Clarification regarding fingerprinting and some questions

someone27281

I noticed by previous post has been flagged and locked. I apologise for any code of conduct violation I may have performed, that wasn't intentional.

I did indeed check through FAQ, and rechecked it again right now, the reason I made the original post was to talk about de-anonymising by correlation of identities, which I would like some questions answered. It'd be even better if it got added to FAQ also :)

Is user profiles be treated as completely separate identities? In the previous post admins noted that the mediaDRM I'd wasn't namespaces, but also not a hardware id. My original doubt was since it's not namespaced, if I use the same app without VPN in my main profile, with a VPN in a second profile, the app can corelate both as me by checking the mediaDRM id right? Also the only way for one app to get a different mediaDRM id is by factory reset? In that case Will uninstalling and reinstalling an app make the new instance co-relatable to the old instance?

Also the other details like SIM operator name, OS details, and other data would also be the same to both instance of the app right? So if an app wants to, even ignoring the DRM id, would it be possible to start correlating activity between the 2 instances? Like if one instance see a sim info, a specific OS config (GOS is already considered "niche" compared to stock), WiFi related info etc... Wouldn't that be pretty unique? Who else would have my same phone, installed with GOS, has my same SIM, which has the same WiFi characteristics, app lists etc?

I guess my question would an app be able to identify 2 user profiles as being the same user based on info that is common between them

I ask this because everyday we hear incidents like Tor users being caught by their opsec mistakes, and most of the time it's correlation of activities. For example, in this video: https://youtu.be/qLgCzFN_LDo basically every example in the video is opsec mistake. My original intention for the post is for people like me who thought they can play split personality with user profiles to keep their expectations grounded in reality, not sensationalise anything (again, apologies for the maybe clickbait-y wordings)

someone27281

someone27281 Is user profiles be treated as completely separate identities?

Can someone answer this question?

other8026

someone27281 It'd be even better if it got added to FAQ also :)

There's also a post with a lot of info here: https://discuss.grapheneos.org/d/17118-identifiers-across-private-space-and-profiles/4. As you can see, the info there was shared by a project member. The project is open about these things. Maybe the FAQ doesn't list them out like in this post, but the FAQ does say that certain global info is available to apps.

someone27281 mediaDRM

https://github.com/GrapheneOS/os-issue-tracker/issues/2314

someone27281 SIM operator name

In the FAQ. Also, I believe you can disable the SIM for that (don't know for sure, so you can check that yourself), otherwise remove the SIM.

someone27281 OS details

In the FAQ

someone27281 I guess my question would an app be able to identify 2 user profiles as being the same user based on info that is common between them

(Kind of just started writing and went on a little rant here, but I don't feel like making it shorter, so here you go... Also, want to point out that I'm NOT a GrapheneOS developer, nor am I involved in making decisions for the project, so keep that in mind. Maybe a developer or someone who actually makes development decisions would have different opinions.)

This depends on a lot of factors, but I'd like to sort of quote a thing another forum member, de0u, sometimes says: I don't expect [insert feature here] to convert privacy-invasive apps into privacy-respecting apps. (from this post specifically).

In other words, I think what you're trying to do is to install and use apps that you don't expect will respect your privacy. GrapheneOS's privacy and security features already do a lot to help protect GrapheneOS users' privacy, but GrapheneOS users cannot expect the project to add features where the OS will reliably break apps that don't respect users' privacy in certain ways to block those apps' access to certain things, all while maintaining app compatibility.

Ultimately, it's a numbers game, but consider if toggles spoof everything, then possibly both profiles have the same spoofed info, so since GrapheneOS is a well-known OS, fingerprinting services/companies could then add some logic to their fingerprinting library or service to account for that and see over time "this phone is always at 50% battery, is never charging, its charge cycles never seem to change, storage is aways at 50%, the timezone is set to GMT, no mobile carrier, but it's clearly a phone based on the screen size so that's strange, etc." and they see the same info from another profile. So now a potentially bigger fingerprinting datapoint is right there: here are two "devices" that spoof almost everything. So, in effect, you stand out in a crowd even more that way.

So, clearly more thought needs to go into this sort of feature. Adding features without first considering these things is not helpful, and may actually end up being harmful to your privacy. So the features have to be even more complicated, meaning more resources need to go into development, etc., etc. Are toggles user specific? If so, more infrastructure needs to be added. Will spoofed data be random? If so, that needs to be planned and implemented in a way that works and is effective.

Anyway, simply adding toggles to supply fake data might end up being harmful, and GrapheneOS doesn't do dumb stuff like that. You could also consider that maybe no spoofing is the best way to not stand out. But I think it would be most ideal for upstream AOSP to limit access to these things so that the changes can made more cleanly and apps don't break or fingerprinting isn't easier because of downstream changes. Also cool because then GrapheneOS can work on more interesting features.

de0u

someone27281 Is user profiles be treated as completely separate identities?

