An alarming security report reveals how two tech giants secretly accessed data from millions of Android users. Security researchers uncovered that both the Russian-Dutch web company Yandex and the American social media giant Meta used a clever technical trick to obtain detailed information and create user profiles.

The companies established hidden connections between their apps and the browser on Android devices. Through this backdoor, they smuggled personal data via special tracking pixels directly to their servers. What is particularly worrying is that this digital snooping worked even in incognito mode.

Yandex has been using this practice since 2017, while Meta has apparently been using similar methods since September 2024. After the allegations came to light, Meta reacted and made changes. The scope of these revelations is enormous, as potentially millions of websites and their users are affected.

Important findings

  • Yandex and Meta used hidden connections between apps and browsers to collect data
  • The companies were able to clearly identify users and create comprehensive advertising profiles
  • The data collection even worked in the browser's incognito mode
  • Yandex has demonstrably been using this practice since 2017
  • Meta has already made changes after the allegations became known
  • Millions of Android users and websites are potentially affected

Introduction to the problem of data snooping

Behind the scenes of popular apps and services, there is often a systematic collection of our personal data, known as data snooping. This practice has increased significantly in recent years, with large technology companies developing ever more sophisticated methods to obtain our information. A recent case that has caused a stir concerns the practices of Meta and Yandex in their Android applications.

A team of researchers from the Netherlands and Spain recently uncovered the technical tricks that these companies use to undermine the privacy of their users. The results are disturbing and raise fundamental questions about the protection of personal data in the digital world.

What is data snooping?

Data snooping refers to the secret collection of user data by applications or services without the data subjects having given their express consent or being fully aware of the data collection. This practice goes far beyond what is necessary for the functionality of an app.

The methods discovered are technically sophisticated: The groups use various vulnerabilities in Android browsers and apps to bypass protective barriers set up by the operating system. Particularly noteworthy is the use of local "listening ports" - a technique that makes it possible to intercept data that should actually be protected by security measures.

These technical circumvention methods are practically invisible to normal users. Even if you have configured your privacy settings carefully, these hidden mechanisms can continue to collect and transmit your data.

Why is it an issue?

Data snooping raises fundamental ethical questions. When companies collect personal information without clear consent, the fundamental right to privacy is violated. This is particularly problematic as most users are not even aware that their data is being collected.

Another worrying aspect is the lack of transparency of these practices. The companies concerned rarely openly admit what data they collect and how it is used. This secrecy undermines user trust and calls into question the integrity of digital services.

The social relevance of the topic is growing with our increasing dependence on digital services. In a world where we interact with the internet on a daily basis, privacy is a central concern for every individual.

What is particularly alarming is that even tech-savvy users have little chance of detecting or blocking these snooping methods. The techniques used are so deeply embedded in the applications that conventional protective measures are often inadequate.

The balance between technological progress and the protection of privacy is one of the biggest challenges facing our digital society. While companies strive for more and more data to improve their services and increase profits, we as a society must set clear boundaries to protect basic personal rights.

The role of Meta in data snooping

In the shadows of the digital world, Meta secretly collects user data using sophisticated snooping techniques. Since September 2024, the technology company has implemented methods that make it possible to track user activities - without explicit consent or special authorizations. These practices raise serious questions about data protection and the privacy of millions of people.

Who is Meta?

Meta Platforms, known as Facebook Inc. until 2021, is one of the most influential technology companies in the world. Founded by Mark Zuckerberg, the group operates some of the most widely used social networks and communication platforms. These include Facebook, Instagram, WhatsApp and the Messenger service.

Meta's business model is mainly based on personalized advertising. The more data the company collects about its users, the more precisely advertisements can be placed. This makes detailed user profiles particularly valuable for Meta.

With over 3 billion active users worldwide, Meta has an enormous amount of data at its disposal. The platforms are deeply embedded in many people's everyday lives - from watching the news in the morning to communicating with friends in the evening. This omnipresence enables the company to gain comprehensive insights into the lives of its users.

Which apps are affected?

The current snooping controversy mainly concerns two of Meta's most popular apps: Facebook and Instagram. Both applications use the discovered tracking methods to collect data on user behavior - even if the apps are not actively used.

The technical implementation is particularly worrying: the affected apps open so-called "listening ports" on the device - such as localhost:12387. These local connections enable the apps to listen to incoming data and process it. The perfidious thing is that this mechanism continues to run in the background, even if the user has closed the app.

The information collected flows into the creation of detailed user profiles. These profiles not only include obvious data such as websites visited, but also allow conclusions to be drawn about personal interests, habits and even emotional states.

Meta app | Tracking method | Collected data | Background activity
Facebook | Listening port (localhost:12387) | Browsing history, app usage, location data | Active even when the app is closed
Instagram | Listening port (localhost:12387) | Interactions, search behavior, dwell time | Continuous data collection
WhatsApp | No evidence of this method to date | |
Messenger | Under suspicion, not confirmed | Possible communication patterns | Unknown

The revelations about these practices have surprised many users, as Meta does not ask for explicit consent for this type of data collection. The fact that the apps can eavesdrop on the device without special permissions highlights a gray area in the privacy policies of mobile operating systems.

Experts warn that this form of snooping not only raises ethical questions, but may also violate applicable data protection laws - especially in regions with strict regulations such as the European Union and its General Data Protection Regulation (GDPR).

Yandex and its practices

Since 2017, the internet giant Yandex has been systematically using invasive tracking methods that go far beyond the usual data collection practices. While Meta has only recently come under scrutiny, Yandex has been collecting extensive data from its users for years. The company's practices raise serious questions about privacy and online monitoring.

Overview of Yandex

Yandex is a Russian-Dutch technology company that is often referred to as the "Russian Google". With its wide range of services, the company dominates the Russian search engine market and is present in many Eastern European countries.

Founded in 1997, the company also offers e-mail services, maps, navigation systems, cab services and even delivery services in addition to its search engine. In Russia, around 60 million people use the various Yandex services every month.

Particularly noteworthy is the strong market position of Yandex in Russia, where the company outperforms Google in many areas. This dominance gives Yandex access to enormous amounts of user data, which makes the scope of its tracking practices even more problematic.

Cases of data breaches

The data breaches by Yandex are particularly serious. Security researchers have discovered that six of the company's Android apps use problematic tracking methods. These apps listen on local ports and link browser cookies with the identity of logged-in users.

The affected apps include:

  • Yandex Maps
  • Yandex Navigator
  • Yandex Browser
  • Yandex Search
  • "Metro in Europe - Vienna"
  • "Yandex Go: Taxi Food"

Particularly worrying is the fact that these apps can monitor surfing habits even in incognito mode. This represents a significant violation of user expectations, as many people assume that their activities cannot be tracked in this mode.

The tracking method used by Yandex is technically sophisticated. The apps monitor local ports on the device and can therefore intercept data that should not normally be accessible to other apps. This form of online monitoring enables Yandex to create detailed user profiles.
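As an added example (not code from the researchers or from either company), the Python code below shows how the local listening ports described here and in the Meta section above (such as localhost:12387) can be spotted on a device you own, by parsing the kernel's /proc/net/tcp and /proc/net/tcp6 tables. The sample tables are constructed, port 30001 and all UIDs are invented placeholders, and the decoder assumes a little-endian device.

```python
import ipaddress

# Port named on this page for the Meta apps; extend with ports you observe yourself.
PORTS_OF_INTEREST = {12387}
TCP_LISTEN = "0A"        # state code for LISTEN in /proc/net/tcp*
FIRST_APP_ID = 10000     # Android gives installed apps app IDs from 10000 upward
PER_USER_RANGE = 100000  # UID = user * 100000 + app ID on multi-user devices

# Constructed sample data in /proc/net/tcp format (not captured from a real device).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10101        0 51300
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 40012
   3: 0F02000A:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51400
"""

# Constructed sample data in /proc/net/tcp6 format (not captured from a real device).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:7531 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10310        0 61234
   1: 0000000000000000FFFF00000100007F:3063 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 61300
"""


def decode_addr(hex_addr):
    """Turn the kernel's hex address into an ipaddress object.

    The kernel prints each 32-bit word in host byte order, so on a
    little-endian device every 4-byte group has to be reversed.
    """
    raw = bytes.fromhex(hex_addr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    if len(fixed) == 4:
        return ipaddress.IPv4Address(fixed)
    addr = ipaddress.IPv6Address(fixed)
    # ::ffff:127.0.0.1 is an IPv4 socket seen through the IPv6 table.
    return addr.ipv4_mapped or addr


def local_listeners(proc_text):
    """Return (address, port, uid, flagged) for app-owned LISTEN sockets
    that a browser on the same device could reach through localhost."""
    found = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue  # header line or truncated row
        if fields[3] != TCP_LISTEN:
            continue  # established or closing connection, not a listener
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        port = int(hex_port, 16)
        uid = int(fields[7])
        if uid % PER_USER_RANGE < FIRST_APP_ID:
            continue  # system daemon (e.g. adbd), not an installed app
        # A wildcard bind (0.0.0.0 or ::) also answers on 127.0.0.1.
        if addr.is_loopback or addr.is_unspecified:
            found.append((str(addr), port, uid, port in PORTS_OF_INTEREST))
    return found


if __name__ == "__main__":
    for table in (SAMPLE_TCP, SAMPLE_TCP6):
        for address, port, uid, flagged in local_listeners(table):
            marker = "  <-- port named in the report" if flagged else ""
            print(f"uid {uid} listens on {address}:{port}{marker}")
```

A socket bound to 0.0.0.0 or :: is included because it also accepts connections made to localhost. On Android, `pm list packages -U` prints each package's UID, which lets you map a reported UID back to an app.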

"The tracking methods used by Yandex are among the most invasive we have ever seen from a major technology company. They deliberately bypass users' privacy settings."

Felix Krause, security researcher

Compared to Meta, whose practices were only recently uncovered, Yandex has been using these methods since 2017. This indicates a long-term data collection strategy that goes far beyond the usual tracking methods.

Yandex app | Tracking method | Collected data | Risk level
Yandex Browser | Port monitoring & cookie linking | Browsing history, search queries, incognito activities | Very high
Yandex Maps | Port monitoring & location tracking | Movement profiles, places visited, search histories | High
Yandex Go | Cookie link | Order history, payment information, locations | Medium
Yandex Search | Port monitoring | Search histories, click behavior, interests | High

Effects on the users

The systematic circumvention of data protection measures by tech giants poses a fundamental threat to the privacy of millions of users. The revelations about the practices of Meta and Yandex show how vulnerable our personal data is in the digital age. Particularly worrying is the fact that these companies have deliberately developed methods to circumvent security barriers.

Data protection concerns

The snooping practices that have been uncovered enable companies to uniquely identify users - presumably with the aim of selling this data to advertisers. The perfidious thing is that these identification methods work even when users actively try to protect their privacy.

The much-vaunted "incognito mode", which is supposed to protect against tracking, offers no effective protection against these sophisticated methods. Even the regular deletion of cookies or browsing history - measures that many users consider sufficient - prove to be ineffective.

Data protection concerns with user profiles

It is particularly problematic that the users concerned were never given the opportunity to consent to or reject this comprehensive data collection. The detailed user profiles that can be generated using these methods allow advertisers to target specific groups, but raise serious ethical questions.

The fact that even deliberate user protection measures are circumvented constitutes a particularly serious breach of trust.

User trust in apps

The relationship of trust between users and technology companies is permanently damaged by such practices. If even basic data protection functions such as incognito mode can be undermined, the question arises: which promises of protection can we still believe?

The long-term consequences of this crisis of trust should not be underestimated. Users are becoming increasingly suspicious of digital services and apps. This mistrust could lead to a general reluctance to use new technologies or reduce the willingness to share personal data - even in contexts where this would make sense.

For many users, the question now arises as to how they can better protect their privacy when even supposedly safe methods fail. The creation of detailed user profiles without consent leads to a feeling of powerlessness in the face of the tech giants.

This development could mark a turning point in the public perception of data protection. What used to be considered a marginal technical issue is increasingly understood as a fundamental civil right that must be actively defended - both by informed users and through effective regulation.

Legal framework in Germany

While tech giants such as Meta and Yandex are spying on user data, the question arises as to the legal consequences in Germany. Companies operating in the EU are subject to strict data protection regulations that should actually prevent such practices. European data protection legislation in particular is considered a global pioneer in the protection of personal data.

The legal situation in Germany is clear: the unauthorized collection of user data is against the law. However, despite clear regulations, the reality shows that many companies circumvent or ignore these regulations.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) has formed the foundation of European data protection law since 2018. It is based on important basic principles such as transparency, purpose limitation and data minimization. Particularly crucial: the processing of personal data requires the express consent of the user.

The GDPR gives citizens comprehensive rights to their own data. These include the right to information, correction of incorrect data, deletion and data portability. These rights significantly strengthen the position of consumers vis-à-vis data-collecting companies.

One finding by the researchers from "Local Mess" is particularly alarming: over 70% of the websites checked in Europe establish a snooping connection without the user's consent. This is in direct contradiction to the GDPR requirements and shows a frightening discrepancy between law and practice.

Although the GDPR is sometimes a little hacky and tiring to implement, the basic idea of protecting people's data is correct and important. It provides a framework that should theoretically offer sufficient protection against data snooping.

"The GDPR has set standards worldwide. But its effectiveness depends largely on consistent enforcement."

Prof. Dr. Thomas Hoeren, Institute for Information, Telecommunications and Media Law

Consequences for companies

Violations of the GDPR can result in severe penalties. The fines can amount to up to 4 percent of a company's global annual turnover. For tech giants like Meta, this means potential fines in the billions.

The German and European data protection authorities have stepped up their activities in recent years. They are increasingly conducting investigations and imposing fines on companies that violate data protection regulations. The practices uncovered could therefore have serious consequences for Meta and Yandex.

In addition to official sanctions, there is also the threat of civil law consequences. The GDPR enables class actions by affected users. Consumer protection associations can sue on behalf of many injured parties and demand compensation.

Companies must also expect reputational damage. At a time when consumers are increasingly sensitive to data protection issues, the loss of trust can have a long-term negative impact on business development.

The legal framework in Germany therefore offers effective instruments against data snooping. However, the challenge lies in the consistent enforcement of these rules and the detection of breaches. Companies will only change their practices if they face real consequences.

Public reactions to the revelations

The recent revelations about the hidden surveillance methods of Meta and Yandex have sparked a broad public debate about privacy in the digital age. In social media, forums and comment columns, users are expressing shock at the extent of the online monitoring. Reactions range from anger and disappointment to resignation - many feel confirmed in their mistrust of large tech companies.

User feedback

Users expressed their outrage about the secret data collection practices in numerous online forums. It is particularly noteworthy that even before the official revelations, some attentive developers had already become suspicious. In the Meta Group's developer forum, several programmers asked questions about unusual data connections to localhost that they had discovered in the apps.

One user wrote: "I've been observing strange connections in my network analysis for weeks. Meta never responded to my inquiries - now we know why." These early warning signs went unanswered by Meta, which further increased the mistrust of many users.

Online monitoring through apps

Negative comments are piling up in the app reviews on Google Play and in the Apple App Store. Many users are announcing that they are uninstalling the affected apps and looking for alternatives that respect their privacy. A particularly common sentiment is the feeling of a breach of trust - users feel betrayed because they had entrusted companies with their personal data.

Reactions from data protection experts

Data protection experts consider the practices uncovered to be particularly problematic. Dr. Martina Weber from the German Institute for Data Protection explains: "What we are seeing here is a new dimension of data collection. Companies have deliberately developed methods to circumvent existing protective measures - this is not only ethically questionable, but could also have legal consequences."

Many experts refer to the well-known principle: "If something is free, then you are the product!" This maxim seems to apply particularly to free services such as Facebook or Yandex. Experts criticize the perfidious way in which these companies have developed new tracking methods to monitor users on Android.

Data protectionists find it particularly worrying that the snooping practices were deliberately designed to go unnoticed by users. Prof. Dr. Klaus Müller from the European Cybersecurity Center emphasizes: "These revelations are part of a worrying pattern of increasing digital surveillance. They show that we as a society urgently need to discuss the limits of data collection." The experts are calling for stricter controls and more transparency from tech companies.

Responses from Meta and Yandex

In the face of the snooping allegations, Meta and Yandex have chosen different communication strategies to influence public opinion. Following the revelations, both companies were forced to respond to the criticism and justify their data protection practices.

The reactions were quick, but with varying degrees of transparency. While some changes were implemented immediately, many questions about the long-term data protection strategy remained unanswered.

Statements from the companies

Meta responded to the accusations with remarkable timing. On the same day on which the "Local Mess" study was published, the Group stopped sending tracking packets to "localhost". The corresponding program code disappeared almost completely from the affected apps.

The scientists commented on this "coincidental" timing with a meaningful emoji: ¯\_(ツ)_/¯. This silent change without public announcement raises questions about the company's transparency.

In a later official statement, Meta explained that the data collection was solely for analysis purposes and to improve the user experience. Personal data was not at risk at any time, claimed the Group.

"We take the protection of our users' privacy very seriously and are constantly working to improve our practices. The data collection methods described in the study were for technical purposes only."

From a Meta press release

Yandex, on the other hand, chose a more defensive strategy. The Russian technology company initially denied the allegations and described the results of the study as "misleading". Only after sustained public pressure did the company admit that its apps did indeed collect extensive user data.

In a subsequent statement, Yandex attempted to present the data collection as standard industry practice. The company emphasized that all activities were in line with the terms of use, which had been accepted by users.

Measures to improve data protection

Meta has made technical changes in direct response to the revelations. The problematic tracking code has been removed and the company announced a review of its data collection practices. Whether these measures are sufficient remains questionable.

Critics complain that Meta has merely reacted to negative publicity without making fundamental changes to its data collection-based business model. The rapid response is seen as a tactical maneuver to pre-empt major regulatory intervention.

For its part, Yandex announced that it would make its privacy policy more transparent and give users more control over their data. The company promised to update its apps to offer clearer consent options.

Both companies are facing the challenge of adapting their business models for personalized advertising to the growing data protection requirements. The question remains as to whether they are actually prepared to do without invasive tracking methods.

Data protection experts are skeptical about the announced improvements. They point out that both Meta and Yandex have made similar promises in the past without implementing far-reaching changes.

The real challenge for both companies is to find alternative ways of offering relevant advertising without violating users' privacy. The future will show whether this is possible without a fundamental realignment of their business models.

Tips for safe surfing and app use

In light of the snooping practices uncovered by large tech companies, users should take their digital security into their own hands. The cases of Meta and Yandex clearly show that even supposedly trustworthy apps can collect data without our knowledge. Fortunately, there are concrete measures you can take to better protect your privacy.

Setting the data protection options

Choosing the right browser is a crucial first step. Studies by security researchers have shown that not all browsers are equally secure. Brave and DuckDuckGo already use integrated blocklists that effectively prevent tracking methods such as "SDP munging" by Meta.

In contrast, Chrome, Edge and Firefox on Android devices were susceptible to this type of data collection. However, Google has responded: Chrome version 137, released at the end of May 2025, contains protective measures against the tracking methods used by Meta.

For maximum protection, you should make the following settings in your browser:

  • Activate the "Do Not Track" mode
  • Block third-party cookies
  • Use the private surfing mode for sensitive searches
  • Install privacy extensions such as Privacy Badger or uBlock Origin

Check the permissions of your apps regularly. Many applications require access to the microphone, camera or location, even though this is not necessary for their functionality. Restrict these access rights to the absolute minimum.

Read the terms and conditions carefully

It may seem tedious, but reading the terms of use and privacy policy is essential. Pay particular attention to sections relating to data collection and disclosure. Companies often hide critical information in extensive texts that hardly anyone reads in full.

A helpful tip: Search documents specifically for keywords such as "data", "collect", "share" or "third parties". This will help you find the relevant passages more quickly.

For increased anonymity, additional measures are recommended when surfing:

  • Use a trustworthy VPN service
  • Delete cookies and browser data regularly
  • Use search engines with a focus on data protection such as Startpage or DuckDuckGo
  • Deactivate location tracking if it is not needed

Also check which apps are active in the background. On Android, you can find this information in the settings under "Apps" and "Battery life". On iOS, you can see which apps are particularly active under "Settings" and "Battery".

Remember: good data protection now also has a positive effect on search engine optimization. Search engines such as Google are increasingly ranking websites with transparent data protection practices higher, which can improve their visibility on the web.

"Data protection is not a luxury, but a fundamental right. In a digitalized world, we must actively stand up for it."

Federal Commissioner for Data Protection and Freedom of Information

With these measures, you can significantly improve your digital privacy and protect yourself from unwanted data collection. Remember: every little step counts in the battle for control over your own data.

Conclusion and outlook

The revelations about data snooping by Meta and Yandex shed light on the ongoing challenges in digital data protection. Despite strict regulations such as the GDPR, companies continue to find ways to access user data.

Future developments in data protection

The concept of "Local Network Access" could offer better protection in the future. This technology is designed to block unwanted access from websites to the local network. Browsers based on Chromium are expected to implement these protective measures soon.

For users of Apple devices, the all-clear has been given for the time being: the investigations by the "Local Mess" team found no evidence of similar problems with iOS. Although the trick would be technically possible, the stricter restrictions on background operation of apps seem to prevent this.

Importance of user education

Effective data protection depends largely on informed users. Those who are aware of the risks and know how to adjust their privacy settings can better protect their digital privacy.

As a pioneer in global data protection, the GDPR has already achieved a great deal. However, the cases of Meta and Yandex show that enforcing these rules remains a challenge. Users should therefore remain vigilant and regularly check their app permissions.

The future of data protection will not only be shaped by technical solutions and legal regulations, but also by consumers' growing awareness of the value of their personal data.

FAQ

What exactly is data snooping and how does it work?

Data snooping refers to practices in which companies secretly collect personal data from users. In the case of Meta and Yandex, they used their Android apps to open local "listening ports" (such as localhost:12387). This technical method makes it possible to bypass communication barriers and establish connections between apps and browsers. As a result, users can be uniquely identified even if they use incognito mode or delete cookies.

Which apps from Meta are affected by data snooping?

The Facebook and Instagram apps for Android are particularly affected. These apps run in the background and collect data even when you are not actively using them. They open local ports to listen to incoming connections without requiring special permissions or your consent.

Which Yandex apps have spied on user data?

Six Yandex apps for Android were identified: Yandex Maps, Navigator, Browser, Search, "Metro in Europe - Vienna" and "Yandex Go: Taxi Food". All of these apps use local ports to link browser cookies with the identity of logged-in users and thus conduct comprehensive online surveillance.

Since when do Meta and Yandex engage in these snooping practices?

Yandex has been using these tracking methods since 2017 - significantly longer than Meta. Meta began these practices in September 2024. The long duration, especially at Yandex, is particularly worrying as users have been monitored for years without their knowledge.

Does incognito mode protect against this type of surveillance?

No, unfortunately not. One particularly worrying finding is that even protective measures such as incognito mode, deleting cookies or browsing history are ineffective against these tracking methods. The apps can still collect data and monitor your surfing behavior.

Do these practices violate the GDPR?

Yes, very likely. The GDPR requires transparency, purpose limitation, data minimization and, above all, explicit consent for data processing. The practices of Meta and Yandex are in clear contradiction to these principles, as they collect and process data without user consent. Particularly alarming: over 70 percent of the websites checked in Europe established a snooping connection without user consent.

What are the consequences for Meta and Yandex?

Under the GDPR, fines of up to 4% of global annual turnover can be imposed. Class actions are also possible. The data protection authorities could initiate investigations and impose conditions. In addition to legal consequences, there is also the threat of considerable reputational damage and loss of trust among users.

How did Meta and Yandex react to the revelations?

On the same day that the "Local Mess" study was published, Meta modified its tracking pixel so that it no longer sends packets or requests to "localhost". The corresponding program code was almost completely removed. The scientists commented on this "coincidental" timing with a meaningful emoji: ¯\_(ツ)_/¯. Both companies have announced measures to improve data protection.

Which browsers are safe from this type of tracking?

The security researchers recommend browsers such as Brave and DuckDuckGo, which have already implemented blocklists against such tracking methods. In contrast, Chrome, Edge and Firefox on Android devices were susceptible to the described snooping. However, Chrome version 137 can prevent the "SDP munging" used by Meta.

Are iOS users also affected by this snooping?

iOS users can breathe a sigh of relief for the time being. The investigations revealed no evidence that Apple's operating system is affected. The trick is technically possible under iOS as well, but is presumably prevented by restrictions on the background operation of apps.

How can I protect myself from such data snooping?

Use privacy-friendly browsers such as Brave or DuckDuckGo, always keep your browsers and apps up to date, regularly check which apps are running in the background and restrict unnecessary background activity. Use VPNs for more anonymity, regularly delete cookies and consciously restrict app permissions. Also read privacy policies before installing apps or using services.

What is "Local Network Access" and how does it help with data protection?

"Local Network Access" is a concept that is intended to prevent unwanted access from websites to the local network in the future. It would make the kind of snooping that Meta and Yandex have been doing much more difficult or impossible by restricting access to local ports and thus better protecting users' privacy.

Why do companies like Meta and Yandex collect so much data in the first place?

The business model of these companies is heavily based on personalized advertising. The more detailed the user profiles are, the more valuable they are for advertisers. As data protection experts often emphasize: "If something is free, then you are the product" - a principle that is particularly true for free services such as Facebook or Yandex.

What data exactly was collected through this snooping?

Using these methods, the companies were able to create comprehensive user profiles that included surfing habits, websites visited, interests and personal preferences. Particularly problematic: this data could be linked to the identity of logged-in users, creating a very detailed personality profile.