Today around 12:00pm EDT, a post was uploaded to r/whenthe by u/concussionmaker_91 about how despite their multiple privacy measures, Reddit was still able to ping their location and show them an ad about a business in close proximity to their house. Then, in less than 2 hours after the post when live, their year old account was permanently banned. 
Redditors in the comment section used a website called SnooSnoop to see if this account has done anything malicious in the past that may be grounds for a ban only to find nothing. 
I don’t think this is a mere coincidence and some comments I read on the post may be there to dismiss the situation.
I’m currently working on archiving the post and comments in case Reddit decides to try and erase this entire situation from the web, I’ll attach the files when I do.
You must log in or register to comment.
Easiest explaination:
- Visit website X without VPN
- Get tracking cookie set that’s associated with your IP and approximate location
- Turn on VPN because your’re an idiot that believes VPNs fix everything
- Wonder how website X knows your approximate location
So no rocket science involved here…
not to defend reddit too much, but posting “i feel like doing a terrorism on reddit” is worrying
Before we start rolling out conspiracy theories and such, let’s all apply a little Occam’s razor to this.
The simplest explanation is that OP is full of shit.
He just got unbanned and posted a meme about it.
They require you to turn off your VPN for signup. If you use the main webpage then that’s different. I use a client that’s open source called continuum with no built in tracking.
Can you link the client you use?
It might be this: https://github.com/cygnusx-1-org/continuum
Yuu have to get an API key which you can get through the developer settings under “create app.” Just look up how to get reddit API key.
Doesn’t getting an API key defeat the purpose of “no tracking”? Genuinely asking, don’t know much about this, but intuition points me they will be able to track you by API key used then.
fyi there is also redreader, no idea if you can still register from it tho
That’s it. I use obtanium to install it.
Did you live under the impression, that Reddit where there, to not profit from their user base? Or to make sure the users has rights?
Location could just be from when the account was made right? I’m sure it would be very difficult to create a new account while utilizing a VPN considering how active reddit has become in blocking connections from known VPN providers.
Quit your bullshit. The post is still up, and the user account is still there.
https://old.reddit.com/r/whenthe/comments/1odcvwm/i_dont_fucking_feel_safe_guys/
If you read any of those comments in what you yourself linked, you’d see that a whole bunch of them are referencing and talking about OP’s profile no longer there. So obviously, due to technical issues or other means, the OP of that post was not there for some time period and it has since been restored. “Slam dunk”
They are likely fingerprinting their browser.
That identifies the user sure, not location. More likely, the VPN was off at one point and reddit logged their known location. Just ignore the IP and take the last known personal location.
Guys logged in so fingerprinting isn’t needed. They already got the guy. They’re still fingerprinting though
Or it’s just a bakery they’ve looked at online, and that has been packed into their advertiser profile.
So might not have anything to do with location. Also, most VPNs are data brokers. Which is why Israel’s Kape Technologies has been buying them up.
True. Weird a supposed privacy conscious dude doesn’t have an arblock and/or a tracker blocker to minimize that risk.
Ublock, Firefox, and Ghostery are friends
Not ghostery. uBO is fine by itself.
If they can identify the user’s computer, they can cross reference against all the other tracking metadata available. Since they know the browser down to the individual, they also know the predominant IP of said browser and can link your actions from before and after the vpn/proxy account was created.
As long as javascript is running they can track your mouse movement, which is similar to people’s gait when they walk. it’s unique, it’s identifiable. You can probably fuck with them by using a trackball on one profile, but once they link that trackball movement to your profile with other metadatas then the cat is out of the bag and you’re permanently known to Reddit and whoever it sells it’s data to.
As much as people will claim “just disable javascript!” - you’ll find that you practically cannot use the internet without it… and having JS disabled makes your fingerprint even more unique as few disable it carte blanche.
Basically, once they have a shadow profile of who you are it’s just a matter of time for them to link any account created to it. I suspect almost everybody’s shadow profile is quite complete.
Good thing I have never looked at anything questionable on Reddit…
As long as javascript is running they can track your mouse movement, which is similar to people’s gait when they walk.
Gonna need a source or a reference for that second part. Yes, I’m very aware that your mouse movement can be tracked, so we can skip that part.
Just look up mouse fingerprinting.
This was one of the first results for me.
