Nijmegen researcher discovers Facebook’s hidden tracking system: ‘This is very invasive and impudent’
Photo: Creative Commons/Yuri Samoilov
While preparing for a lecture, Gunes Acar discovered something that the tech guys at Google had overlooked. Facebook was concealing the fact that they were collecting information from Android users. Also from visitors to the Radboud University website.
While preparing his Online Tracking and Privacy course, Assistant Professor of Digital Security Gunes Acar became curious about what happens to the data of visitors to Radboud University’s site. He thought looking into this might provide a good example that he could share in his lectures.
Acar has the technical know-how needed to impersonate visitors to websites with various devices. ‘When I pretended to be a visitor with an Android device, I saw a mysterious request to send data to the localhost,’ says Acar in his office in the Mercator building. ‘The localhost is the device on which you visit the site. That data request was strange because as a rule no data from sites go to the localhost.’
Meta Pixel
The Meta Pixel on RU.nl
Facebook’s tracking came to light via what is known as the Meta Pixel on RU.nl. The pixel from Facebook or Instagram gives the Meta company permission to track visitors. Radboud University’s site also links to TikTok, Snapchat and YouTube. (Voxweb also uses the Meta Pixel; we are currently investigating whether it can be removed since we do not advertise on these platforms, Eds.).
What this means is that Radboud University exposes all visitors and certainly students who need to visit the site for their studies to tracking without properly informing them about it, Acar argues. The University may choose to no longer allow this. Bart Jacobs, professor of Computer Security, Privacy & Identity, also strongly opposes tracking on the University’s site. ‘Radboud University is handing its visitors over to these plundering companies, which only care about commercial and political manipulation.’ Years ago, Jacobs already asked for the webpage of his research institute (iHub) to be ‘spared from links to corrupt social media platforms’, but his request was turned down. Which is why iHub now runs its own website.
Through its spokesperson, the University has communicated that it is currently looking into discontinuing the pixel method on the site. ‘We always look critically at the use of tracking methods. However, we depend on these platforms for our marketing because our target audiences use them and we want to know how our campaigns are doing,’ the spokesperson said.
The request turned out to come from Facebook. Like many other sites, RU.nl uses bits of code that make it possible to link visitors’ browsing behaviour to campaigns on social media. By installing the relevant pixel (Meta Pixel, Snap Pixel, TikTok Pixel, and so on), the platforms get permission to collect information about the browsing behaviour of visitors to the site. For example, anyone searching for information about the Psychology study programme on RU.nl might see ads for the same study programme at Radboud University on Facebook and Instagram, the platforms of parent company Meta (see box).
By sending the information to the localhost (see here for a detailed technical explanation), Meta bypasses attempts by users to go online anonymously. Users wishing to protect their privacy online can use VPNs or their browser’s incognito mode, for example. However, with Meta’s method, this has no effect.
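A defender's check for the behaviour described above, as an added example that is not part of the original article or the researchers' tooling: it scans a browser HAR capture for requests that a non-local page sends to the visiting device itself. The sample capture, host names and port numbers are constructed, and reading the page URL from the HAR `title` field is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

def is_loopback_host(host):
    """True for 'localhost', '*.localhost' and any loopback IP literal."""
    if not host:
        return False
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name

def find_loopback_requests(har):
    """List requests to the visiting device made by pages that are not local."""
    # Assumption: each page's "title" holds the page URL.
    pages = {p["id"]: p.get("title", "") for p in har["log"].get("pages", [])}
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        target = urlsplit(req["url"])
        if not is_loopback_host(target.hostname):
            continue
        page_url = pages.get(entry.get("pageref"), "")
        if is_loopback_host(urlsplit(page_url).hostname):
            continue  # a locally served page talking to itself is expected
        findings.append({"page": page_url, "method": req["method"],
                         "host": target.hostname, "port": target.port})
    return findings

def _entry(pageref, method, url):
    return {"pageref": pageref, "request": {"method": method, "url": url}}

# Constructed capture: hosts, paths and ports are made up for illustration.
SAMPLE_HAR = {"log": {
    "pages": [{"id": "p1", "title": "https://university.example/programmes"},
              {"id": "p2", "title": "http://localhost:3000/"}],
    "entries": [
        _entry("p1", "GET", "https://university.example/programmes"),
        _entry("p1", "GET", "https://tracker.example/pixel.js"),
        _entry("p1", "POST", "http://127.0.0.1:12345/collect"),
        _entry("p1", "GET", "http://[::1]:12346/ping"),
        _entry("p2", "GET", "http://localhost:3000/api/items"),
    ]}}

if __name__ == "__main__":
    for f in find_loopback_requests(SAMPLE_HAR):
        print(f"{f['page']} -> {f['method']} {f['host']}:{f['port']}")
```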
Invisible tracking
Acar chooses not to comment on Meta’s intentions. ‘As researchers, we do not speculate on the intentions of companies,’ he explains. ‘But in this particular case, I find it striking that this form of tracking had already been noticed by site developers, as I read on forums. Questions from these developers were not answered by Meta at the time. After a month, the tracking disappeared – or so they thought. However, Meta had simply switched to a less conspicuous tracking method. It does make you wonder, if this is legal, why they didn’t just offer an explanation instead of switching to a less visible method.’
‘I was also struck by how Meta’s script worked. Even if you were not using their applications, had them turned off, or did not give permission to track, the application continued to collect data in the background while you were using your phone.’
As they expanded their investigation, the group of researchers, which Acar had by now formed with colleagues from KU Leuven and Spain’s IMDEA Networks, found out that the Russian company Yandex, best known for their search engine, was also deploying this kind of hidden tracking on Android. While Facebook had started using this method in September 2024, Yandex had apparently been doing so since 2017. On the day the researchers announced the news of their discovery, both Meta and Yandex discontinued the technique.
The discovery by Acar’s research team was news even to Google, the company behind Android. ‘They reacted very angrily and called it a gross violation of their rules,’ Acar says. ‘We have to assume that Google, despite all the knowledge they have, was not aware that Meta was doing this on their equipment.’
Acar himself was also surprised by the technique he discovered. ‘This way of collecting data is very invasive and impudent. I now take into account more extreme possibilities when it comes to data collection.’
For some computer users, it matters little what a company like Meta knows about them. Still, Acar warns against data collection. ‘Facebook recently had to submit data and private messages to the US Justice Department for the prosecution of women who had had abortions.’
Vidi
A Vidi grant from the Dutch Research Council (NWO) will allow Acar to continue his research on digital security for the next five years. With this money, he plans to launch the Web Security and Privacy Observatory (WeSPO). ‘We want to use the observatory to expose areas where digital security is at risk. For example, many data and credit card details of British Airways consumers were stolen after they started using a third-party application on their site.’