Meta May Track Mobile Browsing, Even With a VPN On

Web browsing should be private. That’s the assumption most of us make when we switch to incognito on our browsers or turn on a VPN.

But a new investigation suggests that for Android users with Meta apps installed, those protections may not hold up.

A team from Radboud University in the Netherlands has uncovered a tracking method that reportedly lets Meta monitor mobile web activity, even in private mode or when a VPN is running.

The method appears to exploit Android’s internal permissions to bypass privacy safeguards and harvest browsing data without user consent. That puts it at odds with data protection laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which are meant to limit exactly this kind of silent data collection.

This article explains how the tracking works, why it matters for privacy, and what it signals about data regulation.

Key Takeaways

  • Researchers say Meta is tracking Android users’ web activity through a hidden “app-to-web port link.”
  • The technique reportedly works even in incognito mode or when a VPN is active.
  • According to the study, Meta apps use localhost ports to match browser activity with the identities of logged-in users.
  • This alleged tracking could bypass browser protections, cookie settings, and standard consent mechanisms.
  • Many suggest the method may raise legal concerns under laws like GDPR and CCPA.

Behind the Scenes: How the Tracking System Works

Meta has faced intense regulatory scrutiny in recent years. From a record €1.2 billion GDPR fine in 2023 to a $725 million settlement in the US, the Facebook owner is no stranger to penalties over user data. But the newest findings suggest those financial consequences may not be enough deterrent.

The issue came to light through a detailed investigation led by Professor Güneş Acar and his team at Radboud University in the Netherlands. While some developers had previously flagged Meta’s strange web tracking techniques in developer forums in September 2024, the research formalized what they suspected: Meta apps like Facebook and Instagram can communicate directly with the mobile browser on the same Android device, harvesting browsing data in the process.

The method uses a local channel referred to in the paper as an app-to-web “port link” to relay data between the browser and the app.

Here’s how it works:

According to the research, when a user visits a website embedded with Meta Pixel, which the company uses for analytics and ad tracking, the browser-side JavaScript initiates a WebRTC connection, a framework originally meant for video calls.

Instead of using it for legitimate communication, Meta modifies the Session Description Protocol (SDP) data to “smuggle” first-party cookies like _fbp, which identifies devices across browsing sessions. These cookies are then sent through localhost ports such as UDP 12580–12585 and TCP 12387–12388, which are silently monitored by the Instagram or Facebook app running in the background.

The researchers noted:

“This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode, and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.”

The most critical aspect of Meta’s port-linking technique is that the communication occurs locally, between two apps on the same device.

This means it bypasses traditional web privacy protections entirely: browser sandboxing, cookie restrictions, private browsing sessions, and even IP masking via a VPN, which only protects traffic that leaves the device. Moreover, the user never sees a consent prompt or any indication that their browsing data is being collected.
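The two signals described above, a WebRTC session description carrying cookie-shaped identifiers and ICE candidates aimed at loopback ports in the reported ranges, can both be checked on the browser side before a candidate is ever used. The following auditor is an added example written for this article; it is not code from the article, from Meta Pixel, or from the Radboud team. The port ranges (UDP 12580–12585, TCP 12387–12388) are the ones quoted in the text; the SDP sample is constructed, the `_fbp` value format (`fb.<version>.<timestamp>.<random>`) is an assumption, and the choice of `a=ice-ufrag` as the field carrying the smuggled value is an assumption too, since the article does not say which SDP field was modified. It runs offline in Node.js.

```javascript
// Added example (not from the article or the Radboud paper): audit a WebRTC
// session description (SDP) for the two signals the text describes, namely
// ICE candidates that point at loopback ports in the reported ranges and
// cookie-shaped identifiers embedded in SDP attributes.

// Port ranges quoted in the article (per the Radboud research).
const SUSPECT_PORTS = [
  { proto: "udp", lo: 12580, hi: 12585 },
  { proto: "tcp", lo: 12387, hi: 12388 },
];

// Loopback addresses: traffic to these never leaves the device, so a VPN
// or network-level tracker blocker cannot see it.
function isLoopback(addr) {
  return addr === "::1" || addr.startsWith("127.") || addr === "localhost";
}

function inSuspectRange(proto, port) {
  return SUSPECT_PORTS.some(r => r.proto === proto && port >= r.lo && port <= r.hi);
}

// Parse one "a=candidate:" line (RFC 8839 syntax) into its fields, or null
// when the line is not an ICE candidate.
function parseCandidate(line) {
  const m = /^a=candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line);
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
  };
}

// Assumed shape of a Meta _fbp cookie value: "fb.<version>.<timestamp>.<random>".
const FBP_VALUE = /\bfb\.\d\.\d{10,13}\.\d+\b/;

// Walk every SDP line and collect findings; returns [] for a clean description.
function auditSdp(sdp) {
  const findings = [];
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const c = parseCandidate(line);
    if (c && isLoopback(c.address) && inSuspectRange(c.transport, c.port)) {
      findings.push({ kind: "loopback-port-link", line, transport: c.transport, port: c.port });
    }
    if (/_fbp/.test(line) || FBP_VALUE.test(line)) {
      findings.push({ kind: "cookie-in-sdp", line });
    }
  }
  return findings;
}

// Policy a browser or extension could apply per candidate before it is used:
// refuse loopback candidates in the reported port ranges, leave others alone.
function shouldBlockCandidate(line) {
  const c = parseCandidate(line);
  return !!c && isLoopback(c.address) && inSuspectRange(c.transport, c.port);
}

// Constructed SDP sample: one ordinary LAN candidate, two loopback candidates
// inside the reported ranges, one loopback candidate outside them, and an
// ice-ufrag (assumed field) carrying a cookie-shaped value.
const SAMPLE_SDP = [
  "v=0",
  "o=- 4611731400430051336 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "a=group:BUNDLE 0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "c=IN IP4 0.0.0.0",
  "a=ice-ufrag:fb.1.1717000000000.123456789",
  "a=ice-pwd:constructedpassword0123456789",
  "a=candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host",
  "a=candidate:2 1 udp 2122194687 127.0.0.1 12581 typ host",
  "a=candidate:3 1 tcp 1518214911 127.0.0.1 12387 typ host tcptype passive",
  "a=candidate:4 1 udp 2122262783 ::1 9 typ host",
].join("\r\n");

// Stand-alone run: prints the three findings from the constructed sample.
console.log(auditSdp(SAMPLE_SDP));
```

On the constructed sample the auditor reports two `loopback-port-link` findings (UDP 12581 and TCP 12387) and one `cookie-in-sdp` finding; the `::1` candidate on port 9 is outside the reported ranges and is left alone, which is the point of keying the check on both the address and the port rather than blocking every loopback candidate.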

The Broader Privacy Impact

The technique reportedly used by Meta makes this one of the most invasive mobile surveillance practices uncovered in recent years.

The implications go beyond technical curiosity. Meta Pixel is embedded in over six million websites worldwide, and Facebook and Instagram collectively have billions of Android installs. That creates an enormous footprint for potential tracking.

What makes the situation even more troubling is the degree to which it challenges core assumptions about online privacy. Many of us want to believe that incognito mode or a VPN can shield us from monitoring, at least on a session level. But the researchers say this is no longer the case when Meta’s method is in play.

Traditional browser protections are designed to block remote trackers and prevent cross-site tracking. But this approach bypasses those layers entirely by keeping the communication local to the device. It leaves no trace in the network traffic visible to users or browser extensions.

The researchers argue that this constitutes a breakdown in privacy-by-design principles, allowing Meta to stitch together data across sessions and apps, undermining both transparency and consent.

Another big concern is what all of this says about platform accountability. As the research authors noted:

“Not only did Meta fail to inform website owners about this tracking method, it also ignored their complaints and questions. This kind of cross-platform tracking is unprecedented, and it’s especially surprising coming from two companies [Meta and Yandex] that serve billions of users worldwide.”

Regulatory Questions, Technical Gaps

European privacy law, as outlined in the GDPR, requires companies to seek explicit consent before processing personal data. It also mandates that data collection be proportionate and limited to what is necessary. Meta’s alleged port-linking approach raises questions on both counts.

Since the tracking happens locally, through Android’s internal systems, it may fall outside the typical scope of browser and server-based data protections.

To an extent, that leaves regulators in a difficult position. Enforcement becomes more complicated when the data never crosses a network in a way that’s easily observable or auditable.

While Meta may well dodge penalties, some browser vendors, including DuckDuckGo and Brave, are reportedly blocking Meta’s port-linking behavior. Others, including Google and Mozilla, have also reportedly placed restrictions on apps that use localhost and STUN servers in dubious ways.

But the fact that no meaningful response has come from Meta, even though many developers voiced their concerns on Facebook developer forums as far back as September 2024, raises serious questions about how seriously big tech takes accountability.

According to the researchers’ update of June 3, 2025, the Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice.

The Bottom Line

Online privacy is no longer just about what you share, but now about what your device shares without you knowing. Meta’s app-to-web port linking reveals how system-level tools can quietly collect data, even when users take steps to protect themselves.

Techniques like this operate beneath the surface, away from standard browser protections and beyond what users can see. They also fall outside the scope of many consent mechanisms that privacy laws are built on. This creates a growing gap between what users expect and what actually happens.

To close that gap, browser vendors, mobile platforms, and regulators need to step up their user privacy policies. If privacy controls are to carry any weight, they must work reliably and transparently across every layer of the system.

FAQs

Can Meta track me even if I’m using incognito mode or a VPN?

Is this app-to-web port link happening on iPhones?

Are regulators doing anything about Meta’s port linking technique?

Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. Apart from Techopedia, his writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock, and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.