The rest were companies selling user deanonimization solutions that use mouse fingerprinting.
^ Not to mention that considering how privacy conscious the OOP was there’s a good chance they had some way to limit IP tracking. When I verify log-ins for 2FA the approximate location shown in emails is rarely in my city much less close enough to pin any business near my home.
Edit: I skipped over the part where they had proxies active. Which leads me to my next question: If they had proxies active wouldnt they cover their tracks if the VPN fails?
It just takes one time logging in without having VPN enabled for your account to be associated with a location. Their ad network probably filters out known VPN IPs, or IPs from countries where there are no ads to serve up, which might leave the only valid IP address associated with their account to be used.
It IDs the user which is then matched to the last known location of that user.
It can identify the user and their hobbies, schedule, device, and all sorts of info depending on how careful the user is. Not too far of a leap to match it to a non vpn fingerprint with a known ip and location.
Unless they’re spoofing their MAC address, hardware fingerprinting is much more reliable and predictable. It’s easy to watch a MAC bounce all over the country/world in a matter of minutes.
At this point in history, it’s too late to implement identity protections. Your profile is already built, stored, and backed up. They even know your deleted edgelord MySpace account and that you unfriended Tom (you monster). I guess if you were born in a ditch without a SSN, and never signed up for anything, not even a house/apartment, you could go under the radar.
MAC addresses don’t leave your home network, they are layer 2
I’m speaking from the point of view of the app you willingly installed that tracks your MAC address. Part of the reason iOS11 implemented built in spoofing, but I can tell you right now, I know Tim Apple ain’t on the users side anymore.
Never has been.
MAC address is in the data link layer of the networking stack, and would only be seen by other devices on the same network as you. This isn’t visible to websites you visit (unless you’re on the same subnet), and as TCP packets go through network hops, the MAC address is replaced with with the routers MAC address for each hop.
The reason for MAC address randomization (standard on iPhone and Android) is not for anonymity to the websites you visit, but is there to anonymize the wifi broadcasts in your general vicinity, like a 30 meter radius. The MAC address is randomized so that broadcasts to check wifi networks while you’re out and about can’t be used to track your physical location.
I’m speaking from the point of view of the app you gave permissions to collect your hardware data. Y’all are talking like I think a MAC is transmitted over tcp. I don’t need an intro to OSI. Those apps use the hardware data to know if you’re using Samsung, LG, Apple, etc and they store large databases of MAC addresses on individuals. They can even build a local hardware profile to see if you sold your device, to whom, and what device you replaced it with.
At this point in history, it’s too late to implement identity protections. Your profile is already built, stored, and backed up. They even know your deleted edgelord MySpace account and that you unfriended Tom (you monster). I guess if you were born in a ditch without a SSN, and never signed up for anything, not even a house/apartment, you could go under the radar.
i was going to say something along these lines and also that the data they have on you has life long implications.
i used to work for a data broker and the tricks that their data scientists were able to cook up to track and predict people’s behavior was really unnerving to me.
the company’s clientele was mostly high end retail & real estate and geared towards predicting the likelihood of your next “lifetime milestone purchases” (that’s what they called it). i had access to the product; so i looked up its portfolio for me and it predicted that i was ever going to buy a house or car.
i chuckled at it back then because my salary as a software engineer at the time was a very comfortable 6 figures so it didn’t seem likely to me. 8 years later i’m scraping by working for a local non-profit, i’m still driving the same car and home ownership has never seemed further away.
At this point there are 100 easier ways to track users. They probably signed up with a personal email address.
Odd to be using vpn and supposedly 2 proxies but not using an adblocker. I wouldn’t even know if I’m getting targeted ads because I don’t get ads and stay away from apps that have ads.
Something odd happened on Reddit today…
I don’t find that extraordinarily odd at all really. This has been Reddit’s modus operandi for quite a while now. Anything that might pull the curtains back to peep at what/who’s running the show is sternly frowned upon. Usually, they will just shadow ban you which I personally find cowardly. I’d rather you tell me straight out to piss off.
On the topic of browser fingerprinting. I have a more than fair understanding of how it works, however, I am an expert at nothing. What has always struck me as odd is that browser fingerprints change over time, so how do you use a browser fingerprint to source the origin user? Without changing anything, my fingerprint ‘score’ changes daily. Some things that change or affect browser fingerprinting are:
- User-Agent (browser, OS, version)
- Screen resolution & color depth
- Installed fonts
- Plugins & extensions
- Canvas & WebGL rendering
- Timezone & language settings
- HTTP headers (Accept, Do-Not-Track, etc.)
