[HN Gopher] Everyone knows your location, Part 2: try it yoursel...
___________________________________________________________________
Everyone knows your location, Part 2: try it yourself and share the
results
Author : mtlynch
Score : 281 points
Date : 2025-04-17 13:41 UTC (3 days ago)
(HTM) web link (timsh.org)
(TXT) w3m dump (timsh.org)
| timsh wrote:
| author here to answer any questions or discuss an app
| uticus wrote:
| solid observations and good analysis! so, seems too obvious,
| are you truly in pioneer territory - nobody else is doing what
| you've done here?
| timsh wrote:
| I mean, there should be something! Maybe not with this exact
| list of apps, but the code should be similar to other "how-
| to-record-traffic" guides.
| feydaykyn wrote:
| Many thanks for your eye-opening article!
|
| Hopefully you have a third article in the making, testing
| whether common privacy techniques are effective?
| jrmg wrote:
| On the question of "why do they collect all this data" -
| brightness, battery life, headphone usage, volume etc: It's not
| just because the data is valuable in itself, it's also to
| 'fingerprint' the device across IDFA boundaries and in the face
| of things like NAT and VPNs. There are so many disparate data
| points that are different across different devices that two
| apps reporting an identical or near-identical set in a short
| timeframe are likely on the same device.
| alphan0n wrote:
| Good stuff. You might find more interesting data by
| implementing Frida [0] into your process to snoop on encrypted
| traffic normally not visible due to pinned certificates.
|
| [0] https://frida.re/docs/home/
| sunbum wrote:
| And more specifically just use the maintained scripts from
| HTTP Toolkit.
|
| https://github.com/httptoolkit/frida-interception-and-
| unpinn...
| alphan0n wrote:
| Excellent, thank you. There's a lot to Frida.
|
| HTTP Toolkit only mentions using jailbroken iOS devices,
| but you can also use unjailbroken devices running v13+ via
| injection [0]
|
| [0] https://frida.re/docs/ios/
| elric wrote:
| How the hell is any of this tracking legal?
| lrvick wrote:
| Because you and almost everyone else agreed to the Terms of
| Service where you consented to let them stalk you until they
| can make an accurate enough simulation of you to sell
| increased chances to change your behavior to the highest
| bidder.
|
| You can stop at any time. Cancel your cell phone subscription
| and turn off your phone. It is a perfectly valid choice.
| elric wrote:
| Uninformed consent is not consent. And while you may enjoy
| your life without a mobile subscription, many would not.
| djeastm wrote:
| >Uninformed consent is not consent.
|
| True, but a Terms of Service document is the vehicle by
| which you are informed and consenting. If you're not
| willing to read the information you're choosing to remain
| uninformed.
| wuiheerfoj wrote:
| When it takes multiple lifetimes to read the Terms of
| Service for everything a normal person uses to get
| through daily life, it's not a case of willingness
| Etheryte wrote:
| This is not how the GDPR works, just because you stuff it
| in the ToS doesn't make it legal. Consent has to be
| explicit and freely given, using the service cannot hinge
| on accepting tracking.
| hulitu wrote:
| > Because you and almost everyone else agreed to the Terms
| of Service where you consented to let them stalk you
|
| Because some laws (GDPR) are only valid for some people.
| boppo1 wrote:
| No one took Stallman seriously in the early '00s cuz he looks
| like a total nerd.
| doubled112 wrote:
| Imagine living in the alternate universe where open source
| or privacy had a Jenny McCarthy.
| api wrote:
| It's also because good UI/UX is expensive, open source has
| never been able to do it, and people are lazy. If you are a
| person who likes messing with computers and figuring stuff
| out, you are weird. Most people loathe it. It was super
| easy for superior UX to capture users and herd them into
| surveillance ecosystems.
| drob518 wrote:
| He still looks like a nerd. I think it's terminal.
| wnoise wrote:
| Because no one made it illegal?
| Teever wrote:
| Are you aware of any sousveillance projects with the goal of
| identifying and monitoring the people responsible for this
| tracking?
| anotherpaul wrote:
| I haven't gone through setting it up (yet) but I imagine there
| should be differences between EU and US versions of the apps.
| Is that something you expect to and if so, are you recording
| that info in your survey? Or am I just naive here?
| timsh wrote:
| The difference should be only at the consent level, e.g. you
| might see less or more "Accept All" buttons with different
| design or different ToS linked. I don't believe there's a
| real difference on the code or even SDK level based on geo.
| qwertox wrote:
| Doesn't California have partially stricter laws than the EU?