No.

someone27281 if I use the same app without VPN in my main profile, with a VPN in a second profile, the app can corelate both as me by checking the mediaDRM id right?

Probably. And also via other data points.

someone27281 I guess my question would an app be able to identify 2 user profiles as being the same user based on info that is common between them

It would be best to assume that an app written by an entity whose business model involves tracking people is fairly likely to be tracking people.

If an entity claims (pethaps in a ToS document) that they are not tracking in some specific way, and that entity is subject to a jurisdiction that punishes false claims about tracking, the entity may well act much of the time in the way they claim to. This is less likely to be true of entities homed in jurisdictions lacking functional independent judiciaries.

If one installs apps from "modder"/"unlocker" sites operated by unknown parties in unknown jurisdictions... 🤔

ryrona

someone27281 Is user profiles be treated as completely separate identities?

Secondary user profiles were developed for a user case that has nothing with security, privacy or anonymity to do. They were developed to allow multiple physical users to share a single device, say, you have one profile and your child has another profile on your phone. That way, you can each have your own apps installed, and your own files, without conflicting with each other.

Many use secondary user profiles in the context of GrapheneOS as a way to get compartmentalization. For example to have your real-life banking activity in one profile, and your anonymous online activism in another profile. It wasn't designed for this though, so it is a little bit abuse of technology. Unfortunately, this also leads to many perceived leaks, according to user expectation, such as that apps between two different user profiles actually can communicate with each other using localhost connections, and that all profiles can access and change global settings, not to mention that there are lots of data usable for fingerprinting. In the multiple physical users on one device use case, none of all that are any issue at all. But if you use secondary user profiles for compartmentalization, it becomes an issue, possibly for some use cases, a very big issue.

I believe the GrapheneOS developers are very interested in moving towards having a proper solution for compartmentalization into security domains, but such a solution will likely have to depend on virtual machines, or it would be an impractical amount of work to implement and too much custom code to maintain to be viable. Until we have such a solution, for use cases that really depend on anonymity, it is better to use an operating system actually designed for that, such as QubesOS for laptop and desktop computers.

someone27281

Interesting replies by other8026 and de0u

I originally started using GOS after seeing "the hated one"s video about it. In videos like https://m.youtube.com/watch?v=yTeAFoQnQPo and https://m.youtube.com/watch?v=8FDIef7tVFg , he claims apps installed in GrapheneOS makes it anonymous. I feel this might be only true in specific circumstances where you only use the phone only in public WiFi and keep it turned off or something, even then you can be uniquely identifiable from other users so not properly anonymous.

I guess my OG post was because I had this idea of GrapheneOS being anonymous but it's clearly not the case unless in specific scenarios. @other8026 is it possible to add an entry in FAQ regarding this specific issue? Since there are YT videos claiming this I'd say it's necessary to clarify this.

other8026

someone27281 In videos like https://m.youtube.com/watch?v=yTeAFoQnQPo and https://m.youtube.com/watch?v=8FDIef7tVFg , he claims apps installed in GrapheneOS makes it anonymous.

The first video is about security, the second is about their specific "anonymous" setup in which they specifically say they don't use a mobile network, etc.

someone27281 is it possible to add an entry in FAQ regarding this specific issue? Since there are YT videos claiming this I'd say it's necessary to clarify this.

They aren't making the claim you're saying they are.

You seem to believe GrapheneOS does certain things that it doesn't after consuming content that states something else. You also keep saying "anonymous" but I am not sure if you really mean "anonymous" or something else. Consider how many people and how many devices are out there. Just guessing, but you are probably just one in tens to hundreds of thousands in your area. Just because apps have some access to global data doesn't mean they know who you are.

Consider a setup where you have a fairly popular device, in a country with many people, with mobile service provided by a major provider, device's locale is set to something common. If an app or fingerprinting library attempt to fingerprint you, they will find some data that would be exactly the same as the majority of the country. That data isn't very useful then, is it? But, if you do weird things to stick out, then that makes the job much easier. For example you're one of the very few people using said mobile provider in said country, but your phone's timezone is set to something very different (for example, setting the timezone to the same as New York's when located somewhere in Europe).

Anyway, I didn't plan on writing yet another long post, but looks like I did anyway. I'll leave it here. I'd suggest you take a step back and try to look at fingerprinting in a different way. I have a feeling this topic is much more complex than you give it credit for.

ryrona

Oh, and by the way, I filed a ticket about local IP addresses being accessible to apps even when using a VPN with killswitch enabled. Since that actually can be an anonymity concern in some edge cases, beyond merely being a fingerprinting concern. I hope it will be a somewhat easy change to prevent apps from accessing that when killswitch is enabled.

https://github.com/GrapheneOS/os-issue-tracker/issues/5081