Meta and Yandex Betrayed User Trust: A Privacy Professional's Take
June 12, 2025

My Deep Disappointment: How Meta and Yandex Betrayed User Trust Through Android Privacy Violations
Let me be clear from the outset: while I'm not surprised that Yandex—a Russian company that is neither a friend to the West nor on any trajectory to become one—would engage in such privacy violations, I am utterly disgusted by Meta's behavior. Meta is a massive U.S. corporation that millions of Americans trust with their personal data every single day. This betrayal of user trust is so egregious that I sincerely hope the Department of Justice investigates this matter thoroughly. The American people deserve better from one of our own tech giants.
As someone who has spent decades advocating for ethical technology practices and helping businesses protect their digital assets, I find myself profoundly disappointed by the recent revelations about Meta and Yandex's deliberate circumvention of Android privacy protections.
According to research disclosed by academics primarily from a science institute in greater Madrid, both Meta and Yandex found methods to break through privacy protections enabled by Android users. This isn't just a technical oversight—it's a calculated betrayal of user trust that strikes at the heart of digital privacy.
The Sneaky Tactics Unveiled
What particularly troubles me is the sophistication and deliberateness of these tracking methods. The tracking systems use scripts embedded into mainstream websites for gathering visitor metrics: Meta Pixel and Yandex Metrica. These companies exploited Android permissions to create what researchers call a "web-to-app pipeline," funneling cookies from websites that contain tracking scripts onto Meta or Yandex apps, where web activity data can be consolidated and shipped to remote servers.
The scale of this operation is staggering. Roughly six million websites across the globe house Meta Pixel and close to 3 million websites contain Yandex Metrica, according to figures from BuiltWith cited by researchers. What's even more concerning is the timeline: Meta apparently turned on its tracking system in September, while Yandex has been doing it since February 2017.
Why This Is Ethically Unacceptable
As Günes Acar, an assistant professor at Radboud University in the Netherlands, told Spanish newspaper El País, the collected data is incredibly detailed. It includes whether users shop for a product online, whether they put a product in a digital shopping cart, and whether they completed the purchase or registered with the website. Acar's assessment is chilling: "There's a ton of data. Basically, every time you do something, they send it to their server. It's much more than simply knowing that you went to a webpage".
What makes this particularly egregious is how these methods circumvent user choices. Using native Android apps to collect web browsing data defeats privacy protections such as user permission settings, browsing the web in incognito mode and resetting the device's mobile advertising ID. Not even deleting cookies works against it. When users take active steps to protect their privacy, they have a reasonable expectation that their choices will be respected—not undermined through technical loopholes.
The Technical Deception
The technical implementation reveals the premeditated nature of this privacy violation. One technique Meta used to bridge online code to its Android apps is known as "SDP munging", which uses JavaScript to modify Session Description Protocol (SDP) data, inserting, in Meta's case, the _fbp tracking cookie into a protocol message.
What's particularly damning is Meta's response when Google tried to close this loophole. When Google earlier this year modified the mobile Chrome browser to stop allowing that type of SDP munging, Meta responded within days with a workaround. This shows a deliberate intent to continue these practices despite clear signals that they were problematic.
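An audit check for the SDP munging described above, as an added example that is not code from Meta, Google or the researchers: it compares the SDP a browser generated with the SDP a page script applied and flags rewritten attributes carrying a value shaped like an _fbp cookie. The function names, the cookie pattern (fb.<index>.<millisecond timestamp>.<random>) and the sample SDP, including which field holds the value, are assumptions constructed for illustration.

```javascript
// Added example (audit helper); not code from Meta, Google or the researchers.
// Assumption: _fbp values look like fb.<index>.<13-digit ms timestamp>.<random>.
const FBP_SHAPE = /(?:^|[^A-Za-z0-9])(fb\.\d\.\d{13}\.\d{1,20})(?![\d.])/;

// Split an SDP blob into its "a=" attribute lines as {name, value} pairs.
function attributes(sdp) {
  return sdp.split(/\r?\n/).filter((l) => l.startsWith("a=")).map((l) => {
    const sep = l.indexOf(":");
    return sep === -1
      ? { name: l.slice(2), value: "" }
      : { name: l.slice(2, sep), value: l.slice(sep + 1) };
  });
}

// Compare the SDP the browser generated with the SDP the page applied.
// Any attribute that appears only in the applied SDP was rewritten by script.
function auditSdp(generated, applied) {
  const seen = new Set(attributes(generated).map((a) => `${a.name}:${a.value}`));
  return attributes(applied)
    .filter((a) => !seen.has(`${a.name}:${a.value}`))
    .map((a) => {
      const m = FBP_SHAPE.exec(a.value);
      return { attribute: a.name, value: a.value, cookie: m ? m[1] : null };
    });
}

// Constructed sample data (not captured traffic).
const GENERATED = [
  "v=0",
  "o=- 4611731400430051336 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "a=ice-ufrag:4ZcD",
  "a=ice-pwd:2/1muCWoOi3uLifh0NuRHlCi",
  "a=setup:actpass",
].join("\r\n");
// Field placement below is chosen for illustration only.
const APPLIED = GENERATED.replace(
  "a=ice-ufrag:4ZcD",
  "a=ice-ufrag:fb.1.1718150400000.123456789"
);
```

A rewritten attribute with `cookie: null` still indicates munging; the cookie match only narrows the finding to an identifier-shaped value.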
The Hollow Response
Both companies' responses to being caught are equally disappointing. A Meta spokesperson in a prepared statement said it stopped the tracking "upon becoming aware of the concerns"—as if they weren't aware that circumventing privacy protections might raise concerns. Similarly, a Yandex spokesperson emailed Information Security Media Group after publication with a statement that the Russian company has also decided to discontinue the tracking.
These reactive responses only after public exposure demonstrate a troubling pattern: exploit first, apologize later—but only if caught.
Our Commitment at ITECS
At ITECS, we find these practices not just disappointing but fundamentally at odds with the trust-based relationships that should exist between technology companies and their users. We're actively working with our partners to help clients who share our disgust at these privacy violations.
We believe in transparent, ethical technology practices that respect user choices and privacy. That's why we're committed to:
- Educating our clients about these privacy threats
- Implementing robust privacy protections that can't be circumvented
- Advocating for stronger privacy regulations and enforcement
- Supporting technologies and platforms that respect user privacy by design
The Threat Extends Beyond Android
What makes this even more concerning is that this isn't just an Android problem. Researchers noted that similar web-to-app techniques could theoretically work on iOS devices as well as smart TV platforms and desktops. While they stated that "no evidence of abuse has been observed in iOS browsers and apps that we tested," the fact that these techniques could potentially affect iPhone users as well demonstrates the breadth of the privacy threat we're facing.
This means millions of iPhone users could also be vulnerable to similar tracking methods, making this a universal privacy concern rather than a platform-specific issue.
Moving Forward
Researchers warned Monday that besides violating users' privacy, web-to-app tracking opens the door to a malicious third-party app that could intercept the cookie funneling. This isn't just about Meta and Yandex—it's about the precedent this sets for the entire tech industry.
I'm encouraged that Google shipped countermeasures in a May 26 update for the Android Chrome browser, with protections under trial that would block Meta and Yandex from using known web-to-app techniques. However, we need more than technical fixes—we need a fundamental shift in how tech companies view user privacy.
To Meta and Yandex: You've broken our trust. Your technologies touch billions of lives daily, and with that reach comes responsibility. Stop treating user privacy as an obstacle to overcome and start treating it as a fundamental right to protect.
To our clients and partners: Know that ITECS stands with you in demanding better. We're here to help you navigate these challenges and implement privacy solutions that actually work—not just on paper, but in practice.
The fact that researchers said they haven't seen any other company besides Meta and Yandex do so should be a wake-up call to these companies. Being uniquely unethical is not a distinction any company should want.