“Localhost tracking” explained. It could cost Meta 32 billion.
You just can't finish off Zuckerberg.
What happened?
Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.
Next, we preview what may (and should) become the combined sanctioning smackdown of the century, and then we explain — in simple terms (because it’s complicated) — what Meta was doing.
It smells like record fine spirit
Meta faces simultaneous liability under the following regulations, listed from least to most severe: GDPR, DSA, and DMA (I’m not even including the ePrivacy Directive because it’s laughable).
GDPR, DMA, and DSA protect different legal interests, so the penalties under each can be imposed cumulatively.
The combined theoretical maximum risk amounts to approximately €32 billion (4% + 6% + 10% of Meta’s global annual revenue, which surpassed €164 billion in 2024).
Maximum fines have never before been applied simultaneously, but some might say these scoundrels have earned it.
You’re reading ZERO PARTY DATA, the newsletter about the crazy, crazy news of the world, seen from a data protection perspective, by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter leaves us, we like to solve complicated issues about GDPR & AI Act. If you’ve got one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
What is “localhost tracking”?
Below is a simplified explanation of a very technical process, rigorously detailed on the website set up by the researchers who uncovered Meta’s latest major blow to the GDPR specifically, and to other regulations more broadly, as we’ll see.
Credit where it’s due — it’s ingenious. Ingenious in the sense of breaking (yet again) the record for a privacy-related fine, but hey!... ingenious.
This is the process through which Meta (Facebook/Instagram) managed to link what you do in your browser (for example, visiting a news site or an online store) with your real identity (your Facebook or Instagram account), even if you never logged into your account through the browser or anything like that.
Meta accomplishes this through two invisible channels that exchange information:
(i) The Facebook or Instagram app running in the background on your phone, even when you’re not using it.
(ii) Meta’s tracking scripts (the now-pulled illegal brainchild uncovered last week), which operate inside your mobile web browser.
Thanks to the outstanding human beings who revealed this scandal: Tim Vlummens, Narseo Vallina-Rodriguez, Nipuna Weerasekara, Gunes Acar, and Aniketh Girish.
The entire flow of the _fbp cookie from web to native and the server is as follows:
The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged-in with their credentials on the apps.
The user opens their browser and visits a website integrating the Meta Pixel.
At this stage, websites may ask for consent depending on the website's and visitor's locations.
The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running on the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users' fbp ID (web visit) with their Facebook or Instagram account.
I'll explain it step by step, like you're five years old
If I understood it, you can too — trust me.
Step 1: The app installs a hidden "intercom"
“The user opens the native Facebook or Instagram app, which eventually goes into the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first free port between 12580 and 12585). Users must have logged in with their credentials in the apps.”
Translation:
You open the Facebook or Instagram app like normal.
Then you go do something else on your phone (the app remains running in the background).
Without telling you, the app keeps running and “listens” for traffic — like having a hidden microphone eavesdropping on internal calls.
Technically, it does this by opening local network “ports” (like little internal doors in your phone) through which it can receive messages.
It’s important to clarify that this only happens if you've already logged into those apps with your account.
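A defender-side check for Step 1, added here as an example (it is not code from the newsletter or the researchers): it parses `/proc/net/tcp6` and `/proc/net/udp6` dumps taken from an Android device (assumed: captured with `adb shell cat`) and reports which app UID owns sockets on the ports quoted above. The sample rows are constructed; the `pm list packages -U` follow-up mentioned in the comments is an assumption.

```python
# Added defender-side check, not from the newsletter or the researchers' write-up.
# Reads /proc/net/tcp6 and /proc/net/udp6 dumps (e.g. captured with `adb shell cat`)
# and flags sockets on the ports quoted in Step 1.  Sample rows below are constructed.
TCP_PORTS = {12387, 12388}
UDP_PORTS = set(range(12580, 12586))      # 12580-12585 inclusive
TCP_LISTEN = "0A"   # kernel socket state LISTEN in /proc/net/tcp*
UDP_OPEN = "07"     # state shown for a bound, unconnected UDP socket in /proc/net/udp*

def parse_proc_net(text):
    """Yield (local_port, state, uid) for each socket row of a /proc/net/{tcp,udp}{,6} dump."""
    for line in text.splitlines()[1:]:           # first line is the column header
        cols = line.split()
        if len(cols) < 8:
            continue
        # cols[1] is the local address as HEX_IP:HEX_PORT; cols[3] the state; cols[7] the owning uid
        port = int(cols[1].rsplit(":", 1)[1], 16)
        yield port, cols[3], int(cols[7])

def suspicious_listeners(tcp_text, udp_text):
    """Return {port: uid} for sockets that match the localhost-tracking port pattern.
    On Android the uid identifies the app; mapping it to a package name with
    `adb shell pm list packages -U` is an assumed follow-up step."""
    hits = {}
    for port, state, uid in parse_proc_net(tcp_text):
        if state == TCP_LISTEN and port in TCP_PORTS:
            hits[port] = uid
    for port, state, uid in parse_proc_net(udp_text):
        if state == UDP_OPEN and port in UDP_PORTS:
            hits[port] = uid
    return hits

# Constructed sample dumps: a TCP listener on 12387 and a UDP socket on 12580, both uid 10123,
# plus an unrelated established TCP connection (state 01) that must be ignored.
SAMPLE_TCP = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:3063 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:C350 00000000000000000000000001000000:01BB 01 00000000:00000000 00:00000000 00000000 10045        0 40002 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   2: 00000000000000000000000000000000:3124 00000000000000000000000000000000:0000 07 00000000:00000000 00:00000000 00000000 10123        0 40003 2 0000000000000000 0
"""

if __name__ == "__main__":
    print(suspicious_listeners(SAMPLE_TCP, SAMPLE_UDP))   # {12387: 10123, 12580: 10123}
```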
Step 2: You think, “hmm, nice day to check out my guilty pleasure website in incognito mode.”
(Insert your favorite ultra-private vice here — let’s say mine is watching chick sexers doing their thing. Just saying.)
“The user opens their browser and visits a website that integrates Meta’s Pixel.”
You open Chrome, Firefox, or any browser on the same phone.
You turn on VPN and incognito mode and, confidently like a fool, head straight to that website — which, by coincidence, has a Meta Pixel embedded.
This pixel, with your consent, collects data about your actions (visits, clicks, purchases...) and sends it to Meta.
What has now been proven is that, before you even had the chance to give consent, the pixel starts the localhost tracking process we're explaining here.
Theoretically, this should have been explained when asking for cookie consent. Obviously, it wasn’t — because it was blatantly illegal.
I mean, even if you had clicked the “consent” button on the chick sexer website, that consent can’t cover something you were never informed about (note that this trick even caught Google off guard).
Step 3: The web pixel talks to the Facebook/Instagram app using WebRTC
“The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) using SDP modification (SDP Munging).”
Excuse me… what now?
The Pixel script in your browser tries to send information to the Facebook/Instagram app that’s “listening” in the background.
It uses a technique called WebRTC, normally used for voice or video calls (like Zoom or Google Meet), but here it’s being used to secretly transmit data between the browser and the app.
Additionally, a technical trick called “SDP Munging” allows the browser to insert data (like the _fbp cookie identifier) into the WebRTC “initial handshake” message.
In this way, the _fbp (a temporary cookie supposedly limited to your current web session) is sent directly to the native app that’s listening. In other words, the website you didn’t want anyone to know you visited just passed your identification cookie to your Facebook/Instagram app. It’s still just an alphanumeric string at this point.
But that alphanumeric sausage, my friend — is you.
Android has many flaws, but on the point that matters here it is specifically designed to prevent this kind of thing: its sandbox is supposed to stop apps from spying on one another through local ports (localhost).
Step 4: The same pixel on your favorite website, without hesitation, sends your alphanumeric sausage over the internet to Meta’s servers
“The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as the page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).”
WHAT?
At the same time, the Pixel sends the same information (the _fbp cookie) to Meta’s servers over the internet, along with:
The URL you’re visiting
Your browser and operating system
The type of event performed (e.g., “page view,” “add to cart” or, in the case of chick sexer videos... better not know, trust me)
It’s like the Pixel is sending the same letter through two routes:
(a) directly to Facebook’s servers, and
(b) to the Facebook app inside your phone.
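One way to check both routes in a capture, as an added example that is not part of the original post or the researchers' write-up: given an SDP handshake message taken from the browser (Step 3) and the Pixel's /tr request URL (Step 4), it looks for _fbp-shaped identifiers in each and reports whether the same one left by both routes. It assumes the identifier is smuggled somewhere in the SDP text, that an ICE candidate points at the loopback ports from Step 1, and that the /tr query parameter carrying it is named fbp (the post names only dl and ev); the sample SDP and URL are constructed.

```python
# Added detection example (not code from the newsletter or the researchers); the sample SDP and
# URL below are constructed.  Assumed: the _fbp is smuggled into the SDP text, an ICE candidate
# points at a loopback tracker port, and the /tr query parameter carrying it is named fbp.
import re
from urllib.parse import urlparse, parse_qs

# _fbp values have the shape fb.<subdomain index>.<creation time in ms>.<random number>
FBP_RE = re.compile(r"\bfb\.\d\.\d{13}\.\d+\b")
LOOPBACK = {"127.0.0.1", "::1"}
TRACKER_PORTS = {12387, 12388} | set(range(12580, 12586))   # ports quoted in Step 1

def fbp_in_sdp(sdp):
    """Return _fbp-shaped tokens found anywhere in an SDP message; a normal offer carries none."""
    return sorted(set(FBP_RE.findall(sdp)))

def loopback_candidates(sdp):
    """Return (ip, port) for ICE candidates that point at the tracker ports on localhost."""
    found = []
    for line in sdp.splitlines():
        if line.startswith("a=candidate:"):
            f = line.split()      # a=candidate:<fnd> <comp> <proto> <prio> <ip> <port> typ ...
            ip, port = f[4], int(f[5])
            if ip in LOOPBACK and port in TRACKER_PORTS:
                found.append((ip, port))
    return found

def pixel_request_fields(url):
    """Return {fbp, ev, dl} from a Pixel request to www.facebook.com/tr, else None."""
    u = urlparse(url)
    if u.hostname != "www.facebook.com" or u.path.rstrip("/") != "/tr":
        return None
    q = parse_qs(u.query)
    return {k: q.get(k, [None])[0] for k in ("fbp", "ev", "dl")}

def same_fbp_both_channels(sdp, url):
    """True when one _fbp identifier left the browser via the SDP (to the app) and via /tr (to Meta)."""
    req = pixel_request_fields(url)
    return bool(req and req["fbp"] in set(fbp_in_sdp(sdp)))

SAMPLE_SDP = """v=0
o=- 4611731400430051336 2 IN IP4 127.0.0.1
m=application 9 UDP/DTLS/SCTP webrtc-datachannel
a=ice-ufrag:fb.1.1717000000000.123456789
a=ice-pwd:zt7sXv3xn2Qh9QyE4bHq1a2r
a=candidate:1 1 udp 2122260223 127.0.0.1 12580 typ host
"""
SAMPLE_URL = ("https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView"
              "&dl=https%3A%2F%2Fexample.com%2Fvideos&fbp=fb.1.1717000000000.123456789")
```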
Step 5: The app receives the message and links it to your real identity
“The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running in the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking the user's fbp ID (web visit) with their Facebook or Instagram account.”
In plain English:
The app, upon receiving the _fbp identifier, bundles it together with your real account (the one you’re logged into in the app).
Then, it sends it all to Meta’s servers, where they can now say:
“Aha! This _fbp identifier (from that questionable website you just visited) belongs to Jorge García Herrero, Instagram user.”
“Chick sexers? Seriously, bald guy?”
And just like that, they link your web activity (browser) to your real identity (account) — even if you never logged into your account in that browser or gave any explicit consent for it.
Why is it so serious?
Meta has used a technical loophole that privacy protection systems didn’t anticipate — in fact, they were specifically designed to prevent it.
Meta managed to do this even when:
You aren’t using the app (but have a session open in the background).
You haven’t logged into your account in the browser.
You’re browsing in incognito mode.
You’re using a VPN.
You delete cookies at the end of every session.
Once again, Meta has blatantly disregarded the requirement to obtain informed user consent before collecting and combining personal information from different sources.
The scale is massive
22% of the most visited websites in the world are affected. In the U.S., 17,223 sites with the Meta Pixel and 1,312 with Yandex Metrica initiated this tracking without user consent. Over 8 years (Yandex) and at least 9 months (Meta), billions of users were tracked without their knowledge.
The captured data includes:
Complete browsing history with specific URLs
Products added to cart and purchases made
Registrations on websites and completed forms
Temporal behavioral patterns across websites and apps
Direct linking to real identities on social networks
You’re not affected if (and only if)
You access Facebook and Instagram via the web, without having the apps installed on your phone
You browse on desktop computers or use iOS (iPhones)
You always used the Brave browser or the DuckDuckGo search engine on mobile
The Infringements
As stated at the beginning, Meta faces simultaneous liability under the following regulations, ranked from lesser to greater severity (not including the ePrivacy Directive — it’s a joke at this point):
GDPR: Requires consent to process personal data for ad personalization. Meta also violated the principles of data minimization and privacy by design. (Up to 4% of global annual turnover)
DSA (Art. 26): Explicitly prohibits personalized advertising based on profiles created from special categories of personal data (e.g., sexual orientation, political views, health data).
If such data could be inferred from users’ interactions on websites and apps (which is almost certain, given the scale of the violation — reaching 25% of the world’s most visited sites), the penalty could reach 10% of turnover.
The CJEU has been clear on this point (“Fondas” C-184/20 and Bundeskartellamt).
Meta was declared a VLOP (Very Large Online Platform) in February 2024 and was already under investigation for violations involving content moderation transparency, child protection, and election integrity.
DMA (Art. 5.2): The most damaging one: it specifically prohibits combining personal data between core platform services without the user’s explicit consent, as defined by GDPR. The localhost tracking technique combines data across at least Facebook and Instagram, and potentially WhatsApp and Messenger as well.
The DMA carries the highest financial risk — fines up to 10% of global turnover (€16.4 billion), increasing to 20% for repeat offenses.
Meta was designated a gatekeeper in September 2023 and received its first DMA fine in April 2025: €200 million for its “pay or consent” model.
Meta will undoubtedly claim it already had user consent to do this, but here’s the truth: it needed three specific consents to process the data (GDPR), access the device (ePrivacy), and combine profiles across services (DMA). It only requested one — and even that with a coercive “pay or okay” alternative.
Unfortunately, Meta’s most recent fine was precisely over its “pay or okay” approach.
The Penalties
GDPR, DMA, and DSA protect different legal rights, so the penalties under each can be imposed cumulatively.
The combined theoretical maximum risk amounts to approximately €32 billion (4% + 6% + 10% of Meta’s global annual revenue, which exceeds €164 billion).
Maximum fines have never before been applied simultaneously, but one could argue these bad guys have earned it.
Several factors favor setting that precedent: Meta’s long record of violations (it holds the record for GDPR fines in Europe), its lack of cooperation with regulatory investigations, the systemic impact of this scheme given its market dominance, and the clear intent to bypass all technical and legal protections established for users.
Jorge García Herrero
Data Protection Officer
Brilliant job, lads. I hope regulators, and in particular the EC, nail them to a wall.
In a way this made me realize I'm trans by looking at my chick sexer consumption and sending me wlw stuff on the apps. How can I testify for this in the US so conservatives think Meta is deliberately making kids trans and ban the company outright?