| ebfe1 wrote:
| Not exactly related, but on the topic of finding a target's
| location: a few years ago I used to run a little demo of
| capturing probe wifi ssid network on preferred network list of
| nearby devices and used https://wigle.net/ to identify places
| that people have visited... it was eye-opening for some people in
| the audience for sure.
| az09mugen wrote:
| Wow, the map gives a good insight of where "technological
| humans" are concentrated.
| yapyap wrote:
| or where people are actually recording wifi networks, wigle
| is kept up to date by volunteers
| xattt wrote:
| Complete dead zone in my area, even though the wifi SSIDs
| are saturated.
| thenthenthen wrote:
| That sounds like a super fun demo to do live! I have seen
| people on social media post their funny ssids around their
| house...please do not.
| ddxv wrote:
| I have something similar:
|
| https://appgoblin.info which lets you see trackers installed on
| mobile apps and an Android app that lets you see those on your
| phone.
|
| I'm working on automating a flow similar to the OP's but with an
| emulator so it can run on a server, but it's pretty difficult.
|
| If anyone has advice I'd love to hear it. My biggest problem is
| how finicky getting the rooted emulator plus apps is.
|
| My current flow for mitm and waydroid is here:
| https://github.com/ddxv/mobile-network-traffic
|
| Hope anyone has some advice!
|
| Edit: just want to mention that the OP's flow is definitely better
| for capturing real data and endpoints, but I didn't see how I
| could automate it?
| 0x008 wrote:
| We all kind of know this is true, but it's always really
| eye-opening to see to what extent these companies know everything
| about us.
|
| Even worse is, I think, that somehow they are allowed to sell all
| the data and that you can basically buy data about everybody
| easily online[1]
|
| [1]: https://media.ccc.de/v/38c3-databroker-files-wie-uns-apps-
| un...
| yapyap wrote:
| > We all kind of know this is true, but it's always really
| eye-opening to see to what extent these companies know
| everything about us.
|
| I agree, if you have a Spotify account I implore you ( and
| anyone reading ) to download their Spotify data [1] and just
| look through it, it's really interesting. I hear news about how
| big companies are collecting all our data and got kinda
| desensitized to just the news but to see it applied to you and
| your specific music experience is pretty eye (re-)opening.
|
| 1. https://support.spotify.com/us/article/data-rights-and-
| priva...
| A4ET8a8uTh0_v2 wrote:
| Could you elaborate a little further ( maybe not data itself,
| but its type and so on )? I don't have Spotify, but I am
| obviously fairly interested in the subject as a whole ( and
| that business model spread widely ).
| morkalork wrote:
| Thanks! Giving it a try. I've been using Google's take out to
| download my Fitbit data already because the app is so shit
| these days. I wonder what else has these data dumps
| available.
| thenthenthen wrote:
| Ah there was a great talk at CCC (actually 2) about a guy
| tracking Germany's politicians, they deduced crazy relations
| from publicly available data iirc. I cannot find the talk right
| now sadly. Was it in German?
| kevin_thibedeau wrote:
| Going after the politicians is the only fix for surveillance
| capitalism. The US's only strong privacy law for consumer
| activity is for video rentals and came about when the
| disclosure of rental records for judge Bork scared members of
| Congress into protecting their own privacy. This still
| applies to modern day streaming services.
| 3abiton wrote:
| I know this topic comes up every so often here, but this is a
| really amazing demo. A reminder that on Android you can use tools
| like XPL-EX (previously XprivacyLua) to heavily block such calls
| and libraries, or even something simpler like [App
| Manager](https://muntashirakon.github.io/AppManager/).
| schrectacular wrote:
| Could you share a bit on how to identify and block offenders
| with AppManager?
| williamscales wrote:
| You would need to be rooted for that sort of blocking to be an
| option, right?
| prettyStandard wrote:
| I think you can run a DNS server, and configure Android with
| a custom DNS server. Not sure about this exact case though.
| lrvick wrote:
| You actually can opt out of this. Personally I have not had a
| cell phone subscription in ~5 years and only use cash IRL.
| stavros wrote:
| You can actually opt out of this. Vote for politicians that
| want to regulate this into illegality.
| hulitu wrote:
| > You can actually opt out of this. Vote for politicians that
| want to regulate this into illegality.
|
| The parliament has more than one politician and the
| advertising companies pay better. To opt out of it you need
| to put politicians in jail for conflict of interest and
| bribes and make campaigns against big tech (which could lead
| to your "suicide"). Good luck with that.
