"Localhost tracking" explained. It could cost Meta €32B

Scale and impact of potential fines

  • Commenters dispute the headline €32B number; many expect something closer to past GDPR fines (e.g., ~€1.2B), though others note 4% of global revenue is legally possible.
  • Debate over whether 1% of Meta’s annual revenue is “significant”: some see it as a real hit to margins, dividends, and jobs; others as an absorbable cost of doing business.
  • Argument over whether fines should scale with revenue vs profit; law uses revenue to avoid profit‑shifting games, but that penalizes low‑margin firms more.
  • Several want much harsher penalties (tens of percent of revenue, or even 400%) and criminal liability for executives; others emphasize realistic EU behavior and the risk Meta might threaten to exit Europe.

Technical mechanism and platform flaws

  • Summary: the Facebook/Instagram Android apps open a listener on fixed localhost ports; when a mobile browser loads a site carrying the Meta Pixel, the pixel script opens a WebRTC connection toward those ports and uses SDP munging to smuggle the tracking identifier into the connection setup. Because the data never travels as a cookie or an ordinary HTTP request, cookie clearing, VPNs and private browsing do not stop it; the app ties the identifier to the logged‑in account and uploads it.
  • Some commenters assume Android blocks apps from listening on localhost with ordinary sockets and that WebRTC is the loophole. It does not: any app holding the INTERNET permission can bind a loopback port. The actual gap is on the browser side, which lets any web page's WebRTC/ICE traffic reach 127.0.0.1 without a permission prompt.
  • Browsers allowing arbitrary sites to reach localhost is identified as the core problem; proposals include permission‑gating local‑network access (as the Private Network Access effort does) and enabling uBlock Origin's "Block Outsider Intrusion into LAN" filter list, with the caveat that content filters do not see WebRTC traffic.
  • Some see this as an impressive but “scummy” exploitation of both Android’s and browsers’ models, not a zero‑day but a design failure.
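The mechanism summarized above is easiest to reason about on the wire, so here is an added detection example (written for this page, not code from the article or from the researchers who found the behaviour). It assumes, for illustration only, that the app listens on UDP 127.0.0.1:12580-12585 and that the munged SDP places the `_fbp` value in the ICE username fragment, so that every STUN Binding Request the browser sends to the app carries it in the USERNAME attribute as `<remote-ufrag>:<local-ufrag>` (RFC 8445 §7.2.2). The `_fbp` format (`fb.<version>.<timestamp>.<random>`) is the documented Meta Pixel cookie layout; the sample datagrams are constructed, not captured.

```python
"""Flag STUN Binding Requests to localhost that carry an _fbp identifier.

Added example; the app ports and the ufrag placement are assumptions.
"""
import re
import struct

STUN_MAGIC_COOKIE = 0x2112A442      # RFC 5389 fixed value
STUN_BINDING_REQUEST = 0x0001
STUN_ATTR_USERNAME = 0x0006

ASSUMED_APP_PORTS = range(12580, 12586)          # assumption: app's listening ports
FBP_RE = re.compile(r"\bfb\.\d\.\d+\.\d+\b")     # _fbp cookie shape


def build_binding_request(username, txid=bytes(12)):
    """Minimal STUN Binding Request with a single USERNAME attribute.

    Stands in for the browser's ICE connectivity check, i.e. the pixel side
    of the constructed exchange.
    """
    value = username.encode()
    attr = struct.pack("!HH", STUN_ATTR_USERNAME, len(value)) + value
    attr += b"\x00" * (-len(value) % 4)            # attributes pad to 32-bit boundaries
    header = struct.pack("!HHI", STUN_BINDING_REQUEST, len(attr), STUN_MAGIC_COOKIE)
    return header + txid + attr


def parse_stun(packet):
    """Return {'type', 'txid', 'attrs'} for a well-formed STUN message, else None."""
    if len(packet) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", packet[:8])
    # Top two bits of a STUN type are always zero; magic cookie must match.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or len(packet) < 20 + length:
        return None
    attrs = {}
    offset, end = 20, 20 + length
    while offset + 4 <= end:
        atype, alen = struct.unpack("!HH", packet[offset:offset + 4])
        value = packet[offset + 4:offset + 4 + alen]
        if len(value) != alen:
            return None                            # truncated attribute
        attrs[atype] = value
        offset += 4 + alen + (-alen % 4)           # skip value plus padding
    return {"type": msg_type, "txid": packet[8:20], "attrs": attrs}


def smuggled_ids(packet):
    """Extract _fbp-shaped identifiers from the USERNAME of a Binding Request."""
    msg = parse_stun(packet)
    if not msg or msg["type"] != STUN_BINDING_REQUEST:
        return []
    username = msg["attrs"].get(STUN_ATTR_USERNAME, b"").decode("utf-8", "replace")
    return FBP_RE.findall(username)


def find_localhost_exfil(datagrams):
    """datagrams: iterable of (dst_ip, dst_port, payload). Returns flagged hits."""
    hits = []
    for dst_ip, dst_port, payload in datagrams:
        if dst_ip != "127.0.0.1" or dst_port not in ASSUMED_APP_PORTS:
            continue                               # only loopback traffic to the assumed ports
        for ident in smuggled_ids(payload):
            hits.append({"port": dst_port, "fbp": ident})
    return hits


# Constructed sample traffic (not captured data): one munged ICE check aimed at
# the app's assumed port, one ordinary ICE check to a real peer, one non-STUN datagram.
SAMPLE_DATAGRAMS = [
    ("127.0.0.1", 12580, build_binding_request("app0:fb.1.1712345678901.1234567890")),
    ("203.0.113.7", 3478, build_binding_request("x9Kq:7hFa")),
    ("127.0.0.1", 12581, b"not stun at all"),
]

if __name__ == "__main__":
    for hit in find_localhost_exfil(SAMPLE_DATAGRAMS):
        print(f"_fbp {hit['fbp']} sent to localhost UDP port {hit['port']}")
```

In practice the datagrams would come from a loopback capture on the device (for example `tcpdump -i lo udp`), and the port list would be whatever the app is observed binding; the parser and the identifier check stay the same. Note that a normal ICE username is short and random, so an identifier-shaped ufrag on loopback is a strong signal even before the port is known.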

User exposure and mitigations

  • Affected: Android users with Facebook/Instagram installed and logged in; unaffected: iOS users and those who only use web versions without the apps (per article).
  • Questions remain about how long apps can keep the local port open in background; Android can kill them, but background services and push can relaunch them.
  • Mitigations discussed: avoid native apps; use privacy‑focused browsers; strong DNS/adblocking; LAN/VLAN isolation; hardened OSes like GrapheneOS or Qubes‑style isolation. Many note these are unrealistic for average users, so law must protect them.

Corporate incentives, ethics, and responsibility

  • Strong sentiment that this is “ingenious and dishonest” and fits Meta’s history of aggressive tracking workarounds.
  • Debate over whether companies are inherently soulless profit machines or whether culture and leadership genuinely matter; some argue only regulators with real teeth can align profit with ethics.
  • Long thread on who should be punished:
    • One camp: penalties must hit corporate officers and boards, since rank‑and‑file employees act under power and information asymmetry.
    • Another camp: engineers/PMs implementing clearly deceptive tracking also bear moral and possibly legal responsibility.
  • Some call for professional licensing or stronger individual liability; others warn this would just create scapegoats and drive talent away without changing executive behavior.

Broader implications (ads, regulation, platforms)

  • For some, this reinforces that surveillance advertising is inherently abusive and should be banned; others say targeted ads are vital for small businesses but must be tightly regulated.
  • Several point to weak US privacy law, noting that meaningful enforcement is again coming from the EU (GDPR, DSA, DMA), with US wiretap class actions as the main domestic counterweight.
  • There’s irony noted that Android and browser openness enabled this, while iOS’s stricter background limits and “walled garden” likely blocked it—yet EU policy is simultaneously dismantling that walled garden.