alt.hn

4/14/2026 at 3:46:43 PM

Google, Microsoft, Meta All Tracking You Even When You Opt Out

 https://www.404media.co/google-microsoft-meta-all-tracking-you-even-when-you-opt-out-according-to-an-independent-audit/

by Cider9986

4/14/2026 at 6:45:03 PM

Meta's WhatsApp app under certain network conditions will try to bypass Android VPN settings using Google Public DNS servers even when (a) the OS settings "Always-on VPN" and "Block connections without VPN" are enabled, (b) port 53 is forwarded to a local address,^1 (c) DNS settings under "Network details" for the router point to local addresses only and (d) "Mobile data" is disabled for the SIM and the phone has no access to cellular data (e.g., MMS will fail)

Even the Google pre-installed system apps don't do this

Meta's attempts to conduct surveillance go further than ignoring the sec-gpc header. Meta tries to bypass Android's built-in VPN and the system DNS settings

I use a computer I can reasonably control, i.e., one running an OS I compiled myself, as the gateway for the phone so traffic destined for 8.8.8.8 and 8.8.4.4 is blocked by the gateway's firewall. (TLS forward proxy on the gateway also adds sec-gpc header to all HTTP/HTTPS traffic^2)

1. For example, using PCAPDroid or NetGuard

2. In addition to HTTPS traffic, Meta's WhatsApp app sends some requests over unencrypted HTTP, too, e.g., destined for c.whatsapp.net

by 1vuio0pswjnm7

4/14/2026 at 10:32:46 PM

As for the networking conditions required to reproduce this issue, bringing down the network interface on the gateway will trigger it for me

by 1vuio0pswjnm7

4/14/2026 at 7:23:59 PM

Do third party solutions like AdBlock prevent this?

by aagha

4/14/2026 at 4:22:24 PM

Why wouldn't they? There seems to be no real consequences for these huge corporations, and all of the potential profit incentives.

by ramijames

4/14/2026 at 4:35:01 PM

Execs are paid in stock, the only consequence that would matter is missing revenue projections for 2 quarters in a row, that's yet to happen.

by tlibert

4/14/2026 at 4:40:29 PM

Wells Fargo finally took a dive this quarter - we’ll see what happens.

by lazide

4/14/2026 at 4:47:28 PM

2 quarters. ;-)

by tlibert

4/14/2026 at 4:06:37 PM

they have no fear of the current financial incentives, there has to a punitive quantity involved, and the mentality of any regulators has to catch up with present day.

fines that amount to a daily expenditure account, do nothing. fines have to have potential to do real damage to, or destroy noncompliants, if there is going to be any deterrent.

contempt, is obvious, the chance of jail should exist in actuality, rather than a vague possibility.

by rolph

4/14/2026 at 4:18:25 PM

If you read the report this is why I say network traffic with a Sec-GPC: 1 (GPC opt-out) should return a 451 automatically instead of a cookie, and how the Meta Pixel code can wrap a GPC conditional around execution. That's why they are terrified - fines don't matter, code does.

by tlibert

4/14/2026 at 4:30:39 PM

yes that seems to be workable, but then its thier code, and house techs you have to preempt. the problem seems to be one of, effectively compelling a change of code and heuristics.

im wondering what would be more effective.

1] desist or existentially threatening fines, or indentureship will occur.

2] you have a problem with code maintainence, we will take code maintainence into receivership, until you have demonstrated that you can maintain code in a legal framework.

by rolph

4/14/2026 at 5:57:30 PM

That's a terrible idea though. It means that anyone who selects the "Do not track me" option will find that they can't access the content at all, which will quickly train users to never select "Do not track me".

by nostrademons

4/14/2026 at 4:31:18 PM

> fines that amount to a daily expenditure account, do nothing.

