Ask HN: So what happened to Facebook "localhost" tracking?

Posted by juliusceasar 5 days ago

Counter106Comment102OpenOriginal

It was discussed a year ago. https://news.ycombinator.com/item?id=44235467

Comments

Comment by applfanboysbgon 5 days ago

> Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday.

> The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users).

> Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles.

May 12, 2026

Comment by Retr0id 5 days ago

Not at all to defend Meta but "a feature that allows software developers to test applications" is a dubious definition of localhost. I also can't come up with a better one.

Comment by furyofantares 5 days ago

It's not a definition, but it is an accurate statement.

Comment by Retr0id 5 days ago

It's a true statement but I'm not sure it gives a good impression of what localhost actually is.

Comment by rambojohnson 4 days ago

If the biggest issue you found in the article is the localhost gloss, Meta probably got off easy.

Comment by Retr0id 2 days ago

I never said that.

Comment by austin-cheney 4 days ago

Here is the explicit definition of localhost.

The term "localhost" refers to the default entry in all modern operating system host files. By default modern operating systems provide a hosts file that provides domain name resolution without reliance upon the Domain Name System (DNS) protocol. By default these host files typically ship with one entry, a domain named "localhost" that points to IPv4 loopback interface 127.0.0.1.

Comment by FuckButtons 4 days ago

Sure, but you lost the non technical audience by the end of the first sentence.

Comment by austin-cheney 4 days ago

Then what are we talking about? If this is only about comfort of people who don't give a shit anyways then just relate it to money or cartoons or whatever and walk away. It just doesn't matter.

Comment by cwmoore 4 days ago

The only audience qualified to make technical decisions.

Comment by 4 days ago

Comment by HNgarbagesite 4 days ago

[flagged]

Comment by iririririr 4 days ago

specially for this case, the localhost part is misleading.

what should have been the focus was "starting a shadow server on the use device, wide open for any application or webpage"

Comment by ChrisRR 4 days ago

Yes I was totally confused as that's not what I understood by localhost

Comment by istumbler 5 days ago

“A network interface which allows processes on the same internet host to communicate without the need for a network connection”

Comment by Retr0id 5 days ago

There's a lot of layperson-unfriendly words in there! Iterating on that:

"A feature that allows multiple programs on the same device to communicate without the need for an internet connection"

Comment by thewebguyd 5 days ago

Some concepts just can't (or shouldn't) be broken down to the level of lay person friendly though. There are just some technical concepts that have a complexity floor that if you drop below you are no longer explaining the actual concept but a fantasy.

For a judge trying to rule on a technical case, a poor layperson analogy and lead to a confidently wrong legal conclusion that has serious negative consequences. Thats why court appointed neutral experts are important.

Comment by d1sxeyes 5 days ago

A way for computer programs to talk to each other on the same device as though they were running on different devices connected over a network.

I agree with you by the way, I just don’t think this is one of those cases.

Comment by ryandrake 5 days ago

Computer talky no pluggy

Comment by FergusArgyll 5 days ago

a pty fits that definition though

Comment by dnnddidiej 5 days ago

It is like having a pool room at home instead of playing at the bar. Facebook want to snoop around your pool room.

Comment by Velocifyer 5 days ago

“A loopback network interface” or “A interface that refers to the same host”.

Comment by SturgeonsLaw 4 days ago

"on the device itself"

Comment by thephyber 4 days ago

Localhost is “on the device itself”, but so is an installed App and files and user settings.

This is also missing a lot of what localhost means in this context (networking, violation of the usually way similar apps and websites work on an Android device, etc).

Comment by Obscurity4340 4 days ago

> Judge RitaLin

Comment by htx80nerd 5 days ago

im failing to see the connection

>standard pixel tracking, linked to meta (js , web)

>Meta exploited Android's localhost (os level)

Comment by netsharc 5 days ago

- Instagram/Facebook app listening on localhost port X.

