Research that changes platforms, policies, and protections for billions of users.

Localhost Tracking

Silent web-to-app tracking on mobile via localhost — exposing how Meta and Yandex covertly tracked Android users' browsing across apps.

USENIX Security 2026: "Bridges to Self: Silent Web-to-App Tracking on Mobile via Localhost"

Regulatory & Policy

  • The Spanish Prime Minister cited the research to announce a parliamentary investigation into Meta. Our team testified before the Spanish Congress commission.
  • Members of the U.S. House of Representatives cited the research in a formal inquiry to Meta leadership.
  • Class actions filed in the U.S. (Rose v. Meta, Carroll, Zaveeri), Canada, and Germany.
  • Disclosures to CNIL, EDPS, AEPD, EDPB, UK CMA, and the European Commission.
  • Civil society response from EFF and Privacy International.

Platform & Technical

Industry Response

  • Meta and Yandex terminated the abuse on the day of public disclosure.
  • VPN vulnerability and cross-profile tracking vectors disclosed to Google.

Press Coverage & Commentary: 15+ outlets

Smart Home / IoT

Exposing how local network protocols in smart homes violate platform access control assumptions — apps bypass Android's permission model to harvest device metadata.

IMC 2023: "In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes"

Platform & Technical

  • Google introduced a dedicated local network permission in Android 16.
  • Dozens of privacy-invasive apps and SDKs removed from the Google Play Store.
  • 20+ IoT vendors (Philips, Google, TP-Link, Apple) redesigned identifier schemes.

Regulatory & Policy

  • Presented at CNIL Privacy Research Day 2024, RIPE 89 Plenary (Prague), and RediMadrid Conference.
  • Findings shared with EDPS, AEPD, and CNIL.

Industry Response

  • Google publicly recognized the real-world impact of our findings, awarded a $2,000 bug bounty (donated to Médecins Sans Frontières), and engaged with us to explore mitigations via Android OS, app review processes, and IoT standardization efforts.

Press Coverage: 5+ outlets

Wireless SDKs

Empirical privacy analysis of wireless-scanning SDKs in Android — revealing how apps exploit Wi-Fi, Bluetooth, and other wireless signals for covert location tracking.

PoPETs 2025: "Your Signal, Their Data: An Empirical Privacy Analysis of Wireless-Scanning SDKs in Android"

Regulatory & Policy

  • Findings shared with CNIL, EDPS, and AEPD to inform enforcement discussions.

Press Coverage: 2 outlets