So I decided to use my really old Pixel 3a as a test of sorts. It has CalyxOS, with always-on VPN (Surfshark). I have no accounts on it, Google or anything else. I usually use it for streamio or TikTok.
But I have noticed that I am still getting video recommendations based on what my flatmate watches (we share an internet router). Or what I watch on my other non-VPNed devices.
So what gives?
I am looking for an explanation as to why it's happening, not just how to fix it. Btw I also use private DNS, so DNS leaking is not the likely culprit.
Anyone know how to debug this info leak?
Lots of “anti-tracking features” on phones are smoke screens. Like, apps can get your SSID without asking for any permission, and the same thing goes for the “list of apps that have been installed on this device”. Those 2 alone can create unique fingerprints.
Is there any way to install apps in a closed docker app like partition where the app only sees a rather default looking list of apps?
I’m pretty sure GrapheneOS’ sandbox does this.
Check out ipleak.net and see if your VPN is working like you expect it to.
I found that apps and browsers could fingerprint me with aspect ratio alone. For me it was DuckDuckGo giving me localized results; I’m pretty sure both apps and browsers can get this info very easily. I’m sure TikTok can fingerprint your phone with very few information points, especially if it’s an app running on your phone, if not a simple website on your browser.
You might be able to get around fingerprinting if you use a Firefox fork like Iceraven or Fennec, install uBlock Origin and Privacy Badger, and browse via the website, but even there they may have enough information points to fingerprint you. Megacorps like TikTok and Meta bend over backwards to get your info.
Occam’s Razor: coincidence is the most likely explanation. Most of us aren’t as unique as we think we are. It doesn’t take very long for a keen observer (or algorithm) to profile our behavior based on direct surveillance.
Think of it this way: if you were the algorithm and were looking at a detailed account of every second of time you spent on the platform, and also had the same accounting for every other user… what inferences and connections might you, the algorithm, be able to make about you, the person?
It’s a feature, not a bug, for platforms to recommend relevant content. It’s also intrinsic for you to engage with the platform authentically, engaging with it in a way that aligns with your interests, preferences, and demeanor. Relevant content drives engagement. Engagement drives revenue. Irrelevant content does the opposite and serves to benefit no one involved. The popular platforms blew up exactly because they are so good at knowing what you want to see even before you do.
In short: no amount of tech can save us from ourselves.
https://pmc.ncbi.nlm.nih.gov/articles/PMC8843047/
BLE contact tracing? BLE is often always enabled on phones, even when “Bluetooth” is disabled.
Is this true for GrapheneOS?
Either the videos you both get in your recs are just viral vids that get blown into everyone’s feed or, like every other company, they bought data on you, so they know you live together.
The videos in question were about badminton, because he went to play badminton and he was looking online for tutorials. He is also into MMA and I am now getting those as well.
Let’s say someone did buy data on us, we are good friends so they would know about our connection.
But I still don’t understand how they could connect my real identity to my Pixel 3a, considering I never put my SIM in it or logged into Google on it after flashing with Calyx.
I want to research if Surfshark themselves collect some kind of data, cuz I am using their app rather than some WireGuard/ovpn profile.
Your cell company and Google aren’t the only companies that could make that link.
Companies could link your identity and your phone together by your browsing habits or any other account from other services you’ve signed into (e.g. TikTok if you used it before Calyx, or any other email provider, search engine, news website, etc. that you’ve visited). If you did any browsing on the same device before installing Calyx, they could have gotten tons of browser fingerprinting information directly influenced by minute differences between your phone’s hardware and others’. Or you could have just slipped up at one point and not had a killswitch on your VPN, so they were able to make a network connection outside your VPN before it managed to connect.
There’s a million different reasons that could be why.
I’d say check if your VPN is set to block all network connections when it’s off first, then think about if any account you use on your device now existed on a device with an OS prior to calyx, and prior to when you used a VPN. If the first is true, it’s likely you just had a simple IP leak. If it’s the latter, then that’s just gonna be basic tracking from any number of data brokers. And if it’s neither, then it’s probably some form of behavioral analysis that linked your past activity to your present activity, or your general interests to those of people around you.
To add to this, in CalyxOS you can enable Global VPN, Always-on VPN, and Block connections without VPN in your network settings. All great settings to leave on by default.
Have you checked to see if your VPN has a DNS leak?
Are you mutuals on TikTok? It’ll send some of the videos it recommends to your friends to you as well in my experience.
I’m not familiar with CalyxOS, but could something be reporting your location? Could something be watching which WiFi networks are available to your phone? Such things could be used to figure out your phone is in the same household as the other devices.
I usually have my location disabled all the time, but that’s a good idea. I’m pretty sure there should be some kind of logs that mention location history or something.
As for CalyxOS, it’s a custom ROM that advertises itself as privacy friendly, so I am assuming their defaults would be privacy friendly.
Location isn’t the only way they can track your position. Things like nearby WiFi networks and the times of day you get on also tell them where you are, because your neighbors probably have their location on and their phones see the same networks yours does. Not to mention, any other data that the app is allowed to access. If I remember correctly, there’s a long list of information the app requests from the device, and even if you’re behind a VPN and on a custom ROM that refuses to give even half of that data to TikTok, the other half is enough to fingerprint you.
For that matter, the fact you’re using a custom ROM is a big waving flag that advertises your identity. How many people do you figure use CalyxOS in your city? I’d wager the number is less than you think. If it’s a smaller city, you may be the only person TikTok knows who uses it.
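An added illustration, not part of any post in this thread, of the anonymity-set argument made in the comments above: it counts how many devices in a small population remain indistinguishable from one phone as signals the thread names (OS build, aspect ratio, Wi-Fi SSID, installed apps) are combined. The device rows, field names and values are all constructed; none of the fields is an IP address, so a VPN changes none of them.

```python
from itertools import combinations
from math import log2

# Constructed sample: one row per device, as an app might observe it.
FIELDS = ("os", "ratio", "ssid", "apps")
DEVICES = [
    ("stock",  "20:9",   "net-a", "tiktok,maps"),
    ("stock",  "20:9",   "net-a", "tiktok,maps"),
    ("custom", "20:9",   "net-a", "tiktok,maps"),
    ("stock",  "20:9",   "net-b", "tiktok,mail"),
    ("stock",  "19.5:9", "net-b", "tiktok,mail"),
    ("stock",  "19.5:9", "net-c", "tiktok,mail"),
    ("stock",  "18.5:9", "net-c", "tiktok,maps"),
    ("custom", "18.5:9", "net-d", "tiktok,maps"),  # the "private" phone
    ("stock",  "18.5:9", "net-d", "tiktok,maps"),  # flatmate, same Wi-Fi
]
TARGET = 7  # index of the phone being examined

def project(row, attrs):
    """Keep only the named attributes of a device row."""
    return tuple(row[FIELDS.index(a)] for a in attrs)

def anonymity_set(devices, target, attrs):
    """Indices of devices that look identical to the target on attrs."""
    key = project(devices[target], attrs)
    return [i for i, row in enumerate(devices) if project(row, attrs) == key]

def bits(devices, target, attrs):
    """Identifying information (surprisal) the attrs reveal, in bits."""
    return log2(len(devices) / len(anonymity_set(devices, target, attrs)))

def smallest_unique_combo(devices, target):
    """Fewest attributes that single out the target, or None if it blends in."""
    for size in range(1, len(FIELDS) + 1):
        for attrs in combinations(FIELDS, size):
            if len(anonymity_set(devices, target, attrs)) == 1:
                return attrs
    return None

if __name__ == "__main__":
    for size in (1, 2):
        for attrs in combinations(FIELDS, size):
            n = len(anonymity_set(DEVICES, TARGET, attrs))
            print(f"{'+'.join(attrs):12} set={n} bits={bits(DEVICES, TARGET, attrs):.2f}")
    print("identifying combo:", smallest_unique_combo(DEVICES, TARGET))
    print("shares a network with:", anonymity_set(DEVICES, TARGET, ("ssid",)))
```

In this sample no single signal isolates the phone, but OS build plus aspect ratio does, and the SSID alone groups it with the flatmate's device.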
Are you using the app or the website?
I was on a degoogled OS and VPN watching TikToks as privately as possible when I began getting videos (like 3 in a row) about the awkward posture that I happened to be lying in. Phone camera was off and phone settings were as private as possible.
I looked around and my bro was there watching TikToks on his Google Android phone. His phone camera was facing right at me.
My conclusion: I was being watched through his normie phone.
Cross device tracking is also a possibility: https://www.youtube.com/watch?v=j1FfVK6sj4I&t=379