Meta is facing scrutiny over user privacy. Researchers discovered that Meta tracked the browsing history of Android users with Instagram or Facebook apps installed, even with VPNs or incognito mode.
This tracking occurred without user permission. Meta has disabled the system, which had been active since September 2024. Yandex used a similar system since February 2017.
The vulnerability allowed linking browsing sessions to identity cookies. This bypassed Android's privacy protections, including incognito mode and cookie deletion. Google and Mozilla are working on security patches.
Websites used Meta Pixel for tracking. This code generated a cookie linked to the user's real identity when logged into Instagram or Facebook. The tracked data included visited pages and actions performed on them.
This information was sent to Meta's servers. After the issue surfaced, Meta paused the tracking system. They are in discussions with Google regarding policy application.