Tracking in Plain Sight: The Hidden Web-to-App Surveillance You Never Agreed To

As one of the first posts associated with the new rollout of ZNS, the following topic is so blatantly wrong that it would be impossible for me to avoid writing about it. The scary thing about this as well is that it seems largely absent from mainstream media. If you are one to pay attention to the privacy settings on your phone, how would you feel if a company just found a way around them, intentionally avoiding settings you dictated in order to collect your browsing history and tie that directly to an account you have with them? Unfortunately, I believe until there is some sort of stronger legal accountability for these types of actions, efforts like this to collect private data will continue. Let’s dive in.

Meta and Yandex are covertly tracking users by exploiting legitimate browser capabilities

Meta is the overarching company associated with Facebook, Instagram, Messenger and WhatsApp. Yandex, on the other hand, is a Russian company that provides services such as a web browser, search engine, and online shopping, among others. Both of these companies are fairly significant as technology companies. As of today’s writing, Meta is worth approximately $1.84 trillion. Yandex is a bit harder to nail down as it is a Russian company, but I would wager the valuation is also fairly high. Both of these companies used a technical workaround that allows JavaScript on websites to silently communicate with native Android applications like Facebook and Instagram on the same device, bypassing standard security and privacy settings. It is definitely a novel – and inappropriate – way of obtaining user data.

Linking anonymous web activity to real-world identities

Many people might be familiar with the word cookie these days when it comes to Internet use. If you’re not, though, a cookie is simply a small piece of data created by a web server that is stored on your device. When you log in to a website, come back to visit it later, and it remembers you so you don’t have to log in again, that is a cookie in action. Cookies have plenty of good uses.

In this instance, however, both Meta and Yandex were using an ability to transmit identifiers like a cookie from a web browser to their native application on the device. By doing so, both Meta and Yandex de-anonymize users and link browsing history directly to their logged-in application accounts. According to an article published last month by Ars Technica, “This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users.” Meta Pixel and Yandex Metrica are the actual analytics scripts that help advertisers. These scripts that were passing off browsing data to applications installed on a device “are estimated to be installed on 5.8 million and 3 million sites, respectively” (Ars Technica).

To summarize, Android users who visited any one of 5.8 million websites and had Facebook or Instagram on their phone had their browsing data pulled and provided to those applications even if they had strict application privacy settings. Based on the reading I have done so far on the topic, it does not look like iOS users were impacted but the capability to implement something like this is there even for those with an iPhone.

It’s a misuse of legitimate browser capabilities, not a fixable bug

The technique takes advantage of an intentional, system-supported mechanism used for valid development and application communication. This is an important point in all of this. Neither Meta nor Yandex hacked anything. The capability they used for this purpose has valid uses. What they did, however, was take a capability that many applications need to function properly, and turn it into a spying mechanism on customers.

The technique circumvents all conventional privacy protections

The tracking method bypasses cookie deletion, Incognito Mode, Android permission systems, and browser anti-tracking tools designed to silo cookies and prevent cross-site profiling. This even bypasses using a VPN. There is no way, using a device’s settings or permissions, to prevent this from occurring. One option would have been to delete apps like Facebook from a user’s phone, but in order to do so, a user would need to know this was happening in the first place. Given the way this was occurring, it would have been impossible to know, as there was no “option” on a device to turn it on or off. Fortunately, there are security researchers who look into applications and how they work in support of the public’s best interest.

The scale and stealth of this system raise serious ethical concerns

With tracking scripts deployed on millions of websites that provide this capability to Meta and Yandex applications, and no user visibility or consent, this approach represented a widespread and deliberate violation of user privacy and trust—designed to sidestep all modern safeguards. Supposedly, once this activity was disclosed, Meta paused it while it worked with Google, claiming it misunderstood policies. Google, for its part, in looking over the Play Store, noted that Meta and Yandex’s actions violate its policies.

Time will tell what will happen in the future but I believe this highlights that the public needs continued information on these types of actions. That way individuals can make informed decisions about the devices and applications they can trust (if any).

A Fresh Start

There is something refreshing to a sort of “Spring cleaning” even if it is done in the middle of summer. This project was actually born back in 2023. Over the last two years, I have put some additional thought into the direction I want this whole idea to head toward. Not only that, but a branding update was necessary due to wanting something more original. With that in mind, this is my fresh start.

The end goal of ZNS is the same, though, even two years later. I want to help people see through the technical complications of both digital security and privacy. The story started long ago for me when I was in Best Buy and overheard some shoppers trying to pick a new home wireless router. Hearing the father talk to his son, it was clear this was not their area of expertise. The different WiFi versions, buzzwords of “gaming” and “lightning fast” across the various options, none of it helped them. They did not really know what they needed or even should buy, so a Best Buy representative stepped in to help narrow down their search.

Tech is here to stay.

In today’s world, technology is a fact of life. From the little computers we carry every day in our pockets that double as phones, to so many home devices now connecting to the Internet to provide convenience, our connectivity is here to stay. In fact, many would argue it will only get more and more involved. This got me thinking, how should normal people protect themselves and their families from those that would do them digital harm? There is already a lot to keep up with just living, right?

Security concepts are increasingly difficult things to keep on top of, not to mention master – if at all. Many security posts and articles, whether about a recent hacker exploit or another business losing its data, are written in such a way that only a computer science student or someone in the industry would even understand them. What about the ordinary person? What about someone’s mother or father, or even their grandparents? Shouldn’t they also have the ability to more easily understand computer and network security? Or, if the article is directly from a news source like CNN or Fox News, it will lack actionable information. Neither perspective, super detailed or general news, might be particularly helpful for understanding.

The road ahead.

It is with those ideas in mind that this website was born. I wanted to find a place where I could provide information so that it just might help someone’s family be better protected in the digital age we live in. Clearly, to fully understand some things you need knowledge and experience in that field. But I hope I can provide a bit of a translation layer between the really detailed things and a solid foundation that an ordinary person can understand. If only one person reads an article on ZNS and becomes more informed and educated about digital security and privacy, then my effort was worth it.