Fauxx Data poisoning for your everyday tracking
from hornedfiend@sopuli.xyz to privacy@lemmy.ml on 15 May 20:50
https://sopuli.xyz/post/45741246

Fauxx is an open-source Android privacy tool that poisons data broker and ad-tech profiles by generating continuous, plausible, off-demographic synthetic activity from your device. The goal is simple: make your real behavioral signal statistically indistinguishable from noise.

Not my project, but thought this is really cool and worth sharing.

#privacy

Runecrush376@lemmy.world on 15 May 20:54

I just found this app on droidify, really cool idea. I'd love to see something similar on Linux. (I'm not sure if something like that already exists)

crow@leminal.space on 15 May 21:11

Interesting, how useful is it if I’m always behind a VPN and browse privately (hardened browser, ad blocker, no-script, never logged in etc.)?

May be wrong but the way I see it it doesn’t help me much?

f3nyx@lemmy.ml on 15 May 22:04

i only did a quick readthrough so my understanding of how it works is probably flawed. that said:

you could consider split-tunneling a browser outside of your normal stack for fauxx to pollute. that way your real activity remains as close to “ghost” as possible, and gives your device a fake fingerprint that will fool anyone not directly targeting you.

the reason I’d suggest doing it that way is that nobody’s personal device hygiene is perfect. flooding with synthetic data is a great way to help conceal when you slip up.

Mister_Hangman@lemmy.world on 15 May 22:08

Go further. I’m listening like a regard trying to understand

f3nyx@lemmy.ml on 15 May 22:49

you’re kind of giving me a blank slate to talk here so let me hit the biggest point that is tangential to this conversation.

the easiest point for me to make is that if, on your phone, you bought your SIM card (and attached phone number) with payment info that can be tracked to your bank and your real name, your location is compromised whenever that card is online. this is something that the vast majority of privacy enthusiasts either neglect due to lack of knowledge, or cannot afford to remove from their threat profile due to the pervasiveness of cell networks in day to day life.

The most recent example i can give of this being necessary to consider in your privacy posture: In the US, ICE is using this combination of personal information and compromised locations to focus their efforts in neighborhoods with a primarily minority population.

rhythmisaprancer@quokk.au on 16 May 02:48

> whenever that card is online

Do you mean when the card is an active card viable for use? Or stored in the phone somehow? I’m curious what online means and if I am doing it… I don’t have any payments connected to a mobile phone but I do have a SIM card, probably paid for with a now expired card.

f3nyx@lemmy.ml on 16 May 04:06

basically, a SIM is what connects your phone to your mobile provider’s network. Any time you want to use that infrastructure (the phone turns on, you turn off airplane mode, you turn on your eSIM) your phone makes a request to the network, which requires an authentication via the IMSI number provided by the SIM. When this happens, your location is triangulated and your status as a cell network subscriber is verified. this process also happens periodically, and more frequently if you’re on the move. The technical reason for this is that your phone needs to know which towers to route requests to, and that you are paying for the service.

Theoretically, your phone is capable of being triangulated even without a SIM. However, for this to happen (outside of calling emergency services) as far as I’m aware this requires some sort of device compromise and is therefore out of most people’s scope. If you’re paranoid of tracking, remove your SIM (or disable it if it is an eSIM) and if you’re super paranoid, grab a Faraday bag to put it in.

let me know if i didn’t explain anything well enough.

rhythmisaprancer@quokk.au on 16 May 04:24

Thanks! Now I think that when you said “card is online” you meant the SIM card, not credit card. I use an alternative OS that, as I understand it, does a little to offset the tracking but it is, indeed, outside of my scope! I mostly have my phone on airplane mode, even away from home, but of course not always. I do know that this OS eliminates the ability for the phone to call home when on airplane mode.

racoon@lemmy.ml on 16 May 11:31

Your location can be triangulated by reading neighbouring wifi SSID names, because every SSID and MAC identifier is in a huge database scraped by rolling slowly along every road and every street. Probably by the same people who took pictures for Google Maps etc.

f3nyx@lemmy.ml on 16 May 20:21

I’m going to be a little pedantic here, I hope you don’t mind.