- WebRTC, audio context, hardware info
- Cookies, local storage, caching behavior
About 80% to 90% of all browser fingerprints are unique at any given time. Only 30% to 50% of browser fingerprints change within 1 to 3 months. Users who regularly update, wipe their browser data, or install extensions have the most changes, whereas users who hardly ever update anything, never wipe browser data, or install extensions have the most consistent browser fingerprints that can last months to years. So, in my thinking, a browser fingerprint alone would do little to pinpoint a specific user, if they are regularly maintaining their security envelope. I guess in the case of forensics, a browser fingerprint could be used as a part of complementary evidence.
If they were using a VPN, it could be that their DNS was leaking. However, Reddit usually rejects accounts made with a VPN engaged.
Checking fingerprinting is something I do regularly because I’m very curious. The best I’ve been able to achieve is partial or nearly unique. I also do daily DNS leak tests, which may sound all paranoid, but even with a VPN, and a stand alone pfsense firewall/unbound, and various other obfuscation techniques, VPN IPs change and the IP you had yesterday for a certain locale, might not be the same as today, so it’s worth me taking a minute to check. Not that I have anything to hide. /s
I recommend a daily cleansing with Bleachbit, or Privazer. Schedule task or a cron to run it before shut down.
If someone has expert knowledge of browser fingerprinting, I stand by to be schooled.
way to complicated, the reddit app just checks what wifi is connected, and then send the SSID and probably the MAC adress to the reddit servers, they then compare that info the a global map of know wifi locations (created by multiple sources like google street cars, apps that collect that data, amazon ring devices etc) and then they have the location down to something like 30m.
30 miles covers a lot of potential users.
What about wired connections? I guess I fail to remember, a lot of people use their phones as a mobile compute platform, which I very rarely do, and certainly not a Reddit app.
I think he means 30meters. miles is mi.
yes
Welcome to the internet, where everything is made up and the points do not matter.
Privacy is pretty much an illusion at this point.
You just don’t get it by only concealing IP address. I bet if they also managed to avoid browser fingerprinting and giving clues about their location through their use of the site, that would have been enough that Reddit isn’t showing advertising based on location.
The biggest lie of the internet is that VPNs give you privacy.
They give you privacy from on-path attackers (ISP, network peers) from snooping on your traffic, that’s about it. Maybe also mixing your traffic into everyone else sharing the VPN server.
Two parts to this:
The first is Reddit (or any site) being able to identify you. And that is not a hard problem. Either they fingerprint the browser so your cookies tell who you really are or they just analyze your traffic and realize this user in Istanbul is constantly looking at the Cleveland subreddit. Its why VPNs aren’t really (at all) useful for privacy unless you are combining it with burner accounts and even browsers. VPNs mostly are just useful for accessing region/network limited resources and spinning up a true beater.
As for the ban? They probably changed VPN, got an IP that a known “bad” user used, and got immediately caught in the same automated banwave. Don’t use VPNs with accounts you actually care about. Partially because of the risk of data leakage but also because you don’t know what the last person using that IP did. See also why you wear a condom before you stick it in the glory hole.
because you don’t know what the last person using that IP did
See also: why you don’t wear a condom someone else came in
I’m curious if that user follows a sub for his home town. Could be the recommendation is just a popular spot in that city.
Who cares
Why are you in the privacy community?
I care. Reddit, and other major sites, should not be doing what is shown. That scares me. I care deeply
They can do whatever they want as long as it brings more profit to shareholders.
Why is this not obvious to y’all by now?
You don’t have to use reddit. You definitely don’t have to have an account there
The Friedman Doctrine (shareholder value is the only thing that counts) is the most harmful idea in capitalism.
I get that Reddit has to make money, but it’s still possible to show ads without infringing on your users’ privacy.
They can do whatever they want as long as it brings more profit to shareholders.
Why is this not obvious to y’all by now?
I think this is clear to most visitors here. I doesn’t hurt to relay stories, although this one appears to be untrue, someone posted links above pointing to the user account that’s not, in fact, banned.
