Latest news with #MetaPixel


Arabian Post
4 days ago
Meta and Yandex Exploited Android Loophole to Track Users Across Browsers and Apps
Meta and Yandex have been found to exploit a loophole in Android's architecture, enabling them to de-anonymize users' web browsing activities by linking them to persistent app identities. This tracking method bypasses standard privacy protections, including incognito mode and cookie clearing, raising significant concerns about user privacy.

Researchers from Radboud University, IMDEA Networks, and KU Leuven discovered that Meta's Pixel and Yandex's Metrica tracking scripts, embedded in millions of websites, communicate with their respective Android apps via the device's localhost interface. This communication allows the apps to receive browsing data directly from the browser, effectively linking web activity to user identities within the apps.

The tracking mechanism operates by having the browser-based scripts send data to specific ports on the localhost interface, where the apps are listening. For instance, Meta's apps listen on UDP ports 12580–12585, while Yandex's apps use ports 29009, 29010, 30102, and 30103. This setup enables the apps to collect browsing data, including cookies and metadata, even when users employ privacy measures like incognito mode or VPNs.

Meta began implementing this method in September 2024, while Yandex has utilized a similar approach since 2017. The widespread use of Meta Pixel and Yandex Metrica—estimated to be present on 5.8 million and 3 million websites respectively—suggests that a vast number of Android users could be affected.

The discovery has prompted responses from major browser developers. Google has initiated an investigation and is working on mitigations to prevent such tracking techniques. Mozilla is also developing solutions to protect Firefox users on Android from this invasive tracking. Meta has paused the functionality in question and is in discussions with Google to address the issue.

Privacy advocates and experts have expressed alarm over the findings. The method's ability to circumvent standard privacy controls and its potential to be used by malicious actors for surveillance underscore the need for stricter enforcement of privacy standards and greater transparency from tech companies regarding data collection practices.

The Hindu
4 days ago
Meta and Yandex violating privacy of Android users to track data: Report
A group of researchers have found that Meta and Russia-based search engine Yandex are bypassing privacy protections to track Android user data too closely. A report by Ars Technica has cited the findings saying that the tracking code embedded by Meta and Yandex into websites was sending unique identifiers from web browsing data to localhost ports using native apps installed on a device.

'These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites,' the researchers noted. 'These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets.'

The native apps were able to link mobile browsing sessions and web cookies to user identities since they handle device identifiers like the Android Advertising ID and user identities on Facebook and Instagram.

Sandboxing is one of the primary ways to secure user data by isolating processes and preventing them from interacting with the OS or any other apps installed. Yandex and Meta started breaking the sandbox and bypassing it in 2017 and last September respectively.

The researchers also found that the trackers, Meta Pixel and Yandex Metrica, were targeting only Android users, which unlike iOS has fewer restrictions in the app store as well as on the background executions of mobile apps.

Google responded to the report saying they are investigating the violations and that the companies used 'capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles.'


