> UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.
> Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday.
> The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users).
> Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles.
i would love to have a software engineer's union, not so much to get better working conditions but to be able to say stuff like "i can't implement that unethical feature, it's against union rules and i'd lose my membership".
Honestly - shouldn't one assume that train already departed when they decided to work for company that is basically data mining operation with no ethics?
You could join the Order of the Engineer and refuse to do things that would not be compatible with your understanding of the Obligation of an Engineer [1]. Of course, that doesn't stop your employer from asking someone else to do it and asking you to find other employment.
There's a few other orders or societies or what have you that you could join. Personally, I don't drive a train or even wear a stripey hat, so I haven't considered joining an organization for Engineers.
Why not just ask for context and approval of the legal team? That would generate enough trail so some shady requirements get dropped almost immediately; having your superior explicitly sign off in writing a feature you deemed unethical and/or potentially illegal is a great way of actually removing them from the pipeline. You can even frame it as "a good guy" just alerting him/her that there may be a fallback, so make sure it has all necessary elements. Compliance decisions are often above a developers paygrade, and one should squarely document the culprit on any shady decision - and boy, this is very easy in big organizations where no single decision-maker wants to be accountable.
I've recently been exploring options for allowing web apps to access LAN services. For example, a WebDAV server so you can watch local videos in the app without streaming them through a server.
You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to `http://service.local`, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains.
Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console.
It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad.
Defendants have failed to stop this litigation from going forward
Expect a settlement before this moves into discovery
The Court's understanding of "localhost" in this Order may be less than complete but if this litigation progresses further and experts are retained then that could change
19 comments
[ 4.8 ms ] story [ 45.1 ms ] threadhttps://localmess.github.io
> UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.
> The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users).
> Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles.
May 12, 2026
>standard pixel tracking, linked to meta (js , web)
>Meta exploited Android's localhost (os level)
There's a few other orders or societies or what have you that you could join. Personally, I don't drive a train or even wear a stripey hat, so I haven't considered joining an organization for Engineers.
[1] https://order-of-the-engineer.org/about-the-order/obligation...
Not sure how it would benefit you telling some website you run all the software.
Since that discussion in 2025
Rose v Meta was consolidated with some other privacy cases against Meta
A first amended complaint was filed,^1 Google was added as a defendant
Defendants motion to dismiss was denied
A third amended complaint was filed on Monday
Here are the PDFs
1.
1st amended complaint
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Meta motion to dismiss
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Google motion to dismiss
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Plaintiffs response
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Meta reply
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Google reply
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
Order
(Payment required)
https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...
2nd amended complaint
(Payment required)
https://pacer.login.uscourts.gov/csologin/login.jsf?pscCourt...
You can actually achieve a form of discovery if your service registers itself using mDNS for something like `service.local`. Browsers will allow direct navigation/redirection to `http://service.local`, but they'll block any fetch/XHR requests due to mixed content rules, even if you have CORS configured. And of course you can't get a cert for `.local` domains.
Newer things like Chrome's LNA[0] are actually really helpful, because (for now at least) if the user grants the permission, fetch/XHR will go through, but you'll get a bunch of mixed content warnings in the console.
It seems like the only way to fully support this use case currently is with WebRTC, which is pretty sad.
[0]: https://developer.chrome.com/blog/local-network-access
https://dn711508.ca.archive.org/0/items/gov.uscourts.cand.45...
No claims were dismissed without leave to amend
Defendants have failed to stop this litigation from going forward
Expect a settlement before this moves into discovery
The Court's understanding of "localhost" in this Order may be less than complete but if this litigation progresses further and experts are retained then that could change