Even those relatively small fines rarely get paid. Companies can tie up the judgements in the courts for years without having to pay a single cent. [1]

> The Data Protection Commission (DPC) is owed more than €4 billion in fines that have not been collected or are subject to legal challenge. The DPC hit companies – including firms in Big Tech – with more than €530 million in fines last year. However, just €125,000 of that has been collected so far, according to data released under FOI laws. Over the past six years, the commission has levied an incredible €4.04 billion in fines, mostly on multinational technology companies. However, of that total, €4.02 billion remains uncollected and just €20 million has been paid in fines so far. In 2024, €652 million worth of fines was levied, of which €582,500 has been paid.

[1] https://www.irishtimes.com/business/2026/01/12/data-protecti...

by wnevets

4/14/2026 at 5:45:59 PM

Hopefully they hold off until the financial straw breaks and then they leverage their owed fines to claim ownership of these shithole companies completely.

I know I'm dreaming, but still.

by BizarroLand

4/14/2026 at 5:53:52 PM

" are you enjoying the party?"

" yes, havn the time of my life !"

"heres your bill."

"whaa aat ?!"

" oh, did you think it was all free, when everyone normal, pays ? "

by rolph

4/14/2026 at 4:28:23 PM

I always opt out if given the option and if not given the option I click x and close the site. However, unfortunately, I have assumed that they are already tracking me when the pop-up hits. This kinda confirms that is true.

We have 'get tough on X, Y, Z' things that don't impact me at all. You can dial 911 if someone assaults you in the US, but I don't know of a single resource to get law enforcement involved when I am digitally assaulted. I think that is a big part of the problem here. Nobody is actually taking the call to enforce this stuff.

by jmward01

4/14/2026 at 4:31:01 PM

The only reason I ever click reject is to open the devtools and count the ads cookies still set. I managed to turn that hobby into https://webxray.ai as a business.

by tlibert

4/14/2026 at 4:44:29 PM

There may be an opportunity here for a plugin that auto-reports violations in some way that can then be used in lawsuits against these companies. Obviously there are privacy concerns with something like this but there may be ways to anonymize the data or otherwise preserve privacy meaningfully. There is 'company X is doing bad thing' and 'company X did bad thing, provably, this many times to these people'.

by jmward01

4/14/2026 at 4:51:34 PM

For legal work you need a controlled forensic environment, this is evidence gathering in the same way a crime scene is. We've developed a lot of proprietary methods to ensure clean-room conditions.

That's not to say the idea isn't interesting, but in terms of legal proceedings, chain of custody with the forensic data is most important.

by tlibert

4/14/2026 at 4:30:59 PM

Forget the "Humans must always be in the loop for accountability" argument against AI, we already don't have such checks today!

by sigbottle

4/14/2026 at 4:51:58 PM

Ha, the question is always "which humans"!

by tlibert

4/14/2026 at 4:06:40 PM

That’s what made big tech big - one giant tracking operation. Trawler style - dolphins be damned

by Havoc

4/14/2026 at 4:32:16 PM

This report relies on several year old technology on our part, our more cutting systems are a few years beyond SOTA, and I can there's a lot more under the surface.

by tlibert

4/14/2026 at 7:02:30 PM

It's funny that following the link to source https://globalprivacyaudit.org/2026/california

Appends a source-url attribute at the end (404media).

I'm sure they're not doing anything nefarious with it, but it is a tiny bit ironic that there's a referral url like that associated with an organization that is speaking out about global privacy audits.

I'm glad they're doing this, and understand this is complex, but throwing out a "check the plank in thine eye before the sty in the others". I haven't really dealt with referral links like that, IIRC that's something 404 is sending as a referrer URL? Would it be prudent to reroute on the GPA sites such referral urls to strip them before sending back?

by wormius

4/14/2026 at 7:22:57 PM

We don’t process it, not our decorator.

by tlibert

4/14/2026 at 4:12:44 PM

Hi, I'm Dr Tim Libert, founder of webXray who did this audit. Happy to answer questions from YC'ers. [Note, stepping away for some mental health exercise, stressful day!]

