so this local mess thing is a pretty huge deal.

also, if youve ever wondered "how the fuck does instagram know this shit, are they listening to me?!"

well.. yes, they are (https://futurism.com/the-byte/facebook-partner-phones-listening-microphone)

but they, until the 3rd of this month, were playing hot potato with their tracking pixels that live on millions of sites, your browser, and fb/ig apps on your phone

https://localmess.github.io/
[edit] oops, had the wrong link for localmess writeup

the tl;dr is basically this:

- fb/ig open local ports on your phone
- your mobile browser hits a site, and facebooks javascript sends cookie data to "localhost:<that port>", so now fb/ig have data on the site you just visited

incognito mode doesnt matter, cuz you just outed yourself to them.

vpns dont matter, because both actions are 'on your device', using local sockets.

you cant trust facebook.

add graph.facebook.com to your firewall to prevent outbound traffic, or add it to your internal dns as 127.0.0.1.
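
An added example, not part of the original post: one way to check whether a site does what the tl;dr above describes is to export a HAR from the browser's dev tools and list every request that a remote page sent to the device's own loopback address. It assumes Chrome's HAR layout (page `title` holds the page URL, `_initiator` names the script), it only sees requests the browser recorded in the HAR, and the sample hosts, ports and script names are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def is_loopback(host):
    """True for localhost names and for 127.0.0.0/8 or ::1 literals."""
    host = (host or "").rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # ordinary DNS name

def initiator_url(entry):
    """Script that triggered the request (_initiator is a Chrome HAR extension)."""
    init = entry.get("_initiator", {})
    frames = init.get("stack", {}).get("callFrames", [])
    return init.get("url") or (frames[0]["url"] if frames else "unknown")

def loopback_requests(har):
    """List (page, initiating script, loopback target) for remote pages only."""
    pages = {p["id"]: p["title"] for p in har["log"].get("pages", [])}
    hits = []
    for entry in har["log"]["entries"]:
        target = urlsplit(entry["request"]["url"])
        page = pages.get(entry.get("pageref"), "")
        # A page served from localhost (dev server) talking to itself is expected.
        if is_loopback(target.hostname) and not is_loopback(urlsplit(page).hostname):
            hits.append((page, initiator_url(entry), f"{target.hostname}:{target.port}"))
    return hits

def _req(pageref, url, script):
    return {"pageref": pageref, "request": {"url": url},
            "_initiator": {"type": "script", "stack": {"callFrames": [{"url": script}]}}}

# Constructed sample: hosts, ports and script names are made up for illustration.
SAMPLE_HAR = {"log": {
    "pages": [{"id": "p1", "title": "https://shop.example/cart"},
              {"id": "p2", "title": "http://localhost:3000/"}],
    "entries": [
        _req("p1", "https://cdn.example/app.js", "https://shop.example/cart"),
        _req("p1", "http://localhost:12345/c?id=abc", "https://tracker.example/pixel.js"),
        _req("p1", "ws://127.0.0.1:23456/", "https://tracker.example/pixel.js"),
        _req("p2", "http://localhost:3000/api", "http://localhost:3000/main.js"),
    ]}}

if __name__ == "__main__":
    for page, script, target in loopback_requests(SAMPLE_HAR):
        print(f"{page}: {script} -> {target}")
```
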
@Viss I'm shocked actually, that it wasn't already on the (mostly standard) blocklists I had on pi-hole. Trivial to add now, of course.

@tim_lavoie the tracking pixel may have been in things like ublock, but i dunno about graph.facebook.com. id hafta go look. but its definitely in my firewall now

@Viss Right, you need something that inspects the contents for the pixel I think, IIRC it was just www.facebook.com (which I would be fine to block, but…)

If the graph is fair game to nuke though, I see no downsides even for the rest of the home network.

@tim_lavoie you gotta block in multiple places. firefox on mobile and an in browser blocker, then something like adguard or pfsense at the firewall

@Viss For sure, family's mobile devices are the leaders in nonsense requests, or attempts at same (judging from pi-hole).
I should get something software-based for my wife's iOS devices at least, for the things that aren't domain-level blocks.

@tim_lavoie is that even possible on apple?

@Viss There are apps that claim to help, often commercial. I do have free AdGuard on my phone, but not sure how much it actually sees.

I suspect anything that works at the Safari level is probably fine, and anything that is blobbed into random apps' ad APIs is a shit-show.

@Viss By the way, nobody's complained about the couple-hundred-ish blocked requests to graph.facebook.com in the last few hours, so I think that can stay there.

@tim_lavoie excellent

@Viss Oh for sure, though I suspect I should make a point of blocking DNS over HTTPS too, both for my own visibility, and because I expect the app vendors to lean on easy bypasses.

@tim_lavoie disable it everywhere you can. @da_667 was right - that shit was invented to bypass your ability to introspect what dns queries are happening. which means telemetry, usually.

@Viss @da_667 Pleasant surprise, I had downloaded (and mostly implemented!) this guide ages ago.
https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf

(In case anyone else would like a handy guide).

The IP block lists appear to be updated still, so that's great.