- A website running JS on the browser tries to connect to localhost port X. If it succeeds it's now talking to Zuck's app.

- The JS can report whatever it wants to the app, and the app knows the identity of the browsing user, because ~100% of the time it's the user also logged into the app(s).

Comment by frictasolver 4 days ago

[flagged]

Comment by KomoD 5 days ago

Looks like they stopped doing it

https://localmess.github.io

> UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.

Comment by hulitu 4 days ago

> almost

Comment by mozvalentin 5 days ago

Chrome and Firefox have deployed / are deploying local-network-access which prompts the user when apps try this.

Comment by pezgrande 5 days ago

I guess that's why I am getting so many "Allow to find devices on your network" alerts. Good feature overall.

Comment by SoftTalker 5 days ago

Only a good feature if users have a clue what that question means. Most will click "Yes" because they want to get on with whatever they want to do.

Change it to something like "This website is trying to spy on your local devices, do you want to allow this?"

Comment by SchemaLoad 5 days ago

Most of the time this prompt comes up it's actually for a genuine purpose, like spotify trying to find devices on the local network that can play audio, VLC looking for chromecasts, I saw my DJ app ask for local network and discovered it can discover my decks on the network and stream my library over the local network to it.

The problem is this prompt is new so the software doesn't show the user why it's just triggered the prompt and the user has no info to work with.

Comment by lukan 5 days ago

Since I can see legitimate use case (complex web apps, one sharing data with another) - I would not use the word spying.

But still make it clear what can happen.

"Attention! This website wants to get access to other web apps running on this device, do you want to allow this?"

And then a link explaining some more. But better words are surely possible.

Comment by 5 days ago

Comment by Aachen 5 days ago

I need to turn on location access for all software on my system globally to read the battery status of a device over Bluetooth. These "could be used for" warnings are nice and all, but usually goes beyond what makes sense. Proposing that we need to press "be spied upon" just to view photos stored on your NAS is way out there

I'm sorry if people don't know what "access local devices" means but actively lying to them about the mechanisms is not going to inform anyone

Comment by dpoloncsak 5 days ago

I honestly don't think the average Google Chrome user knows what a 'local' device is, and we should go something more ELI5 "This website wants to spy on every other device connected to your network" or something

Comment by outside1234 5 days ago

Ah, THAT's what that is. They really need to shift the message from the BROWSER is trying to find devices to the WEBSITE is trying to find devices.

Comment by RandomDistort 5 days ago

I get loads of them when I'm on a Netsweeper filtered network... pretty much any time any asset a page loads is from a blocked site (social media pixels normally).

Comment by lelandfe 5 days ago

I hate that there's no "stop asking me" button.

I get those regularly in Chrome

Comment by crtasm 5 days ago

I just discovered that MacOS was blocking Firefox from connecting to devices on my LAN - there's per-app toggle in system settings.

Access to my router's web interface was not blocked (understandably) but this left me rather confused for a while.

Comment by gh02t 3 days ago

This also got me on my partner's Macbook. For the longest time I couldn't figure out why I could access my local services on (Safari? I forget which one actually worked) but not on Firefox/Chrome.

Comment by shit_game 5 days ago

I was just about to say that my question in regards to this was "what are web browsers doing about it?"

Comment by Tade0 5 days ago

I've seen it and at least in Chrome it seems to be treating all URLs which are based on an IP address as "local", regardless of the class of the address.

Comment by kibwen 5 days ago

I'd be inherently suspicious of any website in the wild attempting to contact a bare IP address. Aside from localhost, my default assumption would be that such a website is either trying to circumvent my hosts file (or circumvent my other DNS configuration, e.g. pi-hole or DNS-over-HTTPS), malware trying to reach a command-and-control server, or malware trying to circumvent my adblocker.

Comment by apitman 5 days ago

Any idea if Safari is on board?