I also want to push back on Google telling the press our California Privacy Audit is "is based on a fundamental misunderstanding of how [Google's] products work".

I'm the former head of Cookie Compliance at Google and I have the federal court filings that show their statements are not simply true, and Google knows it isn't true.

For the record, here are direct quotes from a federal court filing made by Google's "Data Protection Officer and Senior Director of Privacy", who stated that "If called to testify as a witness, [they] could and would testify competently to such facts under oath."

Here are those facts:

* "Due to Dr. Libert’s academic background focusing on cookies, he became one of the primary members of the team assisting with Google’s cookie compliance and governance efforts..."

* "Dr. Libert quickly assumed responsibility for aiding our in-house regulatory lawyers in addressing governmental investigations into cookies..."

* "Dr. Libert often worked under the guidance of in-house counsel to develop technical solutions to issues raised by privacy regulators..."

* "Dr. Libert was also responsible for the development of internal policies on cookies and web storage. He drafted Google’s internal cookie guidelines in 2021 and early 2022, which applies to all cookies or cookies-like objects, and outlines processes on managing cookies, storing cookies, logging data associated with cookies, server protocols, policies on data collection, and data linkage..."

* "By developing the policy and conducting the audit, Dr. Libert gained insight into every Google-owned cookie deployed across Google’s web properties..."

* "Dr. Libert also proposed changes to how Google interprets specific definitions across its products’ various privacy policies. This included work on policies relating to analytics and advertising services used by third-party apps and websites..."

--

TLDR: Google can say what they want about me in public, but when they are under oath in a federal court of law, this is what they really say.

by tlibert

4/14/2026 at 4:28:37 PM

The GPC spec does not say "no cookies will be set" [1], and does not mention cookies at all. It merely provides a way for the user to indicate their preference that their information not be shared or tracked. The spec even says:

> In the absence of regulatory, legal, or other requirements, websites can interpret an expressed Global Privacy Control preference as they find most appropriate for the given person, particularly as considered in light of the person's privacy expectations, context, and cultural circumstances.

The CCPA [2] also never explicitly mentions cookies or forbids them from being set. The relevant passages about opting out on the sale of personal information are:

> a) A business shall provide two or more designated methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, a form submitted through the mail, and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information

How would you respond to their claim that you are fundamentally misunderstanding GPC, and that the spec and the law do not mean you never set cookies, they mean that you must honor the preferences expressed by the header in backend processes that involve tracking or sale of personal information?

[1] https://w3c.github.io/gpc/

[2] https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oa...?

by nostrademons

4/14/2026 at 4:45:58 PM

To quote our report: At webXray we are experts in tracking technologies, and we work closely with in-house counsel, defense, plaintiff firms, and regulators. However, we are not lawyers ourselves, thus nothing in this report represents a legal conclusion. webXray was not founded to supplant the role of lawyers, courts, or judges. We were founded to provide clear, accurate, forensic data, without fear or favor. We believe that by filling this gap we can enhance outcomes for all consumers, businesses, and regulators.

---

We are filing the gap related to reliable facts not existing. We did a scientifically controlled test with GPC on and off. We presented the results as technical findings along with general background.

We are not lawyers, and we are happy to help others perform their own audits: https://webxray.ai - we have no desire to be lawyers.

We are a hard-tech engineering outfit, we deliver scientific clarity on complex topics.

by tlibert

4/14/2026 at 4:51:20 PM

So you agree that you have no way to confirm whether those websites honor or do not honor the do-not-sell-my-info choice. You are simply checking whether they set cookies or not, without knowing whether the data is sold or not on the backend.

by warkdarrior

4/14/2026 at 4:55:49 PM

We run scientific audits that provide evidence of specific data transfers under specific network conditions.

