Dan Goodin, writing at Ars Technica:

This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users. The researchers say it may be technically feasible to target iOS because browsers on that platform allow developers to programmatically establish localhost connections that apps can monitor on local ports.

In contrast to iOS, however, Android imposes fewer controls on local host communications and background executions of mobile apps, the researchers said, while also implementing stricter controls in app store vetting processes to limit such abuses. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ browsing habits on sites containing these trackers.

I’ll note that among the so-called “interoperability” requirements the European Commission is demanding of iOS is for third-party apps to run, unfettered, in the background, because some of Apple’s own first-party software obviously runs in the background. And I’ll further note that Apple made clear, back in its December 2024 report laying out its objections to the EC’s demands, that:

No company has made more interoperability requests of Apple than Meta. In many cases, Meta is seeking to alter functionality in a way that raises concerns about the privacy and security of users, and that appears to be completely unrelated to the actual use of Meta external devices, such as Meta smart glasses and Meta Quests.

This newly uncovered “Local Mess” exploit — which seemingly only works on Android — is exactly the sort of scheme Meta wants to pull on iOS: to track users across millions of websites while they justifiably believe their web browsing is sandboxed from all native apps.

Back to Goodin:

Meta Pixel and Yandex Metrica are analytics scripts designed to help advertisers measure the effectiveness of their campaigns. Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.

Every one of the sites that includes these tracking scripts is complicit to some extent in the theft of hundreds of millions of Android users’ web browsing privacy.

 In January 2025, the U.S. 5th Circuit Court of Appeals upheld an injunction issued by a Texas federal district court barring enforcement of a 2022 Guidance Document and related Letter on emergency abortion care issued by the Department of Health and Human Services. HHS had taken the position that under the Emergency Medical Treatment & Labor Act, emergency rooms must sometimes perform abortions as a method of stabilizing pregnant women who have pregnancy complications. HHS also took the position that this federal requirement pre-empts Texas laws barring abortions. The 5th Circuit concluded that EMTALA requires hospitals to stabilize both the pregnant woman and her unborn child and that doctors must comply with state law in balancing those obligations. (See prior posting.) On May 29, 2025, HHS placed a statement on the 2022 Guidance Document that it was being rescinded. However, it went on to apparently limit the rescission to plaintiffs in the 5th Circuit case, saying:

HHS may not enforce the Guidance and Letter’s interpretation of EMTALA—both as to when an abortion is required and EMTALA’s effect on state laws governing abortion—within the State of Texas or against the members of the American Association of Pro-Life Obstetricians and Gynecologists (AAPLOG) and the Christian Medical and Dental Association (CMDA).

Then today (June 3, 2025), HHS issued a Statement (full text) saying that it is rescinding the prior policy for all hospitals, not just for parties to the prior litigation.  The Statement said in part that the 2022 Guidance Document and Letter (which has also been stamped "Rescinded"):

do not reflect the policy of this Administration. CMS will continue to enforce EMTALA, which protects all individuals who present to a hospital emergency department seeking examination or treatment, including for identified emergency medical conditions that place the health of a pregnant woman or her unborn child in serious jeopardy. CMS will work to rectify any perceived legal confusion and instability created by the former administration’s actions.

Meanwhile, ADF today issued a press release saying that in light of the rescission of this policy it has filed a voluntary dismissal of another lawsuit it had filed challenging the Guidance Document.

Customs and Border Protection seized a shipment of t-shirts from a streetwear brand that sells an "Eliminate ICE" t-shirt and multiple shirts critical of police and capitalism. Among the shirts seized was a design that features a swarm of bees attacking a police officer. Emails seen by 404 Media indicate that the shirts are going to be shipped back to China or will be "destroyed."

Last we checked in with Cola Corporation, they were getting threatened with bogus copyright threats from the Los Angeles Police Department over their "FUCK THE LAPD" shirts. The Streisand Effect being what it is, the attention from that naturally led the store to sell out much of its stock. The cops, broadly speaking, appear to be messing with Cola again. [...]

Cola said that he is making more t-shirts with the same design and is now selling for preorder as "the confiscated collection."

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.

Also, you can't block it. As Kyle Reese reminded us, "It absolutely will not stop -- ever -- until you accept its pull req̷̩̓u̸̾͜ḙ̶̈s̶̫͑t̶̙͒."

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.