> Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday.
> The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users).
> Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles.
Not at all to defend Meta but "a feature that allows software developers to test applications" is a dubious definition of localhost. I also can't come up with a better one.
The term "localhost" refers to the default entry in all modern operating system host files. By default modern operating systems provide a hosts file that provides domain name resolution without reliance upon the Domain Name System (DNS) protocol. By default these host files typically ship with one entry, a domain named "localhost" that points to IPv4 loopback interface 127.0.0.1.
Then what are we talking about? If this is only about comfort of people who don't give a shit anyways then just relate it to money or cartoons or whatever and walk away. It just doesn't matter.
Some concepts just can't (or shouldn't) be broken down to the level of lay person friendly though. There are just some technical concepts that have a complexity floor that if you drop below you are no longer explaining the actual concept but a fantasy.
For a judge trying to rule on a technical case, a poor layperson analogy can lead to a confidently wrong legal conclusion that has serious negative consequences. That's why court-appointed neutral experts are important.
Localhost is “on the device itself”, but so is an installed App and files and user settings.
This is also missing a lot of what localhost means in this context (networking, violation of the usual way similar apps and websites work on an Android device, etc.).
- Instagram/Facebook app listening on localhost port X.
- A website running JS on the browser tries to connect to localhost port X. If it succeeds it's now talking to Zuck's app.
- The JS can report whatever it wants to the app, and the app knows the identity of the browsing user, because ~100% of the time it's the user also logged into the app(s).
> UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.
Most of the time this prompt comes up it's actually for a genuine purpose, like spotify trying to find devices on the local network that can play audio, VLC looking for chromecasts, I saw my DJ app ask for local network and discovered it can discover my decks on the network and stream my library over the local network to it.
The problem is this prompt is new so the software doesn't show the user why it's just triggered the prompt and the user has no info to work with.
I need to turn on location access for all software on my system globally to read the battery status of a device over Bluetooth. These "could be used for" warnings are nice and all, but usually go beyond what makes sense. Proposing that we need to press "be spied upon" just to view photos stored on your NAS is way out there.
I'm sorry if people don't know what "access local devices" means but actively lying to them about the mechanisms is not going to inform anyone
I honestly don't think the average Google Chrome user knows what a 'local' device is, and we should go with something more ELI5 like "This website wants to spy on every other device connected to your network" or something.
I get loads of them when I'm on a Netsweeper filtered network... pretty much any time any asset a page loads is from a blocked site (social media pixels normally).
This also got me on my partner's Macbook. For the longest time I couldn't figure out why I could access my local services on (Safari? I forget which one actually worked) but not on Firefox/Chrome.
I've seen it and at least in Chrome it seems to be treating all URLs which are based on an IP address as "local", regardless of the class of the address.
I'd be inherently suspicious of any website in the wild attempting to contact a bare IP address. Aside from localhost, my default assumption would be that such a website is either trying to circumvent my hosts file (or circumvent my other DNS configuration, e.g. pi-hole or DNS-over-HTTPS), malware trying to reach a command-and-control server, or malware trying to circumvent my adblocker.
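The two comments above disagree about what "local" should mean for a bare-IP URL. As an added example (not Chrome's code), the function below classifies the host of a URL into the address spaces the Private Network Access / Local Network Access proposal distinguishes: loopback, private (assumed here to be the RFC 1918 ranges, link-local, unique-local IPv6 and IPv4-mapped forms of those) and public. It also shows why "bare IP" is not simply a syntactic check: the WHATWG URL parser canonicalises forms like `http://0x7f000001/` to `127.0.0.1` before any page script or filter sees the hostname.

```javascript
// Added example (not Chrome's code): address-space classification for URL hosts.
// Assumption: the "private" space is the RFC 1918 ranges plus link-local, as in
// the Private Network Access proposal; anything else numeric is "public".
const PRIVATE_V4 = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["169.254.0.0", 16], // link-local
];

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if malformed.
function parseV4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inV4Range(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseV4(base) & mask) >>> 0);
}

function addressSpaceV4(ip) {
  if (inV4Range(ip, ["127.0.0.0", 8])) return "loopback";
  if (PRIVATE_V4.some((r) => inV4Range(ip, r))) return "private";
  return "public";
}

// IPv6: handle ::1, IPv4-mapped (both textual forms the URL parser may emit),
// fc00::/7 (unique local) and fe80::/10 (link-local); everything else public.
function addressSpaceV6(host) {
  const h = host.toLowerCase();
  if (h === "::1") return "loopback";
  const mapped = /^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/.exec(h);
  if (mapped) {
    const v4 =
      mapped[1] !== undefined
        ? parseV4(mapped[1])
        : ((parseInt(mapped[2], 16) << 16) | parseInt(mapped[3], 16)) >>> 0;
    return v4 === null ? "public" : addressSpaceV4(v4);
  }
  const first = h.split(":")[0];
  const top = first === "" ? 0 : parseInt(first, 16);
  if ((top & 0xfe00) === 0xfc00) return "private"; // fc00::/7
  if ((top & 0xffc0) === 0xfe80) return "private"; // fe80::/10
  return "public";
}

// Classify a URL's host. `bareIp` tells you whether the page addressed a
// numeric host directly (the thing the comment above is suspicious of).
function addressSpace(url) {
  let host = new URL(url).hostname; // already canonicalised by the URL parser
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { host, space: "loopback", bareIp: false };
  }
  const v4 = parseV4(host);
  if (v4 !== null) return { host, space: addressSpaceV4(v4), bareIp: true };
  if (host.includes(":")) return { host, space: addressSpaceV6(host), bareIp: true };
  return { host, space: "unknown (name, resolved later)", bareIp: false };
}

// Constructed sample URLs, including two obfuscated loopback spellings.
const SAMPLES = [
  "http://127.0.0.1:8080/",
  "http://0x7f000001/",
  "http://2130706433/",
  "http://192.168.1.20/",
  "http://172.32.0.1/",
  "http://[fe80::1]/",
  "http://[::ffff:10.0.0.1]/",
  "https://example.com/",
];
for (const u of SAMPLES) console.log(u, "->", addressSpace(u));
```

Two practical takeaways: the 172.16/12 boundary means `172.31.x.x` is private but `172.32.x.x` is public, which trips up hand-written filters; and because the URL parser canonicalises hexadecimal and single-integer IPv4 forms, any allow/deny logic should classify the parsed hostname rather than regex-match the raw URL string.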
I've recently been exploring options for allowing web apps to access LAN services. For example, a WebDAV server so you can watch local videos in the app without streaming them through a server.
You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to `http://service.local`, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains.
Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console.
It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad.
Defendants have failed to stop this litigation from going forward
Expect a settlement before this moves into discovery
The Court's understanding of "localhost" in this Order may be less than complete but if this litigation progresses further and experts are retained then that could change
i would love to have a software engineer's union, not so much to get better working conditions but to be able to say stuff like "i can't implement that unethical feature, it's against union rules and i'd lose my membership".
To be fair; you don't need a union... you can just say no. Context; I told them they couldn't ship this exact feature as designed. (It worked until I left.)
yes, true sometimes (not always). but if more people have access to a way to confidently say "no" (with protection behind them), then i think saying "no" would happen more often, by people who might've otherwise complied.
Why not just ask for context and approval from the legal team? That would generate enough of a trail that some shady requirements get dropped almost immediately; having your superior explicitly sign off in writing on a feature you deemed unethical and/or potentially illegal is a great way of actually removing them from the pipeline. You can even frame it as "a good guy" just alerting him/her that there may be fallout, so make sure it has all the necessary elements. Compliance decisions are often above a developer's pay grade, and one should squarely document the culprit on any shady decision - and boy, this is very easy in big organizations where no single decision-maker wants to be accountable.
You could join the Order of the Engineer and refuse to do things that would not be compatible with your understanding of the Obligation of an Engineer [1]. Of course, that doesn't stop your employer from asking someone else to do it and asking you to find other employment.
There's a few other orders or societies or what have you that you could join. Personally, I don't drive a train or even wear a stripey hat, so I haven't considered joining an organization for Engineers.
are there examples of unions that have started around a focus on the ethics of the services they provide? unions traditionally start locally, around issues for which the locality is a hotspot, which is why they usually focus on pay and working conditions. it's also easier to get a large group to agree on a set of improvements to working conditions vs a set of ethical boundaries.
actually, it looks like this is happening inside Google right now. DeepMind workers are unionizing, and most of their demands revolve around ethical boundaries and the right to refuse to contribute based on ethical grounds.
Fellow software engineers aren't incentivized to destroy their company's reputation in the same way that boards of directors have proven to be time and time again.
maybe, but the union could provide a lot of services to someone who loses their job this way (like income insurance and legal services) and could leverage collective power over companies that demonstrate a pattern of behavior.
This is something that has just never sat well with me. How exactly will the union provide this insurance? That insurance isn't free, so paid for by member dues? How many members are required to be able to afford the payout for just one member? How about the other services unions are touted as being able to provide? They all come from the same dues? I know that unions will put money into investment funds to attempt to grow the coffers, but that just means the money isn't liquid.
Unions are always touted as a panacea, but logically, it doesn't compute for me. They feel more like Ponzi schemes than anything else.
that's definitely a big question and i don't pretend to have enough expertise to answer fully; however, i will point to the Ontario Teachers' Pension Plan which is (per Wikipedia[1]) "one of the world's largest institutional investors [...] over $266 billion in net assets, with a one-year total-fund net return of 9.4%, and a 7.4% 10-year total-fund net return". the union runs their own investment fund; it's an extension of collective power into the financial realm.
> This is something that has just never sat well with me. How exactly will the union provide this insurance? That insurance isn't free, so paid for by member dues?
i don't believe that software development should require a license. imagine having to get board-licensed to download gcc; therein lies the death of free software and owning your devices.
Honestly - shouldn't one assume that train already departed when they decided to work for company that is basically data mining operation with no ethics?
May 12, 2026