Comment by apitman 5 days ago

I've recently been exploring options for allowing web apps to access LAN services. For example, a WebDAV server so you can watch local videos in the app without streaming them through a server.

You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to `http://service.local`, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains.

Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console.

It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad.

[0]: https://developer.chrome.com/blog/local-network-access

Comment by 0john 4 days ago

This actually inspired me recently to create Pal Pipe for Android- https://gitlab.com/not_john/palpipe

Comment by 1vuio0pswjnm7 5 days ago

A timely question. Hopefully someone will share the recent Order and Third Amended Complaint

Since that discussion in 2025

Rose v Meta was consolidated with some other privacy cases against Meta

A first amended complaint was filed,^1 Google was added as a defendant

Defendants motion to dismiss was denied

A third amended complaint was filed on Monday

Here are the PDFs

1.

1st amended complaint

https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...

Meta motion to dismiss

https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...

Google motion to dismiss

https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...

Plaintiffs response

https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...

Meta reply

https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...

Google reply

https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...

Order

(Payment required)

https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...

2nd amended complaint

(Payment required)

https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...

Comment by throwa356262 5 days ago

Off topic: I wonder how hard it is to poison this type of data gathering?

Comment by 5 days ago

Comment by vorticalbox 4 days ago

Not hard, one could build an application that listens on common software ports and simply returns 200 for every request it gets.

Not sure how it would benefit you telling some website you run all the software.

Comment by Aachen 5 days ago

Is that a question?

Comment by woodrowbarlow 5 days ago

i would love to have a software engineer's union, not so much to get better working conditions but to be able to say stuff like "i can't implement that unethical feature, it's against union rules and i'd lose my membership".

Comment by grayhatter 5 days ago

To be fair; you don't need a union... you can just say no. Context; I told them they couldn't ship this exact feature as designed. (It worked until I left.)

Comment by woodrowbarlow 5 days ago

yes, true sometimes (not always). but if more people have access to a way to confidently say "no" (with protection behind them), then i think saying "no" would happen more often, by people who might've otherwise complied.

Comment by Trasmatta 5 days ago

Without the protection of a union, "just saying no" is a good way to get fired

Comment by aforwardslash 5 days ago

Why not just ask for context and approval of the legal team? That would generate enough trail so some shady requirements get dropped almost immediately; having your superior explicitly sign off in writing a feature you deemed unethical and/or potentially illegal is a great way of actually removing them from the pipeline. You can even frame it as "a good guy" just alerting him/her that there may be a fallback, so make sure it has all necessary elements. Compliance decisions are often above a developers paygrade, and one should squarely document the culprit on any shady decision - and boy, this is very easy in big organizations where no single decision-maker wants to be accountable.

Comment by toast0 5 days ago

You could join the Order of the Engineer and refuse to do things that would not be compatible with your understanding of the Obligation of an Engineer [1]. Of course, that doesn't stop your employer from asking someone else to do it and asking you to find other employment.

There's a few other orders or societies or what have you that you could join. Personally, I don't drive a train or even wear a stripey hat, so I haven't considered joining an organization for Engineers.

[1] https://order-of-the-engineer.org/about-the-order/obligation...

Comment by volkercraig 5 days ago

Start one. Unions are worker owned. You could also join the IWW.

Comment by woodrowbarlow 5 days ago

are there examples of unions that have started around a focus on the ethics of the services they provide? unions traditionally start locally, around issues for which the locality is a hotspot, which is why they usually focus on pay and working conditions. it's also easier to get a large group to agree on a set of improvements to working conditions vs a set of ethical boundaries.

Comment by woodrowbarlow 3 days ago

actually, it looks like this is happening inside Google right now. DeepMind workers are unionizing, and most of their demands revolve around ethical boundaries and the right to refuse to contribute based on ethical grounds.

Comment by actionfromafar 5 days ago

Unions in the US are nerfed, by law.