by tlibert

4/14/2026 at 5:38:17 PM

Your marketing should specifically say "We track cookies" (or if you wanna get punchy about it, "We track cookies so cookies don't track you") so potential customers know exactly what they're getting. For the purposes of legal compliance, this is pretty irrelevant. There may be people that want to know that the existing laws and company's compliance to them doesn't actually stop the cookies from being sent, but your privacy report says the companies are "Our findings reveal major technology companies simply ignore globally defined opt-out signals, raising the spectre of industrial-scale non-compliance with California requirements", which is untrue and potentially opens you up to libel claims. They are not ignoring the laws, they are complying with the laws in a way that may or may not be what the consumer actually cares about.

by nostrademons

4/14/2026 at 6:28:20 PM

Do you have any legal experience, evidence, or case history to support your perspective? You assert that the statement "Our findings reveal major technology companies simply ignore globally defined opt-out signals, raising the spectre of industrial-scale non-compliance with California requirements" is untrue -- how do you know? Do you think everything found in the discovery process would agree? Do you think a company with a history of privacy violations would actually go through with a lawsuit where they'd have to definitively prove they don't? What about proving malice, that webXray knew their statements were false or acted with reckless disregard for their truth? What about the risk of filing a suit where California's anti-SLAPP statue would probably apply?

by tbrockman

4/14/2026 at 4:16:26 PM

> I'm the former head of Cookie Compliance

If the Internet didn't turn out the way it turned out, this could have been the greatest job ever.

by steve1977

4/14/2026 at 4:38:47 PM

Being the best in the world at what you do and not being allowed to do it is...not the greatest job. ;-)

by tlibert

4/14/2026 at 5:14:23 PM

Thank you for doing it anyways. The state of things seriously depresses me. We used to leave platforms just for putting up banner ads.

by nextzck

4/14/2026 at 4:17:51 PM

Thanks for speaking out publicly - especially as an Ex-Big Tech employee who knows the internal workings of these companies - and actually trying to do something about this.

I personally felt many times being tracked by Google or other big tech companies showing me something relevant to previous search queries even though they were made on different platforms and using adblock extensions (ublock origin). So their active tracking is definitely very elaborate.

by mentalgear

4/14/2026 at 4:27:25 PM

I won't lie, I miss the Staff/L6 paycheck and lack of stress. This is way less money for way more stress, but I chart my own path. I'm proud of what my company https://webxray.ai is doing.

by tlibert

4/14/2026 at 4:22:32 PM

Apologies in advance an excuse my ignorance as I am going on a hunch here and don't have much rather than perhaps frustration driving my comment, but it feels like this isn't the first and nor will be the last we find stuff like this.

I can't help but think they will pay the fines and go on continuing doing this, which makes it seem like it just evolved into a scheme where the government now takes their cut.

by hmokiguess

4/14/2026 at 5:18:41 PM

Sadly this isn’t even that bad compared to what’s in their own app binaries. If you’ve got an old iPhone you can jb and some claude usage to spare I highly recommend hooking up a ghidra mcp so you can see for yourself.

I don’t have any of their apps on my phone. And there is no known method to get rid of the trackers in your iCloud keychain.

by nextzck

4/14/2026 at 4:26:20 PM

I've been at this 15 years now, and it's neither the first nor last thing I'll do. We call the site "Global Privacy Audit" because California is first. The laws in California are weaker than elsewhere in the world. This is a warm up for the main dish.

by tlibert

4/14/2026 at 4:15:04 PM

No questions to ask, just wanted to say thank you for your work. I'm sure it's not easy and definitely less stressful to just leave things be. Thank you.

by bilekas

4/14/2026 at 4:17:16 PM

This is a phenomenally stressful day, I pissed of Google, Microsoft, and Meta in one shot, and they will come after me again. We do it because we believe in our product, and we'll stand the test anybody - even BigTech - puts us to: https://webxray.ai/

by tlibert

4/14/2026 at 4:50:31 PM

Not sure why you're being downvoted. Thank you for what you do.

by throwawayq3423

4/14/2026 at 5:17:35 PM

There are a lot of Google and Meta engineers who are convinced that they're not the bad guys.

by jmye

4/14/2026 at 5:01:21 PM

Appreciated, means a lot.

