A VPN is Useless Against These Kinds of Internet ID Threats | Rob Braxman Tech

Today we’re going to expand your knowledge of how Internet surveillance works. In my last video, I explained how VPN’s operate and described a VPN specific task of hiding an IP address. Users are surprised though to find that some people using a VPN are sometimes blocked from YouTube, while some other users are not blocked while using the same exact VPN server. Now this should give you a clue that there’s some other operation involved in distinguishing these users that is not obvious to the average person. This operation involves something I generally described as fingerprinting. This is the basis of a lot of Internet tracking.

Fingerprinting in this context has nothing to do with your actual fingers or your device fingerprint sensor. The term fingerprinting is really about gathering forensic data that identifies your device, even when you don’t provide an id. This is actually a combination of various things, including browser fingerprinting, device fingerprinting, cross device tracking and device location tracking combined with certain behavior. And it’s a complex and ghostly world of secret little tricks used by everyone from Google to third party trackers with the intent of knowing everything you’re doing. The interesting thing about this capability is that this is going on outside of the network layer.

Instead, it is in the application layer, in the OSI model or OSI layer seven. Unfortunately, only a few of us understand what’s going on. I’ve already made it clear that a VPN or any networking level solution will not get around this. It needs a different approach. Today, I will uncover the threats and then we can see if there are solutions available to us. If you’re interested, stay right there. Here’s what we’re gonna do. First, I will describe the different tracking techniques done on your device that are outside of an IP address. Then I will build up this story with different pieces of Lego which we will reassemble at the end so it makes sense as a whole.

And this is the best part. I’ll tell you how to beat all this. The strategy for tracking users via some sort of device fingerprinting is a technique mastered by Google and Meta. The earliest versions of this beyond just IP address tracking, what’s called browser fingerprinting. What is interesting though is that browser fingerprinting as a technique, it’s very democratic. Anyone can do it. I want you to see this example. I’m going to this site called Brax me Geo, which is my site, and you’ll see a hash on top called fingerprint. And then if I click on device signature, show details, it will list some common characteristics of my device.

I will end up with a unique fingerprint among millions. This was a capability discovered over a decade ago now, and now used extensively as a tracking tool. Google wants to introduce alternatives to browser fingerprinting in Chrome in their attempt to control this surveillance method available to all. They want control of surveillance for themselves, but so far other browsers are not buying this. So it looks like browser fingerprinting will be with us for a while. Understand though, that browser fingerprinting is the weakest of all the tracking methods because it is not 100% accurate by itself. However, within a platform that’s not too large, it can be accurate enough.

There’s another type of tracker where a platform leaves a cookie on your device that is attributed to your identity, like a Google ID or a Facebook id. The way this is abused though is that these trackers can be read cross site, meaning the Google id, for example, can be read in sites not run by Google. This means that these trackers can be used to identify you even as you go to different sites on the Internet. Aside from Google and Meta, many, many advertisers will leave this cross site cookies and they can all persist throughout the Internet.

While this is a recognized threat, the problem is that the solutions offered by non experts will not work. The common approaches used to solve this is by blocking cookies and clearing history, which is a short term solution at best. Now, why does this not work? Let’s explain it further. If a platform has a way of identifying your device, and so far the only way I’ve described is via browser fingerprinting and your login, then it doesn’t matter if there’s a cookie or not, since they can index to the unique identifier instead of storing fingerprint data in a cookie.

The alternate way of doing this is storing the fingerprint data in the cloud using databases of the attacker platform, let’s say Google. So an attacker doesn’t need to store your device fingerprint identifiers in a cookie, it can store it with your account, the same account that you use to log in. Thus they can then have an exact match of who you are. Then they can index with either identifier, since both will point to the same place. The problem here that you have to face is that this kind of tracking leaves no trace. This is why simply deleting or blocking cookies does not solve the problem, as this is the next level way of attack to make sure you’re identified.

Then it goes deeper. Now let’s accelerate further to the next level. Depending on the device, there is access to another level of unique fingerprints. And this time I will describe this by type of device. Let’s say you’re on a computer running Windows. The tracking application is a Windows executable. Windows apps have easy access to information kept in the Windows registry. There are plenty of unique identifiers there. For example, a plainly obvious identifier is the Microsoft Windows license key. This is unique to your Windows computer. There is even the Microsoft id which is also in the registry and that is an email address.

Often people put their real name on the computer name as well, and unique licenses for other software may be found. And hardware data will have unique identifiers like a CPU id. There are also the unique hardware identifiers in each computer, like the Mac address of the Ethernet adapters, Wi Fi and Bluetooth, three right there alone. The capability to access things like the Windows registry and similar storage in macOS is possible only with a native application, in this case a native Windows application. So a platform running only on the browser like a website, will not have access to the registry and these kinds of details unless they also make the browser important point here.