I wouldn’t say your location can be triangulated by SSID. you’re 100% correct about them being findable online, and that’s why it’s important to rotate your SSID every few months to a year. also, don’t be creative with it, just have it be the generic manufacturer string or something similar if you can.

with that database, people can tell where you’ve BEEN, not where you ARE. it doesn’t necessarily compromise your immediate location.

however, yes, it can assist with that. most phones, when not connected to WiFi, broadcast all the SSIDs they have saved in an attempt to connect to one of them. that’s another fingerprint. the caveat is that someone needs to be relatively close to you to be able to snoop those broadcasts, or have a device installed somewhere that’s snooping all traffic. in those cases someone is already following you or you’re (probably) in a fairly public place.

this is also an easy one to foil. when you leave a location where you connect to WiFi, turn your WiFi off so that your phone isn’t constantly broadcasting for it. this saves battery as a nice bonus. GrapheneOS enables this by default.

crow@leminal.space on 16 May 11:58

> nobody’s personal device hygiene is perfect

fair point. guess I’ll try to understand a bit better how everything works before making a decision

side note: I like how in this thread we have a crow, a f3nyx and a raccoon lol

leoj@piefed.zip on 15 May 21:34

I wonder if you could set up a second phone that is logged in with all your accounts, then use it for FAUXX, currently concerned about battery usage / background usage of device.

Like, does it need to be running continuously ALL DAY to effectively poison? Or is sometimes usage helpful? Second phone idea solid?

Anyone who understands the data collection better have thoughts?

adespoton@lemmy.ca on 15 May 22:11

This method wouldn’t combat device fingerprinting, so it would be trivial for everyone but the aggregate data brokers to filter out as noise.

For a strategy like this to work, your legitimate traffic needs to be indistinguishable from the random traffic.

leoj@piefed.zip on 15 May 22:14

So basically it has to be running while you’re using it, and on the device you primarily use?

f3nyx@lemmy.ml on 15 May 22:40

not necessarily. if ‘you’ are sending traffic, i (someone interested in your data) don’t really care where it comes from. Em is correct that it’s trivial to filter out, but it’s also another data point that is interesting and potentially relevant for them, so in practice they won’t.

tracking has gotten to the point where they can infer connections based off of users that have no interaction but otherwise share a location for a period of time (think coffee shop wifi, work). you have things in common with those people. maybe not a lot, but enough to be relevant in someone’s dataset somewhere.

so no, it doesn’t have to be running on your primary device to be relevant. i’d argue that it simply being on your home network would be enough.

sjkhgsi@lemmy.lynas.ca on 15 May 22:16

That’s cool!

FauxLiving@lemmy.world on 16 May 02:16

No relation

comrade_twisty@feddit.org on 16 May 07:55

This is great! I wanted something like this for a long time.

Any suggestions for something similar that runs on a linux desktop?

I used TrackMeNot extension for Firefox in the past, but it has been abandoned and not updated in close to 10 years.

hornedfiend@sopuli.xyz on 16 May 09:10

I think what you’re looking for is AdNauseam.

comrade_twisty@feddit.org on 16 May 09:25

Afaik that won’t really work due to pihole on my network.

acido@feddit.it on 16 May 18:38

AdNauseam works on pages you are visiting, as far as I understood.

Fauxx instead does its thing independently in the background.

comrade_twisty@feddit.org on 16 May 22:24

Something like this is an interesting approach:

github.com/madereddy/noisy

GalacticGrapefruit@lemmy.world on 16 May 18:42

I’d advise switching from Firefox to Mullvad Browser. They have a window size protection tool built in to obfuscate your actual screen size, as well as some other cool goodies.

hexagonwin@lemmy.today on 16 May 19:06

the window size protection you mention is a firefox feature called RFP and can be enabled on vanilla firefox as well.

racoon@lemmy.ml on 16 May 11:28

Isn’t it easier to browse with JavaScript off whenever possible and with uBlock Origin?

acido@feddit.it on 16 May 18:36

just as an FYI, having JavaScript off potentially adds to your fingerprint.

racoon@lemmy.ml on 17 May 19:04

Everything adds to my fingerprint. Nothing minuses to it. No matter what I tried.

hexagonwin@lemmy.today on 16 May 19:05

it’s a different approach, OP maximizes the data being harvested to make it harder to tell what the real usage data is, turning off javascript minimizes the data being collected but potentially makes you unique and stand out among other vanilla users

MonkderVierte@lemmy.zip on 16 May 11:53

Ok, but how does it work? Not the faux data generation part detailed on the git (which OP didn’t link btw) but how it injects/intercepts the data.
There are Magisk modules for this kind of thing, because what can be faked is severely limited without the ability to mess with other apps or the system.

Does it put a local VPN or what?

acido@feddit.it on 16 May 18:42

started using it today, it still is in early stages of development and it’s pretty bugged, but it’s very cool.

the main doubt I have now is if it would be more useful if you could fake activity coherent with your location, for example, because being in EU and faking visits to US gov sites doesn’t exactly sound as stealth.

I could be wrong though.

UkrainianBull@reddthat.com on 16 May 21:19

Why would you not post a link? f-droid.org/packages/com.fauxx.full

SocialistVibes01@lemmy.ml on 17 May 00:37

Really cool. The dev is doing Che’s work