I'm not surprised at the downvotes, but someday we all have to look in the mirror and decide if we like what we see, but it's easier to downvote in the meantime.

by tlibert

4/14/2026 at 7:30:47 PM

If I may... I suspect quite a few of your comments have been downvoted for being a little—frenetic. In many ways, your work here (together with your previous work experience) speaks for itself, at least to those of us who get it.

Unfortunately, awareness-raising and solution-building are probably two entirely separate stages for this issue.

by nickburns

4/14/2026 at 4:19:56 PM

Jail time for execs. Only way things change.

by codemog

4/14/2026 at 4:22:16 PM

Just update the codebase, much easier, 10 minutes.

by tlibert

4/14/2026 at 5:32:41 PM

That entirely ignores and excuses the chain of decisions that lead to this problem. Removing it from the codebase today does nothing to dissuade them from doing something similar tomorrow

by Zetaphor

4/14/2026 at 5:46:03 PM

That's why webXray (https://webxray.ai) has perfected forensic privacy auditing - we catch every code change that has visible traces. I'll catch the same thing any way you do it - cookies, local storage, js obfuscated network payloads...no sweat. I'll go all day long.

by tlibert

4/14/2026 at 10:22:54 PM

Working as intended #WONTFIX

by JohnTHaller

4/14/2026 at 4:04:52 PM

Is there still anyone competent that "doubt" so? As long as data transit through their infrastructure, in security, we must always assume that it's recorded (and later-on, eventually used), it has nothing to do with "settings".

by pixel_popping

4/14/2026 at 4:20:27 PM

If a user has an "opt-out" button or signal it should be wired up to a system that functions as such. This is just a software engineering, you could vibe-code a fix in ten minutes.

by tlibert

4/14/2026 at 8:16:04 PM

Opt-out still goes through their servers, which means unsecure. We use encryption everywhere to not trust the middle layer, if it transits somewhere in cleartext, then it's logged and eventually used later-on.

I genuinely believe that people are insane to think otherwise, proof is that there has been millions(billions?) issued in fines for non-respect of this specific issue, why are people still having "hope"? It doesn't make sense, it's THERE, it's in THEIR DB.

The same goes for LLMs of course, every prompts is recorded and will be used, be sure of that.

by pixel_popping

4/14/2026 at 5:33:51 PM

You are assuming this was simply a development oversight and not part of a larger systemic issue

by Zetaphor

4/14/2026 at 8:16:42 PM

Exactly, this is wanted, why would Google not exploit your data "opted-out"? That makes no-sense from their business point of view.

by pixel_popping

4/14/2026 at 5:46:19 PM

Oh, I very much am not.

by tlibert

4/14/2026 at 5:25:01 PM

I don't think monetary fines are going to protect the rights of the people. The justice system must arrest the CEO's and put them into prison. I would like to know if there are less drastic measures, but there needs to be consequences such that these corporations won't try this again.

by kittikitti

4/14/2026 at 4:09:06 PM

I mean duh, but also this seems like a fairly weak gotcha. Cookies != Tracking, they can track you just fine without cookies, and they can use cookies without tracking you.

by dec0dedab0de

4/14/2026 at 4:15:44 PM

The report is specifically ads cookies and includes links to primary source disclosures on the websites of the companies mentioned. We did not count things like DDoS cookies, login tokens, and the like. We operate with unparalleled precision in our domain.

by tlibert

4/14/2026 at 4:21:48 PM

I'm curious why this was downvoted--I'm not complaining or trying to go against HN guidelines; I'm genuinely unclear as to why the first-party source for the article clarifying the question in GP was marked dead. Bad actors? Misinterpretation? Other?

by zbentley

4/14/2026 at 4:42:27 PM

No idea, I thought it was a valid question and we go to great lengths in our methodology for this reason. The audits we supply for enterprise are highly specific as to cookie purpose for this reason: https://webxray.ai

by tlibert

4/14/2026 at 4:14:06 PM

> Cookies != Tracking, they can track you just fine without cookies

That's probably true, but not what the articles reporting:

> 55 percent of the sites it checked set ad cookies in a user’s browser even if they opted out of tracking

So essentially, it's ignoring user preference directly, not just in spirit.

by benrutter

4/14/2026 at 4:25:13 PM

"Legitimate interest."

by Balinares

4/14/2026 at 4:48:50 PM

That concept is applicable to the European Union, doesn't apply in California.

by tlibert

4/14/2026 at 4:12:44 PM

Cooking != Tracking?