So pay attention to what I will say. Browsers are native applications. Google makes Chrome Chrome is a native Windows app. On Windows it can access the registry, so be aware of this. Apple, Google and Matilda makes the main browsers and there are many other browsers based on these like Brave and so on. Some of these browsers are open source and some are not. The unique case here is Google, where the platform makes both the Internet platform, let’s say YouTube or Google search, as well as the browser Chrome, meaning it could secretly pass additional identification data to its sites not normally available to other platforms.

There is a novel approach to tracking on a browser which can be done on both mobile and PC, and that is the use of something called web workers. In a browser, a platform can launch a background running task called a web worker. This, for example, is commonly used to handle notifications on a platform, even for a browser. The problem is that Google, for example, will start this background web process when you log into Google and then this will persist your identity to Google. Even if you log out. This web worker process will run indefinitely, perhaps forever, and will restart each time the browser starts.

This is a particularly insidious tracking method because you will not know it is doing this. The solution, fortunately is easy on that browser, clear cookies and history, and that should clear out all the web workers currently running. The limitation of a web worker is that it is JavaScript based, so it can only access data available to browser fingerprinting there’s something similar and actually an even more bothersome approach on a mobile device. A mobile phone has many unique identifiers. I’ve talked about many of them before, like the IMEI, which is the unique hardware id, the IMSI, which is the unique SIM card Id.

On top of these are so many other hardware unique identifiers like the Mac address of each network interface, like Wi Fi and Bluetooth. These identifiers have been used in other technologies like contact tracing during the pandemic. Now, on a mobile device, if you’re talking about some app, there are restrictions on third party apps getting access to these identifiers. But understand this, the OS has no such limitations. This is why the OS was able to implement things like contact tracing on both iOS and Android. So just understand that the OS has special tracking capabilities. And that’s why the choice of OS matters as an external party.

If you write an Android app expecting to start recording IMEI, MZ and Mac addresses and selling that data, those days are gone for you. Same on iOS, but for third parties as well as the same OS makers. Instead of just these hardware identifiers, phones now have soft identifiers. There are several, but I will name two here. One is the advertising id. Apps can identify a phone by the advertising iD, which would uniquely identify the user. However, the supposed security feature here is that the advertising id is fixed. You can change it. However, it should be obvious that the OS maker Apple and Google can just record every instance of the advertising id historically.

Also, while you’re logged into a platform, the platform can also just keep the history of advertising ids matched to your login id. There’s another identifier called the notification id. Every time you get a notification, the notification server has to find you. So your device has to report itself to the notification server with your notification id, which is unique for each app. The point is, your device is emitting its own identifier and you’re not even aware of this. Any app with notifications enabled is pinging Google and Apple, the OS makers, with their announcements. Basically, your mobile device is never quiet.

It is always sending these telemetry signals. If you’re running Google, Android and iOS now, this is something common as a security measure in many sites. In fact, my own site, Braxme, will do it as well. And that is to record certain behavior on Braxme. Setting up multiple accounts in one day is a suspicious action, which the app will flag and stop. On some sites they may use some other triggers like accessing without logging in and then using a VPN and maybe frequency of access. Under these conditions, I’m sure I could come up with various clues that some site could track as something they don’t like.

For example, some combination like adblockers plus a VPN. Or maybe the use of a VPN location that is not consistent with the time zone. That’s an obvious flag, lots of permutations and combinations. The point is that this could be recorded in the account data and thus be a way to flag particular users as well as in combination with other identifiers. There’s a common technique for finding your location which does not require a GPS. All that is needed is data already provided by your Wi Fi adapter. So as long as your device has access to the Wi Fi hardware, it can perform this location check.

It is done simply by recording all the Wi Fi routers near you. This is very simple. Each Wi Fi router announces their identifier, called a Mac address. Then the OS or browser reports at least two of these routers with the signal strength to the geolocation API of Google or Apple, and it returns a location accurate to 6ft. And there are more accurate methods. Now, in addition, by using the Apple mesh network, for example, that is used for Airtag, the point is that the OS maker always knows the location of their devices. Wi Fi triangulation is enabled by permission for third party sites, but understand that location cannot be restricted for the OS maker like Apple and Google.

Never. And here’s the other secret. If a browser like Chrome can read the Wi Fi router data as a regular app, then it can know the location too, outside of the OS permissions. Important point, Wi Fi triangulation is a passive listener, so it is not affected by airplane mode. Now let’s get to the sophisticated level of tracking. Now I’ve discussed the general data available to the OS or the Internet platform, and in some cases like Google, that could be the same party. The new element I will add now is cross device tracking. This is where there is simultaneous telemetry among multiple devices like a phone, computer, and even some health sensor device like a watch.

This then can be used in combination to cross verify what you’re doing. Case in point, you are on a browser not logged into the platform, but identifiers match you to your phone at the same location on the same ip address. Algorithms will then verify you as being the same person. The same algorithms can then detect if you’re trying to do other things like hide your identity with a VPN while not being aware that there are alternate ways to verify you. If an inconsistency is caught with known device identifiers and other things like location logins, then dont be surprised if the platform flags you.

