I didn’t expect to be shocked by tracking tricks anymore — but then I read this piece on Ars Technica and, well… wow.
Turns out Meta and Yandex have been quietly using their tracking scripts — Meta Pixel and Yandex Metrica — to link your browser activity to your logged-in app identity. Not via cookies, not through ad clicks, but through local ports on your Android phone.
Here’s the playbook:
1. You visit a site with their pixel.
2. The pixel script reaches out — not to a remote server, but straight to the native Facebook, Instagram, or Yandex app running on your phone.
3. These apps are silently listening on localhost. The browser hands over a unique ID like fbp.
4. The app connects the dots: anonymous browsing becomes fully identifiable.
It works even in incognito. No click required. And consent? Over 75% of sites skip that entirely.
Yandex has been doing this since 2017. Meta joined in late 2024. Google only started blocking this in Chrome a few weeks ago — after researchers went public. Until then, nobody knew. Not even most developers using these trackers.
Both companies say it’s all for “better personalization.” Of course it is.
If you work with GA4 to BigQuery exports, be sure to check out my SQL cheat sheet.