The Guardian
08-02-2025
Revealed: gambling firms secretly sharing users' data with Facebook without permission
Gambling companies are covertly tracking visitors to their websites and sending their data to Facebook's parent company without consent in an apparent breach of data protection laws. The information is then being used by Facebook's owner, Meta, to profile people as gamblers and flood them with ads for casinos and betting sites, the Observer can reveal. A hidden tracking tool embedded in dozens of UK gambling websites has been extracting visitors' data – including details of the webpages they view and the buttons they click – and sharing it with the social media company. By law, data should only be used and shared for marketing purposes, with explicit permission obtained from users on the websites in which the tools are embedded. But testing by the Observer of 150 gambling sites – including virtual casinos, sports betting sites and online bingo – found widespread breaches of the rules. This weekend, Iain Duncan Smith, the Conservative chair of the all-party parliamentary group on gambling reform, called for an 'immediate intervention'. He said: 'The use of tools such as Meta Pixel without explicit consent seems wholly in breach of the law and should be immediately stopped. The gambling industry's marketing practices are now out of control, and our regulatory structure and codes of practice are repeatedly shown to be inadequate. This cannot go on.' Wolfie Christl, a data privacy expert who has investigated the ad tech industry, said: 'Sharing data with Meta is highly problematic, even with consent, but doing so without explicit informed consent shows a blatant disregard for the law. 'Meta is complicit and must be held accountable. It benefits from facilitating problematic and unlawful data practices for its clients and systematically looks the other way, using its terms and conditions as a shield rather than seriously enforcing them.' 
Of 150 websites tested by the Observer, 52 shared data automatically via the Meta Pixel tracking tool without explicit consent, according to analysis of network traffic. The sites found to have transmitted data to Facebook without permission included Hollywoodbets, Sporting Index, Bwin, Lottoland, 10Bet and Bet442. The data transfer happened automatically on loading the webpage, before the person clicked to agree or decline marketing. At no point during the testing did the reporter agree to the use of their data for marketing. In the days afterwards, they were bombarded with Facebook ads for gambling websites, indicating that they had been profiled by Meta as someone interested in gambling as a result of the unlawful data sharing. In a single browsing session, they were shown gambling ads from 49 brands – not just websites that had shared their data unlawfully, but others too. This included betting companies that were unaware of the unlawful data sharing and whose own use of Meta Pixel was within the rules – among them, Ladbrokes, Sky Bet, BetVictor, Tombola and Bet365 - as well as dozens of smaller brands. The offers included free bets, a 'new players offer' with a 200% bonus and a 'gold blitz' with the chance to 'win up to 5,000 times your bet'. Details of the data sharing and profiling come amid calls for a wider investigation into targeting of gamblers. In September, the Information Commissioner's Office (ICO) issued a reprimand to Bonne Terre Ltd, trading as Sky Betting & Gaming, for unlawfully processing people's data through advertising cookies without their consent. The brand said at the time it regretted a 'technical error', which had been rectified. As the Observer reported last week, in a separate case, Sky Betting & Gaming collected hundreds of thousands of pieces of data about a problem gambler who was sent more than 1,300 marketing emails. 
The high court found the data use unlawful, ruling that the compulsive nature of the man's gambling meant his ability to give consent was impaired. The company said it had made significant changes since the claimant's experience in 2017-19 but 'fundamentally disagrees' with the ruling and is considering an appeal. The Gambling Commission has announced measures to prohibit cross-selling, where companies target existing customers with ads for other parts of their business. But there is nothing to prevent brands relying on profiling by third parties such as Meta to try to recruit new customers. Meta did not comment on the Observer's findings but pointed to its terms and conditions, which stipulate that companies should obtain consent before sending it data. 'We educate advertisers on properly setting up business tools,' a spokesperson said. The Liberal Democrat peer Don Foster, chair of Peers for Gambling Reform, said: 'It is critical that gambling companies and online platforms act lawfully, and it is concerning to see evidence of continued unlawful practices.' Prof Heather Wardle, a gambling research specialist at Glasgow University, said: 'This kind of untamed marketing is hugely risky. If you are already experiencing difficulties from gambling, it is likely to make you gamble more.' The Observer has previously reported on the misuse of Meta Pixel in other sectors, including by NHS trusts that were inadvertently sharing sensitive health data. The ICO said last year that it was conducting a 'wide-ranging review' of tracking pixels, which must be used 'fairly, lawfully and transparently', and that it would 'not hesitate' to take enforcement action if needed, which can include fines of up to £500,000. 'Too often, there is a lack of accountability for how these tools collect and use people's personal information, with poor transparency and deceptive design,' a spokesperson said. 
After being contacted by the Observer, several gambling operators updated their websites to prevent automatic data sharing – or removed the Meta Pixel tool altogether. One betting brand, Bwin, a previous sponsor of Real Madrid and the Uefa Europa League, shared data on people visiting a promotional page for a £20 free bet. The data sharing happened automatically on loading the website, without the person being asked for consent. A Bwin spokesperson said: 'Due to an internal error, the promotional page was not fully aligned with other group sites. We are deeply committed to ensuring that personal data is handled appropriately and have taken immediate action to rectify the issue.' Twenty-six websites operating under the licence of gambling group AG Communications appeared to be sharing data with Meta automatically and without explicit consent, including Bet442, King Casino, 666 Casino and 24Spin. A representative said it took compliance with its obligations extremely seriously. Another company, Hollywoodbets, which sponsors Premier League club Brentford, showed website visitors a consent banner telling them that it shared data with its 'social media, advertising and analytics partners' – and giving them the option to 'allow all'. But the Observer's testing found that even if the person did not click accept, data was shared with Meta, including details of which pages they viewed and the buttons they clicked. The person was subsequently shown Facebook ads for Hollywoodbets, and Meta's activity logs showed that data had been received from the website. A representative of Hollywoodbets said it complied with all regulatory requirements but declined to comment further. Lottoland, which says it has 20 million customers, declined to comment. 
Its website includes a banner that appears to give people the option to 'accept all' or 'reject nonessential' tracking. But the Observer's testing found that it sent data to Meta before the website visitor had indicated their choice. Sporting Index and 10Bet did not respond to comment requests. The Betting and Gaming Council, which represents the industry, said: 'Advertising must comply with strict guidelines, and safer gambling messaging is regularly and prominently displayed. The previous government stated that research did not establish a causal link between exposure to advertising and the development of problem gambling.' The Gambling Commission, which regulates betting companies, said: 'Operators may only collect and use data to attract custom in ways that are lawful and in compliance with data protection legislation, and their focus should be on preventing gambling harm. Questions around data protection are a matter for the ICO.' Flutter, which owns several brands that served ads on Facebook but did not share data with Meta unlawfully, said it had 'acted appropriately and gained consent at all times'. Bet365 declined to comment but is understood to deny setting up marketing campaigns that specifically target users of other gambling websites. The other advertisers did not comment.


