
@ Enki
2025-06-12 14:54:32
I'm just going to leave this quote here. This is a transcript from a podcast I listen to. They were talking about something that Facebook was discovered doing recently. Facebook knew they fucked up, and as soon as this got called out by researchers they immediately turned it off. I know most people here probably don't use Facebook, and if you still do, here's a highly good reason not to, because you're literally just a product to these people and they will do any underhanded thing to track you and sell your behavior to the highest bidder. Here's how the tracking thing worked. And in case it wasn't clear, this bypasses any user-expressed forms of privacy:
"1. In their normal course of use, the user opens their native Facebook or Instagram app on
their device. The app is eventually switched away from, is sent to the background, and
creates a background service to listen for incoming traffic on a TCP port (12387 or 12388)
and a UDP port (the first unoccupied port in the range 12580-12585). Users must be
logged-in with their credentials on the apps.
2. The user opens their web browser and visits any one of 5.8 million websites integrating the
Meta Pixel.
3. Websites may ask for consent depending on the website's and visitor's locations.
4. The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app using
WebRTC protocol.
5. The Meta Pixel script simultaneously sends the _fbp value in a request to
https://www dot facebook dot com/tr (gee, do you think “tr” might be short for “track”?). The URL’s
query tail contains other parameters such as page URL (dl), website and browser metadata,
and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
6. The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript
running on the browser. The apps transmit _fbp to https://graph dot facebook dot com/graphql
along with other persistent user identifiers, linking users' fbp ID (web visit) with their
Facebook or Instagram account.
According to Meta’s Cookies Policy, the _fbp cookie “identifies browsers for the purposes of
providing advertising and site analytics services and has a lifespan of 90 days.” The cookie is
present on approximately 25% of the top million websites, making it the 3rd most common
first-party cookie of the web, according to Web Almanac 2024.
A first-party cookie implies that it cannot be used to track users across websites, as it is set
under the website’s domain. That means the same user has different _fbp cookies on different
websites. However, the method we disclose allows the linking of the different _fbp cookies to
the same user, which bypasses existing protections and runs counter to user expectations.
So just to be clear, this entire surreptitious surveillance system was specifically designed to
explicitly and deliberately bypass not only all user-expressible anti-tracking wishes, but also to
circumvent all of the work the browser vendors have invested in to limit cross-site tracking. This
neatly circumvents all of the explicit 1st-party domain-tied cookie isolation and stovepiping that
our web browsers have added specifically to prevent the abuse of the original cookie system.
Let me be very clear about this: There can be no other reason for this. Based upon the behavior
of this system which these researchers have observed, there can be no other reason for this. It
is entirely indefensible."
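
Added example, not part of the post or the quoted transcript: a check for sockets bound to the TCP and UDP ports named in step 1, run over text in the Linux `/proc/net/tcp` and `/proc/net/udp` layout. The function name `find_listeners` and the sample rows are constructed for illustration, and a Linux-style socket table is an assumption about the device.

```python
# Added example: flag sockets bound to the ports named in the quoted write-up.
# Input is text in the Linux /proc/net/tcp or /proc/net/udp layout (assumed).

TCP_PORTS = {12387, 12388}            # TCP ports named in step 1 of the quote
UDP_PORTS = set(range(12580, 12586))  # UDP range 12580-12585 from step 1
TCP_LISTEN = "0A"                     # kernel state code for LISTEN

def find_listeners(table_text, proto):
    """Return (proto, port, uid) for each socket bound to a watched port."""
    watched = TCP_PORTS if proto == "tcp" else UDP_PORTS
    hits = []
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows start with "N:"; the header row does not.
        if len(fields) < 8 or not fields[0].rstrip(":").isdigit():
            continue
        local, state, uid = fields[1], fields[3], fields[7]
        port = int(local.rsplit(":", 1)[1], 16)  # port is hex after the last ':'
        if port not in watched:
            continue
        # TCP: listening sockets only. UDP has no LISTEN state,
        # so any socket bound to a watched port counts.
        if proto == "tcp" and state != TCP_LISTEN:
            continue
        hits.append((proto, port, int(uid)))
    return hits

# Constructed sample rows (not captured from a real device).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 40001
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10111        0 40002
   2: 0100007F:3064 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000 10234        0 40003
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 40004
   1: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1020        0 40005
"""

if __name__ == "__main__":
    for hit in find_listeners(SAMPLE_TCP, "tcp") + find_listeners(SAMPLE_UDP, "udp"):
        print("watched port bound: proto=%s port=%d uid=%d" % hit)
```

The `uid` column is what ties a bound port back to the process owner, so a hit can be matched against the installed app that holds that uid.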