| xico wrote:
| Isn't it what the EU is doing step by step to protect its
| citizens?
|
| Politicians should be jailed, both on the legislative and
| executive side, including Presidents, if they ignore the
| law. France is showing this once again with hopeful Marine
| Le Pen and former president Sarkozy, together with dozens
| of their associates.
| lclc wrote:
| But then the government couldn't track you anymore with the
| help of those companies.
| whobre wrote:
| There are no such politicians, and even if there were your
| vote does not matter.
| stavros wrote:
| _Laughs in GDPR_
| tirant wrote:
| Instead of making something illegal, that might be perfectly
| acceptable for someone else, why not take a personal
| decision to stop using those services altogether?
|
| It's very tempting to impose our own personal truths to
| everybody else's via politics, but that's a quite close
| approach to totalitarianism.
| stavros wrote:
| Why would I stop using the services when I can use the law
| to keep using them without being tracked?
|
| > It's very tempting to impose our own personal truths to
| everybody else's via politics, but that's a quite close
| approach to totalitarianism.
|
| "Regulation is totalitarianism" is a take that's too hot
| for me today.
| smt88 wrote:
| > _Instead of making something illegal, that might be
| perfectly acceptable for someone else, why not take a
| personal decision to stop using those services altogether?_
|
| Because there is no competition in the marketplace based on
| privacy, and if I want to use the services my
| friends/family/employer use, then I'm forced to give up my
| privacy.
|
| The free market has never and will never solve a problem
| like this. The only thing that ever has is regulation and
| this is a textbook case of what regulation is for.
| bix6 wrote:
| What do you do for work / how do you handle work or personal
| calls?
| ghaff wrote:
| I would not happily give up my smartphone but, speaking for
| myself I get very few personal calls, and latterly, don't
| know the last time I had a work call on my phone.
| gruez wrote:
| You don't even need to go off the grid to "opt out". Unless you
| granted location permissions to those apps, all the "locations"
| that the apps are sending are most certainly from geoip
| databases. That's technically a "location", but not what most
| people would think of when you say "everyone knows your
| location". Denying location permissions to random flashlight
| apps, disabling cross-app identifiers in ios/Android, and using
| a VPN will provide the same amount of anonymity.
| azinman2 wrote:
| I would never trust a public VPN personally.
| gruez wrote:
| It's either using a VPN, or having your real (ISP) IP
| address exposed. Self-hosting your VPN is actually worse,
| because you still are tunneling your traffic through a
| third party that could be monitoring it, and unlike with a
| public VPN you can't blend with other users.
| bix6 wrote:
| Most of us need cellphones so are we just out of luck?
| franga2000 wrote:
| You need a cellphone, but you really don't need much on it. Browser,
| email, a chat app or three, banking, navigation, public
| transport/parking. Most of these have good privacy-minded
| options or are usually not the biggest offenders. It's games,
| ecommerce, social media and such that do the most spying, and
| you can absolutely live without those apps.
| 2mlWQbCK wrote:
| Does turning off data (mobile+wifi) when not actually using
| any app help at all (on Android)? Will apps still be able to
| phone home in the background? Or will they just fill up a
| huge cache with data and bulk-transfer it the next time the
| phone is online?
|
| Maybe at least disconnecting from the internet while not
| using it will make location tracking slightly more difficult?
| ghaff wrote:
| Yes? I assume. If I'm international and am not using my US
| plan they'd better not be using my home plan in background
| and I've never seen any evidence they were.
| bix6 wrote:
| Is that true though? I know the banks sell my info to third
| parties.
|
| I love games. Is there no way to safely block their network
| calls?
| gruez wrote:
| >I love games. Is there no way to safely block their
| network calls?
|
| Use a VPN?
| jajko wrote:
| Or another phone, anyway best gaming phone ain't the best
| phone/smart device for other parts of our lives
| 3np wrote:
| If you love games that much, why not get a dedicated gaming
| device? One that you use purely for gaming and don't expose
| your non-gaming accounts or info on. There's no reason why
| the entertainment device and the personal communication
| device need to be the same one, right? Just like there is
| no reason why you should log in with your old hotmail
| account on your Xbox just because they are both MS.
|
| Ideally it wouldn't even have an enabled web browser.
|
| If you find yourself unable to do this, that's a sign that
| "love" is actually addiction which means the upside for
| actually decoupling is probably a lot bigger than you
| imagine if you disregard the idea.
| tedunangst wrote:
| Has anyone else actually tried it themselves?
___________________________________________________________________
(page generated 2025-04-20 23:01 UTC)