Comment by greyface- 5 days ago

Collective bargaining is nerfed. Other structures remain viable and legal.

Comment by lesuorac 4 days ago

Naw unions are nerfed.

ex. Secondary (Sympathy) Strikes are illegal [1].

[1]: https://en.wikipedia.org/wiki/Solidarity_action#United_State...

Comment by actionfromafar 5 days ago

Exactly. Nerfed. Unions without collective bargaining is more like a social club.

Comment by mmmlinux 4 days ago

unless your union involves being the law, then they can do literally anything.

Comment by askl 5 days ago

Are you not allowed to leave the US?

Comment by kube-system 5 days ago

I'd wonder how you'd get into that arrangement to begin with when the entire job is based on unethical tracking

Comment by theodorejb 5 days ago

You don't need to join a union to push back against unethical feature requests.

Comment by jakubadamw 5 days ago

The collective leverage of a union gives you significantly more power to do something like this.

Comment by theodorejb 5 days ago

Only if the union is against the unethical request. In some cases the union may be for it, which makes it even harder to push back.

Comment by jackb4040 5 days ago

Fellow software engineers aren't incentivized to destroy their company's reputation in the same way that boards of directors have proven to be time and time again.

Comment by chrncirurp 5 days ago

> You don't need to join a union to push back against unethical feature requests.

If you push back against unethical feature requests:

No union: you get fired

Union: you still get fired

Comment by woodrowbarlow 5 days ago

maybe, but the union could provide a lot of services to someone who loses their job this way (like income insurance and legal services) and could leverage collective power over companies that demonstrate a pattern of behavior.

Comment by dylan604 5 days ago

This is something that has just never sat well with me. How exactly will the union provide this insurance? That insurance isn't free, so paid for by member dues? How many members are required to be able to afford the payout for just one member? How about the other services unions are touted as being able to provide? They all come from the same dues? I know that unions will put money into investment funds to attempt to grow the coffers, but that just means the money isn't liquid.

Unions are always touted as a panacea, but logically, it doesn't compute for me. They feel more like ponzi schemes than anything else.

Comment by woodrowbarlow 5 days ago

that's definitely a big question and i don't pretend to have enough expertise to answer fully; however, i will point to the Ontario Teacher's Pension Plan which is (per Wikipedia[1]) "one of the world's largest institutional investors [...] over $266 billion in net assets, with a one-year total-fund net return of 9.4%, and a 7.4% 10-year total-fund net return". the union runs their own investment fund; it's an extension of collective power into the financial realm.

https://en.wikipedia.org/wiki/Ontario_Teachers%27_Pension_Pl...

Comment by hluska 5 days ago

That is only a pension plan. It provides no insurance to teachers who are still employed.

Comment by woodrowbarlow 4 days ago

it's an example of how a union can use collective financial power to fund the services they offer to their members. a software engineer's union could prioritize income insurance over retirement.

Comment by askl 5 days ago

> That insurance isn't free, so paid for by member dues?

Yes, obviously. That's how every insurance works.

Comment by dylan604 5 days ago

Yes, obviously. A question not asked as assumed a natural part of the thinking process is how many members does it take to get to the center of a tootsie pop? Just because other unions exists does not mean that the one that techBro Norma Rae starts is going to remain viable. How many claims can be paid out before the insurance no longer pays out? Lots of conversation left after your trite yes obviously unhelpful comment

Comment by prmoustache 5 days ago

> This is something that has just never sat well with me. How exactly will the union provide this insurance? That insurance isn't free, so paid for by member dues?

That is how all unions were born.

Comment by wahern 4 days ago

Providing insurance was one reason for the emergence and popularity of friendly societies, fraternal organizations, and trade unions in the 19th century. But out of that emerged the modern insurance industry, so you can now just buy those products directly. Unemployment insurance may be an exception, but that's because employer-mandated unemployment insurance is now so ubiquitous.