That's historically been a very prominent purpose of cookies.

Sure it's not exclusively tracking, but it's nonsense to make the assertion that "Cookies != Tracking"

by rockskon

4/14/2026 at 5:02:26 PM

Cookies serve a lot of valuable purposes, it's important to disambiguate.

by tlibert

4/14/2026 at 5:27:09 PM

Sure. But given the lack of specificity from the person I was responding to, it felt important to correct.

by rockskon

4/14/2026 at 4:17:39 PM

And in modern times: everybody, including big companies trust the AI APIs from

Google, Microsoft, OpenAI, Anthropic etc. etc.

sure... the contracts saying often there is no saving or learning from the AI API usage. But it's at the end like a "trust me bro" promise.

There is a saying on the internet:

The generation that refused cookies is now giving AI permission to read their emails, scan their local files, and manage their bank accounts.

It seems many have given up...

by therealmarv

4/14/2026 at 4:23:17 PM

Luckily "trust me bro" is not a defense in court - there is a thing called "discovery" when they have to prove their claims. The fact is few regulators ever use it, but class-action cases often do.

Guess who's winning?

by tlibert

4/14/2026 at 4:24:35 PM

Companies have been getting increasingly aggressive with ‘destruction as a normal course of business/policy’ to help reduce the impact of that. And that assumes that the people tasked with doing the dirty work are following the policies.

It’s been pretty obvious at the federal level (Signal leaks, etc.) that the folks at the top are explicitly trying to avoid it.

by lazide

4/14/2026 at 4:32:10 PM

These greedy corporations spy on us. Our data is valueable to them.

When someone spies on you, it means they do not trust you. That means we should not trust them either.

It's not just merely these giant corporations though. I think the whole business model is broken, if they need to spy on people in order to milk out more profit. One big glaring weakness is ... the browser. I think we need to find a solution here. Chrome is a problem. Chromium can not offset this problem; Google still makes most decisions. (You can adapt, but it is a constants wear-and-tear race to do so, Google has more resources.)

I used to think that Ladybird could provide an alternative; then I was banned from the project site, allegedly for "trolling" and "insulting". I disagree with that but there is no real regulation to protest. This unfortunately exemplifies a problem how the modern www became too restrictive in general and alternatives stumble on their own "morality", before they even produced a real competitor here. (I still think there should be competitors to Google, so it is good that Ladybird exists; I am just no longer attached in any way as to whether they succeed or not, due to the ban.)

What we need is a real global movement. Everywhere. The whole www model has to change. It should not be controllable by private entities or state agencies - those who watch the age verification process already know what's coming next.

Got your ID ready to access information yet, bud?

by shevy-java

4/14/2026 at 4:34:13 PM

So this is the first audit in our Global Privacy Audit, we're going to keep going. California was the warm up, we're going world-wide with this, our technology scales 1:1 with theirs.

by tlibert

4/14/2026 at 4:05:05 PM

Luckily almost all modern corporate tracking is done through javascript execution + cookies. The days of parsing actual webserver logs are over for the most part. After all, it's only the browsers that execute javascript code and provide profitable personal information about the human behind the browser that matter. People with JS off are not providing sellable information and therefore classified and treated as if they were bots.

