Research that changes platforms, policies, and protections for billions of users.
0
IoT vendors patched
0
Browser/OS mitigations
0
Countries with lawsuits
0
Media outlets
Regulatory & Policy
- The Spanish Prime Minister cited the research to announce a parliamentary investigation into Meta. Our team testified before the Spanish Congress commission.
- Members of the U.S. House of Representatives cited the research in a formal inquiry to Meta leadership.
- Class actions filed in the U.S. (Rose v. Meta, Carroll, Zaveeri), Quebec, British Columbia, and Germany (SOMI Foundation).
- Disclosures to CNIL, EDPS, AEPD, EDPB, UK CMA, and the European Commission.
- Invited to present at the CNIL Privacy Research Day 2026.
- Civil society response from EFF and Privacy International.
Platform & Technical
- Google introduced a localhost permission in Android 17 to prevent platform-wide abuse.
- Chrome 137 and Firefox deployed localhost access restrictions. WebKit engaged with findings.
- Advanced the W3C Local Network Access (LNA) standard. Disclosed bypass vectors.
- Invited to present at IETF PEARG 123 and the Ad-Filtering Dev Summit 2025.
- Research highlighted at the IEEE Milestone Award Ceremony honoring the selection of Rijndael as AES.
- uBlock Origin, AdGuard, and DuckDuckGo adopted tracking protections based on our findings.
Industry Response
- Meta and Yandex terminated the abuse on the day of public disclosure.
- VPN vulnerability and cross-profile tracking vectors disclosed to Google.
Press Coverage & Commentary 15+ outlets
Washington PostMeta found a new way to violate your privacy
Ars TechnicaMeta and Yandex are de-anonymizing Android users
El PaísThe hidden method Meta uses to track mobile browsing
Schneier on SecurityNew Way to Covertly Track Android Users
Daring FireballMeta and Yandex's LocalMess exploit on Android
De MorgenHet sluwe achterpoortje waarmee u online gevolgd wordt
Deutschlandfunk Forscher decken Privacy-Verstoß von Meta auf
TechdirtMeta busted spying on Android users in creepy new way
TweakersMeta had inzage in surfgedrag van Android-gebruikers
Security BoulevardMeta's LocalMess tracking technique
CPO MagazineMeta and Yandex accused of using Android loophole
Knack Data NewsFacebook en Yandex apps weten welke sites je bezoekt
ABCMeta y Yandex consiguen datos concretos sobre tus hábitos
Daily KosGetting off Facebook is NOT enough
Sky NewsMeta found 'covertly tracking' Android users through Instagram and Facebook
The RegisterMeta pauses mobile port tracking tech on Android after researchers cry foul
MediaPostMeta Must Face Suit For Allegedly Tracking Android Users' Web Browsing
Commentary
Platform & Technical
- Google introduced a dedicated local network permission in Android 16.
- Dozens of privacy-invasive apps and SDKs removed from the Google Play Store.
- 20+ IoT vendors (Philips, Google, TP-Link, Apple) redesigned identifier schemes.
Regulatory & Policy
- Presented at CNIL Privacy Research Day 2024, RIPE 89 Plenary (Prague), and RediMadrid Conference.
- Findings shared with EDPS, AEPD, and CNIL.
Industry Response
- Google publicly recognized the real-world impact of our findings, awarded a $2,000 bug bounty (donated to Médecins Sans Frontières), and engaged with us to explore mitigations via Android OS, app review processes, and IoT standardization efforts.
Regulatory & Policy
- Findings shared with CNIL, EDPS, and AEPD to inform enforcement discussions.