Trying to understand device ID and tracking, could use some insight

Graffeine

Forgive my ignorance, still learning about GOS and privacy. My threat model is big tech tracking and monitoring.

It is my understanding from reading about the GOS WiFi privacy is that it is practically anonymous. So I'm assuming this means no identifiable data about the device is transmitted while using WiFi. So here are my questions:

If I am using a Pixel with GOS without a SIM (Wifi only) and a VPN, and I connect to the Wifi in my home network, am I opening myself up to identification? And if so, how? The SSID? IP somehow? I know there are cookies and fingerprinting, but aside from those, how would anyone be able to tell its the same device connecting again the next day for instance?
If I am using the above setup and log into an account, say an Amazon account, have I now compromised the device and revealed its identity and connected the device to my identity forever? Or can I log out, delete cookies, reset the connection (changing the MAC) and look like a new device again?

Thanks for any help.

de0u

Graffeine Forgive my ignorance, still learning about GOS and privacy. My threat model is big tech tracking and monitoring.

If not already, I would recommend a careful reading of this part of the FAQ: https://grapheneos.org/faq#security-and-privacy

Graffeine It is my understanding from reading about the GOS WiFi privacy is that it is practically anonymous. So I'm assuming this means no identifiable data about the device is transmitted while using WiFi.

It may be more productive to focus on which information you wish to conceal from whom, because phrases such as "practically anonymous" and "no identifiable data" are hard to evaluate.

For example, the DHCP client code identifies devices running current (Android 14) GrapheneOS as "android-dhcp-14". Does that constitute "identifiable data"? Also, by default GrapheneOS devices contact several GrapheneOS-specific services -- one of which, I believe, the Pixel Tablet does not contact. Thus a careful operator of a Wi-Fi network can probably determine when a device is running GrapheneOS, whether it is a phone or a tablet, and which major version of GrapheneOS is running. Is that "identifiable data"? What if some Wi-Fi network operator never sees more than one GrapheneOS device signed in at the same time, but some GrapheneOS device shows up every weekday around 9:15 a.m.?

Graffeine If I am using the above setup and log into an account, say an Amazon account, have I now compromised the device and revealed its identity and connected the device to my identity forever?

Please see https://grapheneos.org/faq#hardware-identifiers (and later text).

Graffeine

de0u this is difficult for me for me to answer because I do not have an in-depth understanding of the technical mechanisms that could be used to identify me. So therefore, I do not know the manner in which they can be used and what information that may provide about my identity. And by identity, I am primarily referring to the ability of private party's to establish enough information about me through digital surveillance to monetize or use my activity, location, financial transactions, communications etc. for nefarious or political purposes. But again, it is difficult for me to fully evaluate or understand who that would be and what their capabilities are from a technical standpoint. I am not interested in hiding from LE or government agencies. I am interested in being a private citizen and not subjected to inappropriate use of my data by greedy invasive corporations.

With that said, I know this is not a black and white topic and I know privacy is not an on or off switch. I am just looking for information on how connecting to my home WIFI or logging into an account creates vulnerabilities for staying anonymous while using GOS. The documentation on the WiFi privacy explains it somewhat but I have a hard time understanding if MAC and fingerprinting are the only things I need to be concerned with.

[deleted]

Your device is most likely pseudonymously identified based on your browser fingerprint. If you entered any personal information, it may be linked to you. If you use any kind of social media, you may be linked by your contact lists. It goes on and on. No one has exactly same setup, you need to have a think on what may help anyone identify you as a person using particular device. There are likely hardware and non-hardware IDs that that are publicly unidentified (without proof) and are exploited in the wild. I learned not to worry about this. I trust Android (GrapheneOS version of) permission model and added hardening protects me against most common surveillance as opposed to any other stock device.

Graffeine

[deleted] OK so it basically sounds like be careful and do your best lol.

de0u

Graffeine I am just looking for information on how connecting to my home WIFI or logging into an account creates vulnerabilities for staying anonymous while using GOS.

If you use an app that is designed to track you, you will be tracked. If you put information about you into an app that is designed to sell information about you to somebody, the information you provide the app with will be sold. This is largely independent of which network connection you use.

Connecting to a Wi-Fi network can potentially identify you to the operator of the Wi-Fi network. If you operate your home Wi-Fi network, that's maybe a non-issue. But if your home Wi-Fi network is operated by your ISP, then that ISP could plausibly form an inventory of your devices (one phone runnning GrapheneOS, one Windows 10 laptop, etc.). Either way, your ISP probably knows a fair amount about your daily schedule.

Graffeine I am interested in being a private citizen and not subjected to inappropriate use of my data by greedy invasive corporations.

Probably the most leverage would come from not avoiding behavior-based "social media" systems -- not running the apps, not using the web sites. There isn't really a way to feed behavior into behavior-tracking systems without being tracked.