Something odd happened on Reddit today..
from NeedyPlatter@lemmy.ca to privacy@lemmy.ml on 22 Oct 23:08
https://lemmy.ca/post/53839046

Today around 12:00pm EDT, a post was uploaded to r/whenthe by u/concussionmaker_91 about how despite their multiple privacy measures, Reddit was still able to ping their location and show them an ad about a business in close proximity to their house. Then, in less than 2 hours after the post went live, their year-old account was permanently banned. Redditors in the comment section used a website called SnooSnoop to see if this account has done anything malicious in the past that may be grounds for a ban only to find nothing.

I don’t think this is a mere coincidence and some comments I read on the post may be there to dismiss the situation.

I’m currently working on archiving the post and comments in case Reddit decides to try and erase this entire situation from the web, I’ll attach the files when I do.

#privacy

voytrekk@sopuli.xyz on 22 Oct 23:12

They are likely fingerprinting their browser.

sorrybookbroke@sh.itjust.works on 22 Oct 23:23

That identifies the user sure, not location. More likely, the VPN was off at one point and reddit logged their known location. Just ignore the IP and take the last known personal location.

Guy’s logged in so fingerprinting isn’t needed. They already got the guy. They’re still fingerprinting though

DarkCloud@lemmy.world on 22 Oct 23:35

Or it’s just a bakery they’ve looked at online, and that has been packed into their advertiser profile.

So might not have anything to do with location. Also, most VPNs are data brokers. Which is why Israel’s Kape Technologies has been buying them up.

sorrybookbroke@sh.itjust.works on 22 Oct 23:41

True. Weird a supposed privacy conscious dude doesn’t have an adblock and/or a tracker blocker to minimize that risk.

Ublock, Firefox, and Ghostery are friends

scytale@piefed.zip on 23 Oct 02:34

Not ghostery. uBO is fine by itself.

NeedyPlatter@lemmy.ca on 22 Oct 23:36

^ Not to mention that considering how privacy conscious the OOP was there’s a good chance they had some way to limit IP tracking. When I verify log-ins for 2FA the approximate location shown in emails is rarely in my city much less close enough to pin any business near my home.

Edit: I skipped over the part where they had proxies active. Which leads me to my next question: If they had proxies active wouldn’t they cover their tracks if the VPN fails?

bamboo@lemmy.blahaj.zone on 23 Oct 00:02

It just takes one time logging in without having VPN enabled for your account to be associated with a location. Their ad network probably filters out known VPN IPs, or IPs from countries where there are no ads to serve up, which might leave the only valid IP address associated with their account to be used.

Imacat@lemmy.dbzer0.com on 23 Oct 00:23

It can identify the user and their hobbies, schedule, device, and all sorts of info depending on how careful the user is. Not too far of a leap to match it to a non vpn fingerprint with a known ip and location.

Prove_your_argument@piefed.social on 23 Oct 00:32

If they can identify the user’s computer, they can cross reference against all the other tracking metadata available. Since they know the browser down to the individual, they also know the predominant IP of said browser and can link your actions from before and after the vpn/proxy account was created.

As long as javascript is running they can track your mouse movement, which is similar to people’s gait when they walk. It’s unique, it’s identifiable. You can probably fuck with them by using a trackball on one profile, but once they link that trackball movement to your profile with other metadata then the cat is out of the bag and you’re permanently known to Reddit and whoever it sells its data to.

As much as people will claim “just disable javascript!” - you’ll find that you practically cannot use the internet without it… and having JS disabled makes your fingerprint even more unique as few disable it carte blanche.

Basically, once they have a shadow profile of who you are it’s just a matter of time for them to link any account created to it. I suspect almost everybody’s shadow profile is quite complete.

Serinus@lemmy.world on 23 Oct 04:36

> As long as javascript is running they can track your mouse movement, which is similar to people’s gait when they walk.

Gonna need a source or a reference for that second part. Yes, I’m very aware that your mouse movement can be tracked, so we can skip that part.

leftzero@lemmy.dbzer0.com on 23 Oct 06:40

Just look up mouse fingerprinting.

This was one of the first results for me.

The rest were companies selling user deanonymization solutions that use mouse fingerprinting.

datavoid@sh.itjust.works on 23 Oct 08:45

Good thing I have never looked at anything questionable on Reddit…

Blue_Morpho@lemmy.world on 23 Oct 03:07

It IDs the user which is then matched to the last known location of that user.

TheAsianDonKnots@lemmy.zip on 22 Oct 23:51

Unless they’re spoofing their MAC address, hardware fingerprinting is much more reliable and predictable. It’s easy to watch a MAC bounce all over the country/world in a matter of minutes.

At this point in history, it’s too late to implement identity protections. Your profile is already built, stored, and backed up. They even know your deleted edgelord MySpace account and that you unfriended Tom (you monster). I guess if you were born in a ditch without a SSN, and never signed up for anything, not even a house/apartment, you could go under the radar.

ryannathans@aussie.zone on 23 Oct 00:03

MAC addresses don’t leave your home network, they are layer 2

TheAsianDonKnots@lemmy.zip on 23 Oct 00:10

I’m speaking from the point of view of the app you willingly installed that tracks your MAC address. Part of the reason iOS 11 implemented built-in spoofing, but I can tell you right now, I know Tim Apple ain’t on the users’ side anymore.

XTL@sopuli.xyz on 23 Oct 07:17

Never has been.

bamboo@lemmy.blahaj.zone on 23 Oct 00:12

MAC address is in the data link layer of the networking stack, and would only be seen by other devices on the same network as you. This isn’t visible to websites you visit (unless you’re on the same subnet), and as TCP packets go through network hops, the MAC address is replaced with the router’s MAC address for each hop.

The reason for MAC address randomization (standard on iPhone and Android) is not for anonymity to the websites you visit, but is there to anonymize the wifi broadcasts in your general vicinity, like a 30 meter radius. The MAC address is randomized so that broadcasts to check wifi networks while you’re out and about can’t be used to track your physical location.

TheAsianDonKnots@lemmy.zip on 23 Oct 00:51

I’m speaking from the point of view of the app you gave permissions to collect your hardware data. Y’all are talking like I think a MAC is transmitted over tcp. I don’t need an intro to OSI. Those apps use the hardware data to know if you’re using Samsung, LG, Apple, etc and they store large databases of MAC addresses on individuals. They can even build a local hardware profile to see if you sold your device, to whom, and what device you replaced it with.

eldavi@lemmy.ml on 23 Oct 00:19

> At this point in history, it’s too late to implement identity protections. Your profile is already built, stored, and backed up. They even know your deleted edgelord MySpace account and that you unfriended Tom (you monster). I guess if you were born in a ditch without a SSN, and never signed up for anything, not even a house/apartment, you could go under the radar.

i was going to say something along these lines and also that the data they have on you has life long implications.

i used to work for a data broker and the tricks that their data scientists were able to cook up to track and predict people’s behavior was really unnerving to me.

the company’s clientele was mostly high end retail & real estate and geared towards predicting the likelihood of your next “lifetime milestone purchases” (that’s what they called it). i had access to the product; so i looked up its portfolio for me and it predicted that i was ever going to buy a house or car.

i chuckled at it back then because my salary as a software engineer at the time was a very comfortable 6 figures so it didn’t seem likely to me. 8 years later i’m scraping by working for a local non-profit, i’m still driving the same car and home ownership has never seemed further away.

artyom@piefed.social on 23 Oct 00:15

At this point there are 100 easier ways to track users. They probably signed up with a personal email address.

krolden@lemmy.ml on 22 Oct 23:17

Who cares

sorrybookbroke@sh.itjust.works on 22 Oct 23:20

Why are you in the privacy community?

I care. Reddit, and other major sites, should not be doing what is shown. That scares me. I care deeply

krolden@lemmy.ml on 23 Oct 00:47

They can do whatever they want as long as it brings more profit to shareholders.

Why is this not obvious to y’all by now?

You don’t have to use reddit. You definitely don’t have to have an account there

Hadriscus@jlai.lu on 23 Oct 02:38

> They can do whatever they want as long as it brings more profit to shareholders.
>
> Why is this not obvious to y’all by now?

I think this is clear to most visitors here. It doesn’t hurt to relay stories, although this one appears to be untrue, someone posted links above pointing to the user account that’s not, in fact, banned.

mcv@lemmy.zip on 23 Oct 10:51

The Friedman Doctrine (shareholder value is the only thing that counts) is the most harmful idea in capitalism.

I get that Reddit has to make money, but it’s still possible to show ads without infringing on your users’ privacy.

technocrit@lemmy.dbzer0.com on 23 Oct 17:51

> Why is this not obvious to y’all by now?

Pretty sure it’s completely obvious to everyone.

> They can do whatever they want as long as it brings more profit to shareholders.

Why is this not obviously a problem to you by now?

> You don’t have to use reddit.

V0te with ur clickzzz!!! smh.

RodgeGrabTheCat@sh.itjust.works on 22 Oct 23:28

I’m curious if that user follows a sub for his home town. Could be the recommendation is just a popular spot in that city.

NuXCOM_90Percent@lemmy.zip on 22 Oct 23:56

Two parts to this:

The first is Reddit (or any site) being able to identify you. And that is not a hard problem. Either they fingerprint the browser so your cookies tell who you really are or they just analyze your traffic and realize this user in Istanbul is constantly looking at the Cleveland subreddit. It’s why VPNs aren’t really (at all) useful for privacy unless you are combining it with burner accounts and even browsers. VPNs mostly are just useful for accessing region/network limited resources and spinning up a true beater.

As for the ban? They probably changed VPN, got an IP that a known “bad” user used, and got immediately caught in the same automated banwave. Don’t use VPNs with accounts you actually care about. Partially because of the risk of data leakage but also because you don’t know what the last person using that IP did. See also why you wear a condom before you stick it in the glory hole.

bamboo@lemmy.blahaj.zone on 23 Oct 00:14

> because you don’t know what the last person using that IP did

See also: why you don’t wear a condom someone else came in

Lfrith@lemmy.ca on 23 Oct 01:01

Odd to be using vpn and supposedly 2 proxies but not using an adblocker. I wouldn’t even know if I’m getting targeted ads because I don’t get ads and stay away from apps that have ads.

Angelevo@feddit.nl on 23 Oct 02:05

Welcome to the internet, where everything is made up and the points do not matter.

Privacy is pretty much an illusion at this point.

chicken@lemmy.dbzer0.com on 23 Oct 03:25

You just don’t get it by only concealing IP address. I bet if they also managed to avoid browser fingerprinting and giving clues about their location through their use of the site, that would have been enough that Reddit isn’t showing advertising based on location.

Auli@lemmy.ca on 23 Oct 04:25

The biggest lie of the internet is that VPNs give you privacy.

frongt@lemmy.zip on 23 Oct 05:59

They give you privacy from on-path attackers (ISP, network peers) from snooping on your traffic, that’s about it. Maybe also mixing your traffic into everyone else sharing the VPN server.

frongt@lemmy.zip on 23 Oct 02:25

Quit your bullshit. The post is still up, and the user account is still there.

old.reddit.com/…/i_dont_fucking_feel_safe_guys/

old.reddit.com/user/concussionmaker__91/overview

TechnoCat@piefed.social on 23 Oct 05:35

ColeSloth@discuss.tchncs.de on 23 Oct 06:18

If you read any of those comments in what you yourself linked, you’d see that a whole bunch of them are referencing and talking about OP’s profile no longer there. So obviously, due to technical issues or other means, the OP of that post was not there for some time period and it has since been restored. “Slam dunk”

irmadlad@lemmy.world on 23 Oct 02:40

> Something odd happened on Reddit today…

I don’t find that extraordinarily odd at all really. This has been Reddit’s modus operandi for quite a while now. Anything that might pull the curtains back to peep at what/who’s running the show is sternly frowned upon. Usually, they will just shadow ban you which I personally find cowardly. I’d rather you tell me straight out to piss off.

On the topic of browser fingerprinting. I have a more than fair understanding of how it works, however, I am an expert at nothing. What has always struck me as odd is that browser fingerprints change over time, so how do you use a browser fingerprint to source the origin user? Without changing anything, my fingerprint ‘score’ changes daily. Some things that change or affect browser fingerprinting are:

  • User-Agent (browser, OS, version)
  • Screen resolution & color depth
  • Installed fonts
  • Plugins & extensions
  • Canvas & WebGL rendering
  • Timezone & language settings
  • HTTP headers (Accept, Do-Not-Track, etc.)
  • WebRTC, audio context, hardware info
  • Cookies, local storage, caching behavior

About 80% to 90% of all browser fingerprints are unique at any given time. Only 30% to 50% of browser fingerprints change within 1 to 3 months. Users who regularly update, wipe their browser data, or install extensions have the most changes, whereas users who hardly ever update anything, never wipe browser data, or install extensions have the most consistent browser fingerprints that can last months to years. So, in my thinking, a browser fingerprint alone would do little to pinpoint a specific user, if they are regularly maintaining their security envelope. I guess in the case of forensics, a browser fingerprint could be used as a part of complementary evidence.

If they were using a VPN, it could be that their DNS was leaking. However, Reddit usually rejects accounts made with a VPN engaged.

Checking fingerprinting is something I do regularly because I’m very curious. The best I’ve been able to achieve is partial or nearly unique. I also do daily DNS leak tests, which may sound all paranoid, but even with a VPN, and a stand alone pfsense firewall/unbound, and various other obfuscation techniques, VPN IPs change and the IP you had yesterday for a certain locale, might not be the same as today, so it’s worth me taking a minute to check. Not that I have anything to hide. /s

I recommend a daily cleansing with Bleachbit, or Privazer. Schedule task or a cron to run it before shut down.

If someone has expert knowledge of browser fingerprinting, I stand by to be schooled.
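
On the question raised in the comment above, of how a fingerprint that changes over time can still point back to one user: the sketch below is an added example (not from the thread, and not any site's actual code) that contrasts an exact fingerprint hash with attribute-by-attribute comparison. The snapshots, the attribute values and the 0.75 threshold are constructed assumptions.

```javascript
// Attribute names follow the list in the comment above; every value is constructed.
const day0 = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:143.0) Gecko/20100101 Firefox/143.0",
  screen: "2560x1440x24",
  fonts: ["DejaVu Sans", "Fira Code", "Liberation Serif", "Noto Sans"],
  extensions: ["uBlock Origin"],
  canvas: "c9f1e2",
  timezone: "America/Toronto",
  language: "en-CA",
  headers: "accept=text/html;dnt=1",
  hardware: "8 cores",
};
// The same browser a month later: one browser update and one new extension.
const day30 = {
  ...day0,
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
  extensions: ["uBlock Origin", "Dark Reader"],
};
// A different person in the same city.
const stranger = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/141.0.0.0",
  screen: "1920x1080x24",
  fonts: ["Arial", "Calibri", "Segoe UI"],
  extensions: [],
  canvas: "77ab10",
  timezone: "America/Toronto",
  language: "en-CA",
  headers: "accept=text/html",
  hardware: "4 cores",
};

// 32-bit FNV-1a, used only to turn the attribute string into a short digest.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// "Exact" fingerprint: any single attribute change produces a different digest.
function exactFingerprint(snap) {
  const parts = Object.keys(snap).sort().map((k) => `${k}=${JSON.stringify(snap[k])}`);
  return fnv1a(parts.join("|"));
}

// Per-attribute score: Jaccard overlap for lists, equality for scalars.
function attributeScore(a, b) {
  if (Array.isArray(a) && Array.isArray(b)) {
    const union = new Set([...a, ...b]);
    if (union.size === 0) return 1;
    return a.filter((x) => b.includes(x)).length / union.size;
  }
  return a === b ? 1 : 0;
}

// Fraction of the fingerprint that is unchanged between two snapshots.
function similarity(a, b) {
  const keys = Object.keys(a);
  return keys.reduce((sum, k) => sum + attributeScore(a[k], b[k]), 0) / keys.length;
}

// Best stored profile at or above the threshold (0.75 is an assumed cut-off), or null.
function linkSnapshot(profiles, snap, threshold = 0.75) {
  let best = null;
  for (const [id, known] of Object.entries(profiles)) {
    const score = similarity(known, snap);
    if (score >= threshold && (!best || score > best.score)) best = { id, score };
  }
  return best;
}

console.log(exactFingerprint(day0), exactFingerprint(day30)); // digests differ
console.log(linkSnapshot({ "profile-A": day0 }, day30));      // still links to profile-A
console.log(linkSnapshot({ "profile-A": day0 }, stranger));   // null
```

The changed digest corresponds to the fingerprint "score" moving from day to day, while the unchanged attributes still tie the new snapshot to the old one.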

einfach_orangensaft@sh.itjust.works on 23 Oct 03:02

way too complicated, the reddit app just checks what wifi is connected, and then sends the SSID and probably the MAC address to the reddit servers, they then compare that info to a global map of known wifi locations (created by multiple sources like google street cars, apps that collect that data, amazon ring devices etc) and then they have the location down to something like 30m.

irmadlad@lemmy.world on 23 Oct 03:56

30 miles covers a lot of potential users.

What about wired connections? I guess I fail to remember, a lot of people use their phones as a mobile compute platform, which I very rarely do, and certainly not a Reddit app.

sneaky@r.nf on 23 Oct 07:56

Location could just be from when the account was made right? I’m sure it would be very difficult to create a new account while utilizing a VPN considering how active reddit has become in blocking connections from known VPN providers.

Catalyst_A@lemmy.ml on 23 Oct 08:30

They require you to turn off your VPN for signup. If you use the main webpage then that’s different. I use a client that’s open source called continuum with no built in tracking.

Batmorous@lemmy.world on 23 Oct 08:44

Can you link the client you use?

CurbCuts@lemmy.ca on 23 Oct 09:08

It might be this: github.com/cygnusx-1-org/continuum

Catalyst_A@lemmy.ml on 23 Oct 09:11

That’s it. I use Obtainium to install it.

Catalyst_A@lemmy.ml on 23 Oct 09:13

You have to get an API key which you can get through the developer settings under “create app.” Just look up how to get reddit API key.

46_and_2@lemmy.world on 23 Oct 10:36

Doesn’t getting an API key defeat the purpose of “no tracking”? Genuinely asking, don’t know much about this, but intuition points me they will be able to track you by API key used then.

Catalyst_A@lemmy.ml on 23 Oct 17:10

Yes and no. I can’t really down the engineering behind an API key but I can tell you it is definitely individually linked to the account you setup the key on. But it can’t only track what’s being done in the app. I only use it to view web results where I’d be tracked much more by using the website. The app client itself has no trackers built into it. So it can’t spy on what else you’re doing.

hexagonwin@lemmy.sdf.org on 23 Oct 10:57

fyi there is also redreader, no idea if you can still register from it tho

Core_of_Arden@lemmy.ml on 23 Oct 08:54

Did you live under the impression that Reddit were there to not profit from their user base? Or to make sure the users have rights?

Far@lemmy.ml on 23 Oct 09:15

He just got unbanned and posted a meme about it.

Kushan@lemmy.world on 23 Oct 10:10

Before we start rolling out conspiracy theories and such, let’s all apply a little Occam’s razor to this.

The simplest explanation is that OP is full of shit.

Devjavu@lemmy.dbzer0.com on 23 Oct 15:07

Hehehee
Actually though, that’s not truthfully Occam’s razor. Occam’s razor requires the easiest answer with the least assumptions, which would be, that they’re using their tooling wrong.

YiddishMcSquidish@lemmy.today on 23 Oct 18:50

Finally, someone uses Occam’s razor correctly! The least amount of assumptions is the right verbiage.

HailSeitan@lemmy.world on 23 Oct 15:23

Hanlon’s Razor seems much more apt, suggesting OP’s incompetence rather than malice

Limonene@lemmy.world on 23 Oct 16:58

The simplest explanation is that OP doesn’t have good opsec, and got a few tracking cookies after deleting cookies, before setting up their proxy/VPN. Then, on the VPN, the advertiser recognized their VPN IP address, and chose to exclude that from generating location data, deferring instead to the location indicated in their existing tracking cookies.

Privacy is hard. The system is rigged against privacy. You have to do everything perfectly, because one simple mistake could leak your IP address.

rapchee@lemmy.world on 23 Oct 11:08

not to defend reddit too much, but posting “i feel like doing a terrorism on reddit” is worrying

turdcollector69@lemmy.world on 23 Oct 18:26

The user never said that though.

The user posted a picture of Ted because Ted was anti-technology and now the user feels anti-technology sentiments because they were tracked despite taking precautions.

Nowhere do they express a desire for violence or other illegal activity.

carrylex@lemmy.world on 23 Oct 11:09

Easiest explanation:

  1. Visit website X without VPN
  2. Get tracking cookie set that’s associated with your IP and approximate location
  3. Turn on VPN because you’re an idiot that believes VPNs fix everything
  4. Wonder how website X knows your approximate location

So no rocket science involved here…
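
The sequence in the comment above, together with the suggestions elsewhere in this thread that an ad network skips known VPN addresses and falls back to a location it stored earlier, as a small model. This is an added example, not from the thread and not Reddit's actual logic; the CIDR ranges (RFC 5737 documentation blocks), the place name and the cookie and account identifiers are constructed.

```javascript
// Constructed data: one "known VPN exit" range and one residential range.
const VPN_RANGES = ["198.51.100.0/24"];
const GEO = [{ cidr: "192.0.2.0/24", place: "Hometown" }];

function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  const start = Math.floor(ipToInt(base) / size) * size;
  const value = ipToInt(ip);
  return value >= start && value < start + size;
}

// Keeps the last location seen from a non-VPN address for every identifier
// (tracking cookie, logged-in account) that accompanied the request.
class AdLocationModel {
  constructor() {
    this.lastTrusted = new Map();
  }

  // Returns the location an ad would be targeted at for this request, or null.
  observe({ ip, cookie, account }) {
    const keys = [];
    if (cookie) keys.push(`cookie:${cookie}`);
    if (account) keys.push(`account:${account}`);

    const isVpn = VPN_RANGES.some((range) => inCidr(ip, range));
    if (!isVpn) {
      const geo = GEO.find((g) => inCidr(ip, g.cidr));
      if (geo) keys.forEach((k) => this.lastTrusted.set(k, geo.place));
    }
    // VPN addresses are ignored for location, so stored identifiers decide.
    for (const k of keys) {
      if (this.lastTrusted.has(k)) return this.lastTrusted.get(k);
    }
    return null;
  }
}

function replay(requests) {
  const model = new AdLocationModel();
  return requests.map((r) => model.observe(r));
}

// Steps 1-4 from the comment: cookie set at home, then VPN switched on.
const vpnAfterCookie = [
  { ip: "192.0.2.10", cookie: "c1" },
  { ip: "198.51.100.7", cookie: "c1" },
];
// Cookies wiped and logged out before the VPN session: nothing to fall back on.
const freshCookieLoggedOut = [
  { ip: "192.0.2.10", cookie: "c1" },
  { ip: "198.51.100.7", cookie: "c2" },
];
// Cookies wiped, but the same account logs in again over the VPN.
const freshCookieSameAccount = [
  { ip: "192.0.2.10", cookie: "c1", account: "u1" },
  { ip: "198.51.100.7", cookie: "c2", account: "u1" },
];

console.log(replay(vpnAfterCookie));         // [ 'Hometown', 'Hometown' ]
console.log(replay(freshCookieLoggedOut));   // [ 'Hometown', null ]
console.log(replay(freshCookieSameAccount)); // [ 'Hometown', 'Hometown' ]
```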

Devjavu@lemmy.dbzer0.com on 23 Oct 15:06

Fix: Every time you go to use a VPN, you delete any browsing data, ideally even start an entirely new vm, with a privacy friendly browser. Also gotta make sure to use an operating system that can’t be so easily fingerprinted, along with the computer’s hardware. So the only real easy answer is Whonix.

ArsonButCute@lemmy.dbzer0.com on 23 Oct 15:22

Doesn’t being so difficult to properly fingerprint just leave a trail of anomalous fingerprints to follow?

Like, I know it’s not the same but you can identify people from their silhouette, you don’t need a photo of their face. Paint around a subject well enough and it becomes clear even if you never add it to the image.

I guess what I’m asking is, does it leave a Clean Enough hole that people can tell what should be there?

Policeshootout@lemmy.ca on 23 Oct 17:59

Is your question rhetorical? I remember reading before that Facebook was creating shadow accounts for people that didn’t have actual accounts. They would build a user based on everything they could track, even attaching presumed names.

prole@lemmy.blahaj.zone on 23 Oct 19:45

Don’t most “privacy browsers” (I use LibreWolf) delete browsing data every time you close the program?

StarryPhoenix97@lemmy.world on 23 Oct 17:36

Arguably he wouldn’t have even needed to turn off his VPN. If he logged into an account associated with his real life. (A Meta program or Google environment) then he would have gotten those same location cookies. Same could be said if he had reddit on his phone. A VPN helps, but everything in your life is connected to everything else these days.

starman2112@sh.itjust.works on 23 Oct 18:13

Me when I turn on my VPN and still sign in via google

anas@lemmy.world on 23 Oct 15:31

The plot thickens…

Dragonstaff@leminal.space on 23 Oct 16:39

It’s so conceited to think the Jews are making you gay. They are a busy people and do not care about your love life. The Illuminati do put ‘the subliminal messages turning you into a femboy’ into all of your entertainment, but that was really more of a joke that got out of hand.

Vex_Detrause@lemmy.ca on 23 Oct 17:51

I think I’m so done with reddit, even old.reddit, that I reflexively pressed back after I clicked your link.

SoloCritical@lemmy.world on 23 Oct 18:03

Ah-ha! I looked at the link and decided it wasn’t worth clicking haha, one step ahead of ya!

technocrit@lemmy.dbzer0.com on 23 Oct 17:46

Nothing odd about a fash website doing fash shit.

edit: Oh wait… The original redditor was fash too? Typical reddit.

turdcollector69@lemmy.world on 23 Oct 18:24

Can’t track you if you never use their service

possumparty@lemmy.blahaj.zone on 23 Oct 18:34

hahaha meta would like to have a word with you

fibojoly@sh.itjust.works on 23 Oct 19:31

Is this related to the other post about Reddit collaborating with Palantir? Because it sure feels like it…

ronigami@lemmy.world on 23 Oct 20:12

You’re not safe. Signed, a tech person