Turning off JS by default and temp-whitelisting only mitigates most of this tracking.

by superkuh

4/14/2026 at 4:10:57 PM

The issue is, even with all the browser protections, you still create an account anywhere or buy something an input your name/email address/shipping address, your "hashed data" immediately gets sent to meta/google as a conversion with "this guy bought a cat toy", and you start getting ads for cat related stuff everywhere.

They don't even need to "track" you properly for this stuff to work and it seems there's no way to escape it.

by phn

4/14/2026 at 4:15:25 PM

I don't experience that though I have friends who use smartphones who describe it. So I think a lot of it is via javascript. I doubt every retailer, or even a significant fraction, has their backend sending that type of data to $megacorp. But maybe I'm just lucky or shop weird places or it's because I use a new email address @superkuh.com for every account sign up. Or maybe I'm just not seeing the targeted ads for my $superkuhprofile that do exist because I have almost all ads successfully blocked. Perfect is the enemy of good anyway, all mitigations help a bit. And blocking JS is a huge mitigation.

by superkuh

4/14/2026 at 4:18:27 PM

If those companies are using big SaaS companies for eCommerce and have not going "Don't Track" part of their admin panel to turn off tracking, a lot of those SaaS companies will just sell off the data.

So sure, cat toy small time retailer on Etsy won't but credit card processor or shipper might.

by stackskipton

4/14/2026 at 4:20:14 PM

I think part of the issue is that these retailers are also customers of meta/google on the side of purchasing ads, and as a merchant you're highly encouraged to send as much data on your events as you can, or your conversion tracking can be "less accurate"and your campaigns are less efficient.

So it's less about "we're sending the data to $megacorp" and more about "I want the most bang for buck on my own campaigns" when the decision is made.

Using a different email certainly helps, though!

EDIT: highly encouraged by meta et. al! Whether this is a legitimate request to improve results or pure self-interest on the part of meta I don't know!

by phn

4/14/2026 at 4:21:17 PM

We look at 2 examples of third-party HTTP cookies and 1 example of javascript. It's both, you have to defend on a complex terrain.

by tlibert

4/14/2026 at 5:04:22 PM

mind reading tech is here

by Lapsa

4/14/2026 at 4:24:03 PM

Now it'll be interesting to see if the AI companies do the same

by david_d8912

4/14/2026 at 4:29:18 PM

Still waiting on a public recognition from a company I helped quietly fix a serious problem. I'm generally on the side of helping people fix, revealing what's going on publicly isn't our first preference.

(And to the person who resolved the issue with the Major AI Company - would it really hurt to give a shout-out for the help we gave you?)

by tlibert

4/14/2026 at 4:25:40 PM

In other news, thieves steal things, and liars keep telling lies.

by WhyNotHugo

4/14/2026 at 4:40:39 PM

And the tellers of truth keep telling the truth.

by tlibert

4/14/2026 at 4:27:26 PM

great works! hope this gets more attention soon. Unfortunately I do not care for the graphic at the top of article (that casual readers will be impressed by) since it conflates spiritual imagery with spying.. People with little education in either easily conflate the two.. People who are hostile to spiritual topics can quickly amplify the vilification of it.. so, please consider not using that kind of symbol in media campaigns and public outreach. thx

by mistrial9

4/14/2026 at 4:25:44 PM

Wait until you folks learn about the quantum panopticon. It sounds fake but governments everywhere are recording as much encrypted data as possible in hopes of decrypting it in the future w/ quantum computers: https://link.springer.com/article/10.1007/s11023-025-09723-2

by measurablefunc

4/14/2026 at 4:30:13 PM

Yes, only true solutions are network layer severing.

by tlibert

4/14/2026 at 4:29:44 PM

Max Schrems has entered the chat.

by robotswantdata

4/14/2026 at 5:47:00 PM

Max is a lawyer, I'm an engineer. ;-)

by tlibert

4/14/2026 at 4:20:29 PM

I'm shocked!.... not

by 725686

4/14/2026 at 4:13:02 PM

[dead]

by dfhvneoieno

4/14/2026 at 4:02:54 PM

[dead]

by CWwdcdk7h