The modern "welfare state" also emerged out of those earlier grassroots movements. Now we take it for granted. One downside is that the state has largely displaced the incentive for those private societies.

And for the conspiratorial minded: that displacement was in part a deliberate attempt to limit the power of collective action and employees generally. In the early 20th century, jury awards for horrendous workplace accidents were often large and starting to threaten the bottom line. Employer-mandated workers' compensation insurance was promoted by companies as a way to limit their liability. This is why you typically cannot sue your employer for most workplace accidents if you're covered by workers' compensation. The same legislation that mandates workers' compensation insurance shields employers from liability for workplace accidents. Especially in the case of grievous injury or permanent disability, an employee likely would have gotten much greater compensation in a civil suit than what they'll get in workers' compensation. (OTOH, considering all workplace injuries and compensation together, maybe the bargain was worth it overall. Employee societies may never have achieved the degree of coverage the legal mandate did, and maybe those societies would never have been able to provide more compensation on average than employees get now.)

Comment by dylan604 5 days ago

That's great insight. Thanks for contributing.

Comment by soco 5 days ago

Simple idea: look how other unions work, and in other countries as well. The wheel has already been invented.

Comment by dylan604 5 days ago

You can say that about a lot of things. The car was already invented, but so many new car companies struggle. Just because a thing exists does not mean someone else can come along to immediately become successful with thing.

Comment by soco 5 days ago

The question as I took it was "I can't imagine how this can work". Interpreting it as anything else is defeatism and I won't entertain that.

Comment by dylan604 5 days ago

It's not defeatism. It's doing the research to avoid unnecessary failure from over ambitiousness getting in the way of doing something the right way. This isn't a Show HN situation where you go and get some VC funding and yolo your way through it. This is something that if it's not done right it could have a greater blast radius than some VC funded startup shutting down with a "What we've learned" blog post.

Comment by soco 5 days ago

Makes sense, but I haven't seen in the comments the signs of research having been done. Or maybe you were hoping that I am doing the research for you, while you brainstorm how it can't work? I am an union member, albeit not in the US, and for me it looks fine. Sample size of 1, but a sample which says it does work. Take this information as you wish.

Comment by jeffgreco 5 days ago

Still a better outcome than tossing your ethics overboard.

Comment by garciasn 5 days ago

Why bother to join a union, pay dues, potentially have your career limited, and have another layer to deal with?

Just leave or be fired without the song and dance.

Comment by Henchman21 5 days ago

Because you’re a person who cares about your fellow citizens and realize that collectively bargaining helps to lift all boats, not just yours

Comment by HWR_14 5 days ago

How would your career be limited?

Comment by josefritzishere 5 days ago

union strong, bro.

Comment by dzikimarian 5 days ago

Maybe don't apply to Meta in the first place? With their track record it's pretty obvious that you'll be part of building something morally dubious.

Comment by grayhatter 5 days ago

I didn't get fired.

Comment by absqueued 5 days ago

Take a lead, let me sign up :)

Comment by SoftTalker 5 days ago

And this is why we don't have one. Someone else is expected to do the hard part.

Comment by hasahmed 5 days ago

same

Comment by 5 days ago

Comment by LadyCailin 5 days ago

That’s what licensing is for, not unions.

Comment by woodrowbarlow 5 days ago

i don't believe that software development should require a license. imagine having to get board-licensed to download gcc; therein lies the death of free software and owning your devices.

Comment by iamnothere 5 days ago

> therein lies the death of free software and owning your devices

(That’s what these people want)

Comment by hluska 5 days ago

A union could absolutely get involved in something like this.

Comment by dzikimarian 5 days ago

Honestly - shouldn't one assume that train already departed when they decided to work for company that is basically data mining operation with no ethics?

Comment by ethagnawl 5 days ago

> not so much to get better working conditions but

... why not both?

Comment by chris_explicare 5 days ago

[dead]