The Guardian
08-02-2025
We didn't click 'consent' on any gambling website. So how did Facebook know where we'd been?
A Facebook user logs into their account and is bombarded with dozens of gambling ads. The promotions for online casinos and betting sites offer free spins, 'bet boosts', discounts and bonuses. But the person has never placed a bet or played a game on a gambling site before – let alone consented to being targeted. How can that happen? The Observer conducted an experiment to find out how potential gambling customers are being tracked, profiled and targeted online. To do this, we visited 150 gambling websites run by companies with licences to operate in the UK. First, we took a note of whether the website asked for consent to use data for marketing purposes. Then, without clicking to 'agree' or 'decline' the use of any data, we looked at the network traffic. By doing this – and using an official Meta application called Pixel Helper – we were able to see a record of the data being shared with Facebook's parent company, Meta. In many cases, no data was shared. But in about a third of cases, the testing found that a tracking tool called Meta Pixel had been embedded into the website – and was being triggered automatically upon loading the webpage. This was sending a report to Facebook about which webpages we had visited, linked to a unique user ID. In some cases, Facebook was also sent data on which buttons we had clicked, and other browsing activity. One site told Facebook when we clicked a button indicating we might place a bet on the Everton v Liverpool match scheduled for next week. Another told Meta that we had clicked to view a promotion for 100 free spins. At no point did we ever click to 'agree' or 'accept' the use of our data for marketing – or consent to it being shared. But when we logged back into Facebook a few days later, the feed was full of gambling ads. These ads were from a range of brands – including many whose own data-sharing practices had not broken any rules. 
This is because once data is shared with Meta, it is ingested into its targeted ads system and is used to profile people based on the things Meta thinks they like. That means Meta can then sell ads to companies wanting to target a particular audience – whether that is pet owners, women seeking fertility treatment, people who love Taylor Swift, or potential gambling customers. Advertisers can also target potential new customers that Meta thinks will be interested in their brand, including 'lookalike' customers who have been profiled by the social media giant as being similar to their existing customers based on things such as their demographic characteristics, interests and behaviour. In the Observer's testing, the Facebook user had also been profiled as someone interested in 'real money gaming', according to account records – so it's possible that ads could have appeared as a result of targeting in this way. The investigation raises serious questions for regulators about how they are monitoring marketing practices of this sort. During the testing, we noticed that many of the gambling sites sharing data unlawfully had automatic opt-in consent processes that assume people are happy for their data to be shared based on the mere fact that they are using the website. One consent banner read: 'We use cookies to provide you with a better browsing experience. If you continue to use this website we assume you are OK with this.' This appears to be in breach of data protection regulations. The ICO says consent must be both 'unambiguous and affirmative', and that relying on pre-ticked boxes or a failure to opt out is insufficient. Yet the practice is widespread. There are also questions about the role of Meta – which profits from selling ads using data transmitted to it, even in cases where it was shared unlawfully. We have previously written about how other organisations – such as police forces, NHS trusts and a political party – misused Meta Pixel to track website users. 
In some cases they shared data with Meta on sensitive things such as health problems and reporting crimes. But the barrage of gambling ads that were served on Facebook as a result of this testing was far more intense than anything we had seen before. Heather Wardle, professor of gambling research at the University of Glasgow, said the 'untamed marketing' was 'hugely risky'. 'If you are already experiencing difficulties from gambling, it is likely to make you gamble more,' she says. Meta did not comment on the findings, but says its terms stipulate that companies should obtain consent before sending it data. 'We educate advertisers on properly setting up business tools,' a spokesperson said.