Reading List
The most recent articles from a list of feeds I subscribe to.
Meta and Yandex Have Both Been De-Anonymizing Android Users’ Ostensibly Sandboxed Private Web Browsing Identifiers
A team of researchers has uncovered a scheme they’ve dubbed “Local Mess” — used by Meta since September 2024, and Russian search engine Yandex since 2017 (!) — to de-anonymize Android users’ web browsing across millions of websites that include Meta’s and Yandex’s respective tracking scripts. From their extensively detailed report:
These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.
This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity. [...]
The entire flow of the _fbp cookie from web to native and the server is as follows:
- The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged-in with their credentials on the apps.
- The user opens their browser and visits a website integrating the Meta Pixel.
- At this stage, websites may ask for consent depending on the website’s and visitor’s locations.
- The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
- The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
- The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running on the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users’ fbp ID (web visit) with their Facebook or Instagram account.
The same day the researchers published this report, Meta stopped doing it.
I’ve said it before but not in a while: Meta is a criminal enterprise. What they’ve done here may not have broken any laws, but there certainly should be laws against it. And in terms of simple common sense, the entire elaborate scheme only exists to circumvent features in Android meant to prevent native apps from tracking you while you use your web browser. Saying it’s not illegal doesn’t mean it isn’t theft. It’s like the privacy equivalent of Trump’s cryptocurrency grift, which might not violate any current laws, but clearly exists as a bribery scheme.
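One concrete check a practitioner can run against the flow quoted above: the page JavaScript can only reach the native app's listener if it hands WebRTC an ICE candidate aimed at loopback on one of the ports the report names (TCP 12387/12388, UDP 12580-12585). The snippet below is an added example, not code from the researchers' report or from Meta or Yandex, and it assumes only the standard `a=candidate:` line format of RFC 8839 and the port lists quoted above; the page does not describe how the `_fbp` value itself is encoded into the SDP, so the check flags candidates by destination, not by payload. The SDP sample is constructed for illustration.

```javascript
// Ports quoted from the report for the Facebook/Instagram background listener.
const LOCAL_MESS_PORTS = {
  tcp: new Set([12387, 12388]),
  udp: new Set([12580, 12581, 12582, 12583, 12584, 12585]),
};
const LOOPBACK = new Set(["127.0.0.1", "::1"]);

// Parse ICE candidate lines (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> ...
// Accepts both SDP form ("a=candidate:...") and RTCIceCandidateInit form ("candidate:...").
function parseCandidates(sdp) {
  const out = [];
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim().replace(/^a=/, "");
    if (!line.startsWith("candidate:")) continue;
    const f = line.slice("candidate:".length).split(/\s+/);
    if (f.length < 8 || f[6] !== "typ") continue; // malformed candidate, skip
    out.push({ transport: f[2].toLowerCase(), ip: f[4], port: Number(f[5]), type: f[7] });
  }
  return out;
}

// Candidates that would make the browser send STUN/ICE traffic to a loopback
// listener on one of the Local Mess ports.
function findLocalMessCandidates(sdp) {
  return parseCandidates(sdp).filter((c) => {
    const watched = LOCAL_MESS_PORTS[c.transport];
    return watched !== undefined && LOOPBACK.has(c.ip) && watched.has(c.port);
  });
}

// Wrap the RTCPeerConnection entry points a munged SDP has to pass through, so
// the loopback candidate is visible before the browser acts on it. Returns
// false when no RTCPeerConnection exists (e.g. under Node), true once installed.
function installSdpMonitor(report = (...a) => console.warn(...a)) {
  if (typeof RTCPeerConnection === "undefined") return false;
  const proto = RTCPeerConnection.prototype;
  for (const name of ["setLocalDescription", "setRemoteDescription"]) {
    const orig = proto[name];
    proto[name] = function (desc, ...rest) {
      const hits = desc && desc.sdp ? findLocalMessCandidates(desc.sdp) : [];
      if (hits.length) report(`${name}: loopback candidate on Local Mess port`, hits);
      return orig.call(this, desc, ...rest);
    };
  }
  const origAdd = proto.addIceCandidate;
  proto.addIceCandidate = function (cand, ...rest) {
    const hits = cand && cand.candidate ? findLocalMessCandidates(cand.candidate) : [];
    if (hits.length) report("addIceCandidate: loopback candidate on Local Mess port", hits);
    return origAdd.call(this, cand, ...rest);
  };
  return true;
}

// Constructed sample: one ordinary LAN candidate, one loopback candidate on a
// watched UDP port, one on a watched TCP port, and one loopback candidate on an
// unrelated port that must not be flagged.
const SAMPLE_SDP = [
  "v=0",
  "o=- 1 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "c=IN IP4 0.0.0.0",
  "a=ice-ufrag:abcd",
  "a=ice-pwd:efghijklmnopqrstuvwxyz",
  "a=candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host",
  "a=candidate:2 1 udp 2122260222 127.0.0.1 12580 typ host",
  "a=candidate:3 1 tcp 1518280447 127.0.0.1 12387 typ host tcptype passive",
  "a=candidate:4 1 udp 2122260221 127.0.0.1 40000 typ host",
].join("\r\n");

installSdpMonitor(); // no-op outside a browser
console.log(findLocalMessCandidates(SAMPLE_SDP));
```

Run in a browser console (or from an extension content script that executes before page scripts), `installSdpMonitor()` warns whenever a pixel hands WebRTC a candidate pointing at loopback on the listed ports; on the sample it flags the UDP 12580 and TCP 12387 candidates and ignores the LAN and port-40000 ones. Two caveats: the port lists are only what the report quotes for Meta's apps, so a quiet monitor says nothing about other apps or other ports, and since Meta stopped the day the report was published, a current device may legitimately show nothing at all.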
Trump Administration’s ‘MAHA’ Report Cites Studies That Don’t Exist
Emily Kennard and Margaret Manto, reporting last week for NOTUS (“News of The United States” — a seriously good up-and-coming national affairs publication):
Health Secretary Robert F. Kennedy Jr. says his “Make America Healthy Again” Commission report harnesses “gold-standard” science, citing more than 500 studies and other sources to back up its claims. Those citations, though, are rife with errors, from broken links to misstated conclusions.
Seven of the cited sources don’t appear to exist at all.
Shocking that these dipshits would generate their report with whatever came out of an LLM and not actually check — let alone, you know, read — the cited studies.
Joz Teases WWDC on X
Hard not to see the invitation and this new animation as a hint that the much-rumored UI redesign/refresh is, indeed, going to be glassy.
James Dyson Proves That Live On-Stage Demos Are Still the Best
Dyson:
Join James Dyson as he introduces the new Dyson PencilVac Fluffycones cleaner. Our latest, most advanced floorcare technology — now available in Japan.
Nine minutes, short and sweet. I watched the whole thing and loved it. If it had been pre-recorded, I bet I wouldn’t have gotten more than two or three minutes into it, even though the video would have been more polished. There’s just something compelling about a live demo, even when you’re watching on YouTube.
(The new PencilVac looks cool too, but it seems too good to be true. I’ll be interested to hear from reviewers whether it, uh, actually sucks or kinda sucks.)
One Week From Tonight: The Talk Show Live From WWDC 2025
Location: The California Theatre, San Jose
Showtime: Tuesday, 10 June 2025, 7pm PT (Doors open 6pm)
Special Guest(s): Definitely, but keep in mind what I announced last week
Price: $50
I’ll have more to announce about the show soon, but one week out, I just want to remind everyone that tickets are on sale now, and selling at about the same pace as the last two years. (In 2018 and 2019, when WWDC was a real in-person conference in San Jose, tickets sold out almost instantaneously.)
Also: at least one sponsorship slot is still available. If you’ve got a product or service you’d like to see me promote at the start of the show, shoot me an email.