apps were
| getting popular. That's what allowed them to know WhatsApp
| and Instagram were good acquisition targets.
|
| Incorrect. An Israeli startup (Onavo) that had pivoted into
| selling data acquired from their VPN got acquired by
| Facebook. Importantly, they used statistics to estimate
| population prevalence, which is how FB knew that WhatsApp
| (specifically, this was all post IG acquisition) was super
| popular outside the US.
|
| > They had people install a VPN app using enterprise
| certificate so it was never in the App Store and they
| monitored all the traffic that the VPN sent.
|
| This was (sadly) an _entirely_ different scandal.
|
| Honestly, I generally defend Meta/targeted advertising in
| these threads, but this one is such incredible, total,
| absolute bullshit that I can't even begin to comprehend how
| one could defend this.
|
| I do remember when I joined FB in 2013, how surprised I was
| that most of the company didn't care about ads/making money
| (apart from the sales org). That ship has clearly sailed.
| joshstrange wrote:
| Ahh, I knew about the Onavo acquisition history but I had
| "context crunched" it down and skipped over the time
| when it was on the App Store before they rebranded it as
| (internally) "Project Atlas" and externally Facebook
| Research which was distributed through enterprise
| distribution. Thank you for the clarification.
| disgruntledphd2 wrote:
| Yeah, they were different and happened at different
| times. I can kinda justify Onavo (personally I think that
| they could've been the Nielsen of mobile if they hadn't
| gotten acquired) but the whole enterprise cert thing was
| super, super shady.
| naikrovek wrote:
| > Honestly, I generally defend Meta/targeted advertising in
| these threads
|
| These kinds of things now point me in a direction where I
| consider advertising alone to be immoral and want it
| banned. I should have to request information when I want
| it, rather than being exposed to it at all times on every
| available surface.
|
| There are only three ways this can go: 1) more frequent and
| more spookily relevant ads, increasing the number of people
| who feel that ads should be illegal because of the law
| breaking required to make it happen. 2) ads don't change
| and everyone quickly learns to ignore them. 3) ads go away,
| replaced by an easy to use marketing information delivery
| system where only adults can request information
| unsupervised.
|
| Meta do #1 because #2 and #3 mean the capitalist line
| doesn't go up and the end of Meta, respectively. Meta view
| both of those as the same thing: the end of Meta.
|
| "What about all the businesses which need advertising to
| survive?"
|
| If they need advertising to survive they've been on
| borrowed time long enough already.
|
| Advertisements encourage the shit Meta is doing. What kinds
| of similar things are they doing that we haven't
| discovered, yet?
| philistine wrote:
| I disagree that they're on track to make it. Their platform,
| Quest VR, has sold around 20 million headsets. Any company
| would be over the moon but we're talking Facebook here. They
| need way more users than that, which can only be achieved with
| explosive growth.
|
| So maybe they're growing fast? Nope. Their best-selling
| product, at 14 million of those 20 million, is the Quest 2, which
| has been discontinued for 9 months. Doesn't sound like
| explosive growth to me when your best selling product is not
| your current product.
| extraduder_ire wrote:
| The quest 2 was considerably cheaper, I believe it sold at a
| loss initially, and most of its sales lifetime was during a
| pandemic. It's hard to directly compare the two.
| bobthepanda wrote:
| Companies have been trying to make AR/VR the next platform
| shift but I'm not super convinced that people actually want or
| desire this outside of a few niche games. To me it feels like
| it has about as much staying power as 3D glasses in movies.
| MrDarcy wrote:
| The window of opportunity already closed for AR/VR. AI dealt
| the death blow.
| LoganDark wrote:
| What do you mean? AI will enable better AR/VR experiences,
| or AI will obsolete them?
| Miraste wrote:
| Simpler than that: AI co-opted the hype machine and the
| buzzword gurus, and therefore the investor money.
| gpderetta wrote:
| wait for AI generated virtual worlds. On a blockchain.
| hoppp wrote:
| I cant wait for the rug pull
| isk517 wrote:
| Pretty much, and it's a shame because AR has so much
| potential. Our company has started using an AR product in
| our quality control. It really doesn't take using it for
| long to realize the potential; being able to overlay a
| CAD model over the physical finished product is
| incredible and offers a lot of time savings.
| Unfortunately the most advanced AR device on the market
| is over 5 years old so you can really feel the software
| brush up against the hardware limitations.
| packetlost wrote:
| idk, I would absolutely jump on AR glasses that offered
| reasonable hands free interaction (even via a smartwatch or
| something) and didn't look awful. AI _might_ enable that,
| actually, but we'll see.
| dvngnt_ wrote:
| For gaming and media consumption, VR is here to stay. The
| meta raybans have also been successful.
|
| As far as replacing your smartphone with AR glasses that
| remains to be seen
| hoppp wrote:
| I think the world is progressing away from headsets or
| screens.
|
| We will just have an AI that will do everything, we just
| ask. "Book a flight, order a pizza and reply to my emails"
| boom, done.
| jgalt212 wrote:
| > They have an history of doing this kind of things.
|
| They have a history because the punishment has never dissuaded
| anyone from being a repeat offender.
| throwawayffffas wrote:
| What about the whatsapp app?
| bsimpson wrote:
| ...and FB Messenger
| throwawayffffas wrote:
| I did a quick check with adb, it looks like whatsapp is not
| opening any ports.
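A systematic version of the adb check above, added here as an example; it is not code from the thread or from any app vendor. It parses the socket tables that `adb shell cat /proc/net/tcp` (and tcp6, udp, udp6) return, keeps the sockets a page in a local browser could reach (loopback or wildcard binds), and maps the owning uid to a package name via `pm list packages -U`. Assumptions: a little-endian device (the kernel prints each 32-bit address word in host order, so 127.0.0.1 shows up as 0100007F), and `package:<name> uid:<uid>` as the pm output format; check both on your device. The sample tables and package list are constructed; `collect_from_device()` is the only live piece. The same tables are world-readable on desktop Linux, so the parser works unchanged there.

```python
import socket
import subprocess
from typing import Dict, List, Tuple

TCP_LISTEN = "0A"       # st column for a listening TCP socket
UDP_BOUND = "07"        # /proc/net/udp shows bound, unconnected sockets as TCP_CLOSE
TABLES = (("tcp", "tcp"), ("tcp6", "tcp"), ("udp", "udp"), ("udp6", "udp"))


def parse_proc_addr(field: str) -> Tuple[str, int]:
    """Decode a /proc/net '<hex addr>:<hex port>' field. The kernel prints each
    32-bit word of the address in host byte order, so on little-endian devices
    127.0.0.1 appears as 0100007F and ::1 as 00000000000000000000000001000000
    (assumption: little-endian device)."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words)), int(port_hex, 16)


def listening_sockets(table: str, proto: str) -> List[dict]:
    """Return LISTEN (tcp) or bound (udp) sockets from one /proc/net table."""
    wanted = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    out = []
    for line in table.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != wanted:
            continue
        ip, port = parse_proc_addr(cols[1])
        out.append({"proto": proto, "ip": ip, "port": port,
                    "uid": int(cols[7]), "inode": int(cols[9])})
    return out


def uid_to_package(pm_output: str) -> Dict[int, str]:
    """Map uids to package names from `pm list packages -U`
    ('package:<name> uid:<uid>' lines; this format is an assumption)."""
    result = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        name, _, uids = line[len("package:"):].partition(" uid:")
        for uid in uids.replace(",", " ").split():
            if uid.isdigit():
                result[int(uid)] = name.strip()
    return result


def reachable_from_browser(ip: str) -> bool:
    """A page in a browser on the same device can connect to loopback or wildcard binds."""
    return ip in ("127.0.0.1", "::1", "0.0.0.0", "::") or ip.startswith("::ffff:127.")


def local_listeners(tables: Dict[str, str], packages: Dict[int, str]) -> List[dict]:
    """Cross the four socket tables with the uid map; returns locally reachable listeners."""
    findings = []
    for name, proto in TABLES:
        for sock in listening_sockets(tables.get(name, ""), proto):
            if reachable_from_browser(sock["ip"]):
                sock["package"] = packages.get(sock["uid"], f"uid:{sock['uid']}")
                findings.append(sock)
    return findings


def collect_from_device() -> Tuple[Dict[str, str], Dict[int, str]]:
    """Live path: pull the tables over adb (the shell user needs read access to
    /proc/net, which some builds only grant to root)."""
    def sh(cmd: str) -> str:
        return subprocess.run(["adb", "shell", cmd], capture_output=True,
                              text=True, check=True).stdout
    tables = {name: sh(f"cat /proc/net/{name}") for name, _ in TABLES}
    return tables, uid_to_package(sh("pm list packages -U"))


# Constructed sample: one app (uid 10234) listening on 127.0.0.1:10000/tcp and
# 0.0.0.0:10002/udp, a system socket on [::1]:10001, plus an established
# connection (st 01) that must not be reported.
SAMPLE_TABLES = {
    "tcp": (
        "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
        "   0: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 48213 1 0 100 0 0 10 0\n"
        "   1: 0100007F:D431 0100007F:2710 01 00000000:00000000 00:00000000 00000000 10234        0 48290 1 0 20 4 30 10 -1\n"
    ),
    "tcp6": (
        "  sl  local_address                         rem_address                          st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
        "   0: 00000000000000000000000001000000:2711 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31177 1 0 100 0 0 10 0\n"
    ),
    "udp": (
        "   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
        "   2: 00000000:2712 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 48301 2 0 0\n"
    ),
}
SAMPLE_PM = "package:com.example.social uid:10234\npackage:android uid:1000\n"

if __name__ == "__main__":
    for f in local_listeners(SAMPLE_TABLES, uid_to_package(SAMPLE_PM)):
        print(f"{f['package']:28} {f['proto']} {f['ip']}:{f['port']}")
```

Swap `SAMPLE_TABLES` for the return value of `collect_from_device()` to run it against a phone; a listener that disappears when the app is force-stopped, and comes back when it is launched, is the one to look at.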
| fidotron wrote:
| The same European intelligentsia that is progressively forcing
| Apple to tear down the walled garden simultaneously fails to
| understand that this is exactly why they had it in the first
| place:
|
| > You're not affected if (and only if) . . .
|
| > You browse on desktop computers or use iOS (iPhones)
|
| At the very least they should step back and allow companies to
| enforce safeguards because they clearly lack the understanding or
| foresight to do so effectively.
|
| The simple way for the EU to beat Meta is to stop being so cheap:
| break the WhatsApp dependency by actually paying properly for
| something that has a decent UX and doesn't track you. If you
| aren't willing to do this you will be exploited over and over
| again. TANSTAAFL
| brookst wrote:
| It is kind of funny that EU may well require these kinds of
| vulns to be present, while reacting with outrage when used.
| sidcool wrote:
| This is quite an interesting read. But if Android does not allow
| listening to localhost ports, how did Meta achieve it?
| graftak wrote:
| It's allowed over RTC
| Thorrez wrote:
| >You're not affected if (and only if)
|
| ...
|
| >You always used the Brave browser or the DuckDuckGo search
| engine on mobile
|
| How does choice of search engine protect from this?
| yegg wrote:
| I think they meant our browser.
| joshstrange wrote:
| > How does choice of search engine protect from this?
|
| I don't use android or either of those browsers but my guess is
| that either block the tracking pixel from loading in the first
| place or they're more locked down on what they allow websites
| to reach out to (aka no Localhost access).
| Thorrez wrote:
| I'm not asking about browsers, I'm asking about a search
| engine. How could a search engine block a tracking pixel? You
| click a link in the search engine and go to a website. The
| search engine can't control the website after you go there,
| can it?
| joshstrange wrote:
| DuckDuckGo and Brave have browsers on Android
| mvdtnz wrote:
| Are you being intentionally obtuse? Read the quote again,
|
| >You're not affected if (and only if) ...
|
| >You always used the Brave browser or the DuckDuckGo
| search engine on mobile
| wewewedxfgdf wrote:
| Makes me think of the Simpsons episode where Bart gets away with
| anything by saying "I'm sorry", and looking contrite.
| JimDabell wrote:
| Previous discussion:
|
| Covert web-to-app tracking via localhost on Android (341
| comments):
|
| https://news.ycombinator.com/item?id=44169115
| 1vuio0pswjnm7 wrote:
| NB. Comment totals may still be increasing as discussion
| continues
|
| Washington Post's Privacy Tip: Stop Using Chrome, Delete Meta
| Apps (and Yandex) (328 comments)
|
| https://news.ycombinator.com/item?id=44210689
|
| Meta found 'covertly tracking' Android users through Instagram
| and Facebook (95 comments)
|
| https://news.ycombinator.com/item?id=44182204
|
| Meta pauses mobile port tracking tech on Android after
| researchers cry foul (28 comments)
|
| https://news.ycombinator.com/item?id=44175940
|
| Covert web-to-app tracking via localhost on Android (6
| comments)
|
| https://news.ycombinator.com/item?id=44169314
|
| Covert Web-to-App Tracking via Localhost on Android (6
| comments)
|
| https://news.ycombinator.com/item?id=44169314
|
| Meta and Yandex Spying on Your Android Web Browsing Activity
|
| https://news.ycombinator.com/item?id=44177637
|
| New research highlights privacy abuse involving Meta and Yandex
|
| https://news.ycombinator.com/item?id=44171535
|
| Meta and Yandex exfiltrating tracking data on Android via
| WebRTC (3 comments)
|
| https://news.ycombinator.com/item?id=44176697
| hurtuvac78 wrote:
| This story got kicked out of front page quite suddenly, not sure
| how/why. Lots of points and comments.
| N-Krause wrote:
| Yeah, would be interested to know why exactly
|
| EDIT: Ok probably because it basically is a repost. I just
| haven't seen it 6 days ago.
| ChrisMarshallNY wrote:
| Lots of second posts stick around for a long time.
|
| I have seen that if a company is called out by name, in an
| inflammatory manner, the posts tend to drop out quickly.
| Sometimes, they come back.
|
| Conspiracy theorists say that only happens with YC-backed
| companies, but that may be selection bias. I have seen
| stories that call out a number of companies, disappear
| quickly.
|
| It's hard to say if that's OK or not. I think some of these
| stories are really nothing more than "hit pieces," but some
| of them are really on the money.
| jmward01 wrote:
| I'm just confused why Meta needed to do this. Isn't
| fingerprinting good enough to not risk building this? All I can
| think is they use something like this to prove out their other
| tracking tech is working (this is the test set effectively). It
| is obvious that they really have several of these types of
| tracking technologies so that if one gets found out/patched they
| can switch it off and say 'look we stopped' all while still
| tracking with impunity. It just seems dumb that they would keep
| something this blatant in use.
| SoftTalker wrote:
| Sociopathic people are running the company. You tell them they
| can't do something, they take it as a challenge and try to do
| it without getting caught.
| sudahtigabulan wrote:
| Can this be avoided by running any Meta apps in Work Profile, and
| the browser in Main Profile?
| pupppet wrote:
| Once again those of us in NA have to leave it to the European
| government to look out for us.
| ghthor wrote:
| I mean, we can assume they are doing something bad and not
| install their software.
| icedchai wrote:
| Yes, I just love all those cookie banners. Thanks!
| teleforce wrote:
| "If you're not paying for the product, you are the product" -
| anonymous.
|
| Why this very news is not on the HN front page for a
| considerable amount of time is beyond me.
|
| It has the right recipe for top HN post namely users deception,
| sandbox bypass, privacy or lack thereof, web browser, Meta, etc.
| eviks wrote:
| "If you're paying, you're still the product", so apparently
| other factors anon didn't mention are involved
| _wire_ wrote:
| You've rented a device that connects to a worldwide
| communications network built on a principle of numerically exact
| message routing between every device and use it to run
| numerically exact programs from service providers to access
| services that host and consolidate the particulars of your
| identity within their servers rather than your device, and you
| are amazed that the device can persistently track everything you
| do with the device?
|
| What's the point of being Google or Apple except for precisely
| control of such central services?...
|
| Central Services, we do the work, you do the pleasure...
|
| "Have you considered your ducts?"
|
| ...And it just so happens that all the news you see is from the
| device and subject to this surveillance used to colonize your
| mind... Sounds democratic!
|
| The old Politburo could only dream of such tools for maintenance
| of a compliant, obedient proletariat.
|
| And with Central Services new "AI" you can get a brain implant to
| ensure your perfect conformity and access to the best paying jobs
| in the world, yours and your family's future will be secure. Be
| sure to invest in these securities, shop here, entertain and
| vacation there-- leave the driving to us! Do it your way.
|
| "A new life awaits you in the Offworld Colonies. A chance to
| begin again in a golden land of opportunity and adventure. So
| c'mon America..."
|
| "...Every leap of civilization was built off the back of a
| disposable work force..."
| jasonthorsness wrote:
| "The Meta Pixel script sends the _fbp cookie to the native
| Instagram or Facebook app via WebRTC (STUN) SDP Munging."
|
| Crazy to deploy a hack like this at the scale of Meta.
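The receiving end of what this comment describes, as an added detection example; it is not code from the thread, from Meta or from Yandex. It parses STUN framing (RFC 5389) and flags Binding Requests that are sent to a loopback address and whose USERNAME attribute carries an identifier shaped like Meta's `_fbp` cookie (`fb.<n>.<13-digit ms timestamp>.<random>`). Two assumptions, neither stated on the page: that SDP munging places the identifier in the local ICE ufrag, which is the half of the STUN USERNAME (`remote-ufrag:local-ufrag`) the browser controls, and the loopback port number, which is a placeholder. The sample datagrams are constructed; there is no MESSAGE-INTEGRITY checking, since a covert request has no reason to pass one.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006

# Meta's first-party "_fbp" cookie is formatted "fb.<n>.<unix ms>.<random>";
# the concrete value used below is constructed.
FBP_RE = re.compile(r"fb\.\d\.\d{13}\.\d+")

# Placeholder: the page does not say which loopback ports the apps listened on.
LOOPBACK_PORT = 12345


def parse_stun(datagram: bytes) -> Optional[dict]:
    """Parse RFC 5389 STUN framing; return None for anything that is not STUN."""
    if len(datagram) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", datagram[:8])
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None          # top two bits must be zero, magic cookie must match
    if len(datagram) < 20 + msg_len:
        return None          # truncated message
    attrs: Dict[int, bytes] = {}
    off, end = 20, 20 + msg_len
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", datagram[off:off + 4])
        value = datagram[off + 4:off + 4 + alen]
        if len(value) != alen:
            return None      # attribute overruns the message
        attrs[atype] = value
        off += 4 + ((alen + 3) & ~3)   # TLVs are padded to 32-bit boundaries
    return {"type": msg_type, "transaction_id": datagram[8:20], "attrs": attrs}


def build_binding_request(username: str, tid: bytes = b"\x11" * 12) -> bytes:
    """Build a minimal Binding Request (used here only to construct sample traffic)."""
    raw = username.encode()
    attr = struct.pack("!HH", ATTR_USERNAME, len(raw)) + raw + b"\x00" * ((-len(raw)) % 4)
    return struct.pack("!HHI", STUN_BINDING_REQUEST, len(attr), STUN_MAGIC_COOKIE) + tid + attr


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip in ("::1", "::ffff:127.0.0.1")


def flag_covert_stun(dst_ip: str, dst_port: int, datagram: bytes) -> Optional[dict]:
    """Flag a Binding Request aimed at loopback whose USERNAME (ICE ufrag pair)
    carries an _fbp-shaped identifier. Ordinary ICE checks go to the remote peer
    and use short random ufrags, so this combination is the localhost pattern."""
    if not is_loopback(dst_ip):
        return None
    msg = parse_stun(datagram)
    if msg is None or msg["type"] != STUN_BINDING_REQUEST:
        return None
    username = msg["attrs"].get(ATTR_USERNAME, b"").decode("ascii", "replace")
    hit = FBP_RE.search(username)
    if hit is None:
        return None
    return {"dst": f"{dst_ip}:{dst_port}", "username": username, "identifier": hit.group(0)}


def scan(packets: List[Tuple[str, int, bytes]]) -> List[dict]:
    """Run the check over (dst_ip, dst_port, payload) tuples, e.g. from a UDP capture."""
    return [f for f in (flag_covert_stun(ip, port, data) for ip, port, data in packets) if f]


# Constructed sample traffic: one covert request to loopback, one ordinary ICE
# check to loopback, and the same munged payload sent to a public STUN server
# (which is not what the thread is about and is left alone).
SAMPLE_PACKETS = [
    ("127.0.0.1", LOOPBACK_PORT, build_binding_request("abcd:fb.1.1749550000000.123456789")),
    ("127.0.0.1", LOOPBACK_PORT, build_binding_request("abcd:efgh")),
    ("203.0.113.5", 3478, build_binding_request("abcd:fb.1.1749550000000.123456789")),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PACKETS):
        print(finding)
```

Fed with UDP payloads captured on the device (for example from tcpdump on the lo interface), `scan()` returns one finding per datagram; the transaction ID in the parsed message lets you pair a request with the app's Binding Response, which is the proof that something on the phone was actually answering.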
| jobs_throwaway wrote:
| yeah...how does this get approved?
| ls-a wrote:
| What's funny is that the engineers who implemented this are
| probably one of us here on HN. I don't think Zuck implemented
| this himself
| hbossy wrote:
| That's what they need AI for. It won't say no.
| aunetx wrote:
| The engineers did not say no either though.
| hkt wrote:
| They're hoping that in the long run AI won't say no and
| will be cheaper
| ryandrake wrote:
| AND, whenever you suggest here that engineers should consider
| the morals or ethics of what they are being asked to work on,
| you often get lots of push back in the comments. "I just want
| to work on cool tech! It's my company's problem what they use
| it for!" and "Hey, I'm just a code monkey, don't blame me! If
| my manager tells me to build the Torment Nexus, I build the
| Torment Nexus!"
| 7373737373 wrote:
| no https://en.wikipedia.org/wiki/Engineer%27s_Ring for
| programmers
| absurdo wrote:
| Some time later on HN front page:
|
| > Why I left FB,GOOG,Whatever
|
| >> Author describes seemingly abhorrently unethical and
| immoral practices they were completely ignorant of, occurring
| right in front of them that they were a key participant in.
|
| >> Accepted a massive salary to be ignorant.
|
| >> Shocked as all fuck about ethics and implications.
|
| >> Returned 0 money, cashed out.
|
| >> 100% ethical now.
| LadyCailin wrote:
| This is one of the main reasons I'm for licensing software
| engineers like civil engineers are. You know that without a
| license, you can't work in the civilized world. So when your
| license requires you to not build the torment nexus, and some
| manager comes and says "build the torment nexus" then you
| tell them no, knowing that they can't just fire you and hire
| someone else to do it. Yes, they might outsource it, but you
| can create regulations that say that companies that offer
| products in the civilized world anyways can't offer the
| torment nexus as a product, and then you get a super
| compelling argument for preventing the torment nexus.
|
| The plan isn't without flaws, but nobody ever even wants to
| discuss, they just cut off the conversation early.
| icedchai wrote:
| Yes, they'll just outsource it. Plus, it could be argued
| that localhost tracking is not actually illegal in the
| jurisdiction where it was developed (debatable, I know.)
| ATechGuy wrote:
| If it does not cost them everything, they will not stop.
| udev4096 wrote:
| This is one of the reasons you need to segregate your whole LAN.
| At the bare minimum, use VLANs to knock off these ruthless
| scanners. And obviously, this wouldn't be possible if you used a
| strong adblock list on whatever DNS you're running. They cannot
| touch the people who take proper measures. I also do not believe
| people who use Facebook really care about privacy. I am well
| aware of how mean this sounds but they fully deserve to be
| tracked
| janalsncm wrote:
| > they fully deserve to be tracked
|
| Absolutely not. The law is still the law. The fact that Meta is
| able to break the law via technical means doesn't mean victims
| deserve to be victimized.
|
| Just because someone is able to pick your lock at night doesn't
| mean you deserve to be burglarized.
| udev4096 wrote:
| Get a better lock. If you don't care enough to _not_ get lock
| picked, whose fault is it? The bar to avoid this form of
| tracking is not high at all. It's trivial for anyone who is
| willing to put some serious efforts in defending their
| privacy
| comrh wrote:
| You live in a tech bubble if you think it's trivial when
| most people don't even know what localhost is.
| finnh wrote:
| "trivial ... serious efforts"
|
| which is it? you contradict yourself in a single sentence.
| oceansky wrote:
| Absolutely no lock will prevent a sufficiently motivated
| thief.
|
| And the bar is high for the average person, who isn't much
| tech savvy at all.
| okanat wrote:
| This is why lawmakers don't take the opinion of "experts"
| like you.
|
| People: "Oh there is a poisonous substance in the water.
| Many people harmed" Your answer: "Yeah, why don't you have
| a degree in water safety, in the first place plebs? I take
| samples every week."
|
| GDPR doesn't work like your imaginary all-expert world.
| Facebook should be, and hopefully will be, fined into nonexistence.
| aorth wrote:
| Remember in 2014 when the Android Twitter app started sending a
| list of all your installed applications back to Twitter?
| https://news.bloomberglaw.com/privacy-and-data-security/twit...
|
| Ever since then I refused to install native versions of apps that
| could be used in a browser. I don't use Facebook or Instagram so
| I don't know if that works anymore, and I recall testing that
| they were intentionally crippling Facebook Messenger at one
| point.
|
| Then the past decade of native apps requesting tons of
| permissions and users just clicking agree. Why should Facebook be
| able to read my Wi-Fi network or Bluetooth? Of course there is
| something shady going on. Beacons tracking people walking around
| brick and mortar stores.
| https://en.wikipedia.org/wiki/Facebook_Bluetooth_Beacon
|
| Such a shame because native apps are so much more pleasant and
| performant to use than web apps.
| dcminter wrote:
| > they were intentionally crippling Facebook Messenger at one
| point [in a browser]
|
| They were/did. I was using Messenger Lite for a bit which was
| ok, but they killed that and the mobile browser mode.
|
| I still need FB for some events and contacts, but I refuse to
| have the fat messenger app installed so now I end up using the
| damn thing in desktop mode which is ... painful.
|
| All I seem to see in my feed these days is "suggested for you"
| so it's a lot less addictive than it was back in the day. Not
| sure why they're so determined to drive the user base away, but
| that does seem to be the plan.
| gausswho wrote:
| I felt a prude at the time but eschewed native apps for browser
| versions and haven't regretted. Didn't benefit from
| notification distraction anyway. Apple and Google just didn't
| get their houses in order to be taken seriously.
|
| If it ain't on F-Droid, I'll wait.
| const_cast wrote:
| Web apps have been sabotaged so severely for years now, and it
| really peeves me. Half the time they bombard the UI with "use
| the app!!1" popups and the other half of the time they just
| don't work.
|
| The worst part is that a lot of native apps these days are just
| web views. You can't even be bothered to use the native UI
| toolkit and you expect _me_ to download your app? If this is
| just safari with extra steps then let me use safari!
| Saris wrote:
| I like using ublock origin since I can create filters for
| those popups.
| 1oooqooq wrote:
| this is still perfectly legal and allowed.
|
| every app can scan your apps and recently opened ones "for
| security".
|
| same for your contacts.
|
| whatsapp (only meta product i need to touch in our fleet) will
| do both at very fast intervals, and upload a contact list diff
| if it detects changes.
|
| the whole issue here was that meta bypassed the user matching
| on the web without paying google "cookie matching" price
| iamleppert wrote:
| The real flaw here is in WebRTC. WebRTC should be disabled by
| default, and behind a permissions dialog at least. Still,
| facebook could just disable chat or some feature and claim they
| need WebRTC and 99% of users would opt-in to it.
| OptionOfT wrote:
| Reading through this, is it correct to say that they could've done
| a fetch("http://localhost:<port>/id=<id>"), but then it would
| show up very conspicuously in the logs, and you couldn't talk to
| UDP ports with it?
| brazzy wrote:
| I read this:
|
| > Android has many flaws, but in the relevant part here, it's
| specifically designed to prevent apps from doing this -- from
| listening to local ports like localhost.
|
| to mean that they could not do it via HTTP, and instead had to
| circumvent Android's privacy measures via WebRTC.
| fifilura wrote:
| If this fine is collected. Will I get the money?
|
| Serious question. I don't generally mind paying taxes and all
| that. But in this case I feel I am the person offended and I
| should get some kind of compensation. I'd say EUR1-2000 would
| make me feel somewhat compensated.
| BlarfMcFlarf wrote:
| Theoretically, fines replace tax revenue, so you get
| compensated by lower taxes. (Practically, spending and income
| are decoupled and taxes are mostly just an inflation management
| strategy.)
| fifilura wrote:
| I can understand it of course. But in this case I feel
| personally offended. I would like to see the money handed to
| me.
| globalise83 wrote:
| This system was designed and implemented by engineers who
| committed code in a source control system with their name
| attached, and the changes were requested by product managers in
| tickets in the ticketing system with their name attached. Those
| engineers and product managers should be personally liable for an
| equivalent % of their annual salary as Facebook is liable for a %
| of its annual revenue.
| ribosometronome wrote:
| How would the EU fine American engineers who live and are paid
| in America?
| joelfried wrote:
| They would fine them by having a court case and saying they
| are guilty and owe money. Collecting on it would be awfully
| difficult, but you know, people do like trips to Europe.
|
| That said, I think fining the company seems pretty plausible.
| They won't, but it'd be nice if they did.
| acatnamedjoe wrote:
| Can't America fine them? Surely this is illegal there too?
| pesus wrote:
| There is probably little to no chance of that happening in
| the current political climate.
| okanat wrote:
| Well some of them definitely have savings in Europe and like
| to travel to destinations in Europe.
| taormina wrote:
| I like the idea, but I see no reason to shield the management
| that demanded this of the rank and file. Accountability should
| go all the way up the chain.
| kstrauser wrote:
| Yes, but it should include everyone involved, from top to
| bottom. We won't get those data theft misfeatures if
| engineers refused to work on them out of personal liability.
| haliskerbas wrote:
| [deleted]
| jayd16 wrote:
| How often you're asked has no bearing on the morality or
| criminality of the ask.
|
| Hitmen can't just say "but I keep getting hired to kill
| people."
| hooverd wrote:
| do what engineers in other fields do
| aduwah wrote:
| Yeah and let's take away the income from the PMs and Engineers
| and leave the people who actually call the shots unharmed.
|
| Once I worked at a place that actually made a calculation of
| how much an outage cost the company and gave it to the
| engineers who resolved the issue to "think" about how bad they
| were.
|
| What you propose is equally confused and wrong
| hoppp wrote:
| It's unethical for sure, seems like some engineers will do
| anything for their salary, but if they don't do it somebody
| else will and it is an exciting technical challenge.
|
| It's better to blame the management and higher ups or zuck
| himself directly. Blame the people who finance it and profit
| from it, not the people who coded it. Follow the money
| ryandrake wrote:
| > It's unethical for sure, seems like some engineers will do
| anything for their salary, but if they don't do it somebody
| else will and it is an exciting technical challenge.
|
| I remember finding this out as a very junior engineer
| straight out of university. I was once asked to write code to
| cheat at a benchmark to make my company's product look better
| than it actually was. I had deep misgivings about this, but
| as a brand new junior developer, I was very hesitant to speak
| up. Eventually I told my manager I didn't feel comfortable
| with the ethics of working on that project, and he was
| totally cool with it! He said "No problem, we'll take that
| task out of your queue and give it to "Jim", he'll do it
| instead." Jim was thrilled and wrote the benchmarking
| cheating code himself.
|
| There's always someone willing to do it.
| tdiff wrote:
| What I don't get:
|
| - How come Yandex was doing it for years without being noticed.
|
| - Facebook must have known about this technique for years as
| well, why did they only enable it last year.
| kgwxd wrote:
| They knew who was going to be president this year.
| bloppe wrote:
| The American president doesn't really matter in this case.
| The EU is where they're going to get destroyed.
| camillomiller wrote:
| The craziest part is that they are not liable for anything
| apparently under the basically non existent American privacy
| laws.
| riddley wrote:
| I'm guessing I'll get down-voted for this, but what's to stop any
| browser/executable from trolling through /proc on Linux and
| knowing about what every process running as you is doing?
| hollerith wrote:
| File mode bits prevent processes not running as root from
| reading much of the info in /proc.
| mbreese wrote:
| I don't know... with a stock Linux, the information a user
| can get from top (via /proc, I assume), is pretty thorough.
| You can at least get a list of running programs, which by
| itself could be valuable.
| const_cast wrote:
| Nothing really. Desktop operating systems are basically
| grandfathered into the modern world. They have the old timey
| approach to application security. That being, applications can
| access everything on your computer, and there's no fine-grained
| permission systems.
|
| But, for OS that we've developed later, we kind of decided
| that's a problem, and applications are a vector for malware,
| and "trust" just isn't enough. So Android and iOS did the whole
| permissions thing.
|
| Now, we've gone back and added some stuff onto desktop
| operating systems. Of course Linux has containers these days on
| desktop. Like, I'm running Firefox right now - but Firefox can
| only access its runtime folders and ~/Downloads. So, if
| there's a zero day sandbox breach, I won't get data stolen.
| There's also SELinux and Apparmor and stuff and you can really
| jump into the deep end with this.
|
| But, we largely view it as unnecessary because we're running
| open-source software from trusted repositories. We probably
| shouldn't view it that way.
| 12_throw_away wrote:
| I guess we don't call it a "0-day" if it's multinational
| corporation doing the illegal data exfiltration ...
___________________________________________________________________
(page generated 2025-06-10 23:01 UTC)