IMDEA Networks research on covert mobile tracking wins the 2026 CNIL–Inria Privacy Award

The award recognizes the paper Bridges to Self: Silent Web-to-App Tracking on Mobile via Localhost, which exposed a previously unknown tracking technique used by Meta and Yandex on Android and prompted browser, platform and policy changes

06 July 2026

An international research collaboration co-led by IMDEA Networks has received the 2026 CNIL–Inria Privacy Award for uncovering a previously unknown tracking technique that allowed Meta and Yandex to link users’ web browsing activity with their mobile app identities on Android devices. The award recognizes not only the scientific contribution of the work, but also its real-world impact on browser security, regulation and privacy protection.

The award-winning paper, “Bridges to Self: Silent Web-to-App Tracking on Mobile via Localhost”, revealed how the security boundary between web browsers and mobile applications on Android could be circumvented. Although both environments are designed to operate independently, the researchers showed that local communication channels could be exploited to silently connect tracking scripts embedded in websites with native apps installed on the same device. As a result, apps such as Facebook, Instagram and several Yandex applications were able to associate users’ browsing activity with their persistent app identities without their knowledge or consent. The technique bypassed existing privacy protections, including Incognito mode and other safeguards intended to prevent this type of cross-platform tracking.

After responsibly communicating their findings to the affected entities, the research has had a significant impact beyond academia, resulting in technical mitigations, regulatory engagement and policy discussions in Europe and the United States. “The impact has extended far beyond the paper itself. Following our responsible disclosure and the press coverage, Meta and Yandex immediately stopped the tracking technique, all major browsers on Android and Android itself introduced mitigations, and the findings have been discussed in web standardization bodies. We also presented our work to multiple data protection authorities and the Spanish Congress last December, while members of the U.S. Congress requested information to Meta’s CEO based on our findings. It’s rewarding to see empirical research translate into concrete technical, regulatory, and policy changes”, explains Narseo Vallina Rodríguez, Research Associate Professor at IMDEA Networks and one of the authors of this work.

On June 24, 2026, on the occasion of Privacy Research Day and the G7 of data protection authorities, Bruno Sportisse, CEO of Inria, and Marie-Laure Denis, President of the CNIL, presented the CNIL–Inria Privacy Award in Paris. Awarded annually by the CNIL and Inria since 2016, the CNIL–Inria Privacy Award recognizes outstanding research that advances the protection of privacy and personal data while contributing to public awareness and evidence-based policymaking. “It’s a tremendous honor because it shows that rigorous privacy research is valued not only by the scientific community but also by regulators. This recognition reflects the work of an exceptional team spanning Radboud University, KU Leuven, and IMDEA Networks, and acknowledges the enormous effort involved—from responsible disclosure and coordination with browser and OS vendors to engagement with regulators—to ensure research delivers real benefits for society”, says Vallina Rodríguez.

For the researchers, the award also underlines the importance of collaboration between academia, industry, standards bodies and regulators to address emerging privacy threats and ensure that scientific discoveries translate into meaningful protection for end users.

Reflecting on the broader importance of independent privacy research, Aniketh Girish, Postdoctoral researcher at IMDEA Networks and co-author of the paper, adds: “A handful of companies now shape how billions of people experience the internet, with very little independent oversight of what they actually do behind the scenes. This work is a small reminder of why that oversight has to exist. Independent privacy research is one of the few checks that can hold these systems accountable to the people who use them.”

Categorized in:

Archives

Categories