What have I explained so far? I want you to look at these points and see what a platform can know about you. You have a login id that has an established identity, the Google ID, Apple ID, Facebook ID and so on. Often this login id is KYC verified with a mobile phone number or email. Your devices can have persistent and unique identifiers that can be easily acquired, especially by the makers of the OS or makers of browsers. Some identifiers are hardware based and cannot be changed, but some other soft identifiers can be generated by the Osdhead and retained by the OS.

This makes solutions like sandbox environments unreliable. A platform can keep a record of these identifiers and can use them interchangeably. If you don’t specifically log in or state your identity, a platform can generate continuous telemetry over multiple devices to cross check what you’re doing simultaneously. This allows them to further verify your identity where there is not a certainty. Some platforms can generate telemetry of every website you’re going to in every app you use. This is true of Google Meta, Microsoft and Apple. Your behaviors while using these identities can be recorded and used to gauge what actions a platform may take against you if they feel you’re attempting to hide your identity.

Location tracking via Wifi triangulation is done either at the OS level on mobile, or at the browser level on a computer. Note that this triangulation may be blocked to third parties, but can never be blocked to the OS or even a native app like a browser. Now that you understand the techniques being used, you just realize that the OS makers, the browser makers, and third party trackers all have a lot of information about you. How do you evade this? It’s actually not that hard, and I will lay out some common solutions. Many of the threats mentioned here has to do with a rog OS or browser maker secretly tracking identifiers without your knowledge, and some of these without necessarily even the acceptance of the OS maker.

For example, a chrome OS browser with access to the Windows registry. But here the solution is simple. A lot of these identifiers on Windows or a Mac do not exist on Linux. So even if a chrome browser tried to gather information from a Linux system, it won’t exist. Location data can be globally blocked from all applications in Linux. Because Linux is open source, there can be no secret code doing things outside of what is stated as I described browsers being native applications can be doing secret things on your device, like doing secret tracking without your knowledge.

This includes capturing device identifiers. As I mentioned, if you use an open source browser, then the likelihood of these hidden trackers sending secret location data or private device identifiers are eliminated. The chromium browser in itself is open source. Popular open source browsers include brave, which is based on Chromium. Firefox is open source. A derivative of this is waterfox and it’s also open source. Chrome is the spyware filled version of Chromium, or call it the Google Chromium. This is definitely not open source. Safari is not open source. Opera is not open source. Edge is not open source.

The number one benefit of an open source mobile os is that they have no Google ID or Apple ID, so they have no login id. That can be the basis of identification and that will be the characteristic feature here. There are many options with open source oses on mobile oses like Android, open source project AOSP, and derivative oses like lineage os, braxos, calixos, grapheneos to name a few are all open source. I generally call this a de googled os, but be careful here. There are many oses originally based on AOSP, like Huawei’s os which is really no longer connected to AOSP.

This being chinese on and control should raise a lot of suspicions. Another type of OS that is not based on AOSP is a Linux based os like Ubuntu Touch and various other Linux flavors of mobile which are in the early stages. These are all very safe and again all open source. These devices have no Google ID or Google code and thus no telemetry to pass information like location, device ids and so on. So basically they are invisible to Google. However, if you use grapheneos with Google in a sandbox on that os, then you’re completely tracked and this will persist.

Because of what I’ve said about soft identifiers and even web workers. This is a flawed approach that introduces the Google ID to what would have been a pristine device. So don’t use that. In addition to using open source browsers, we need to solve the problem of being tracked with your Google id. I specifically will focus on this because it is solvable and is easy. Other platforms like Meta is unsolvable to me, so the answer to that is to leave meta. What I do is have several browsers available on my Linux desktop. I’m running Chromium, brave and Firefox.

I will use these three browsers simultaneously on Chromium I’m logged into Google. Since I’m obviously always on YouTube. I acknowledge that I’m being tracked on this browser since I’m logged in and I assume that Google is recording my device info and keeping track of everything I do on Google. But they already know that since I’m logged in but I never visit any other platform. On Chromium it is Google only logged in. And because it is a watched environment, I’m careful with what I do next. I use brave. Brave is for everything else, and I mean everything as long as it’s not Google.

So everything from banking to online shopping to reading news, all that is done on brave. I could use brave for using YouTube without logging in, but it’s even better to use a third browser, which in my case is Firefox. This is also a never logged into Google browser. Now let me explain the effects of this procedure. Because Google is isolated to Chromium, the Google id can never leak. So even if tracking occurs on any other site with any kind of fingerprinting, it can never resolve to some validated identity like a Google id. And of course, being different browsers, they have different browser fingerprints.

Thus I ignore things like cookie trackers, browser fingerprinting and so on because I know it will never be applied to an identity other than on the Chromium browser. So my Chromium browser is made to be the signal that I’m an average citizen subjecting myself to surveillance like everyone else. But in actuality I control what is being seen since there is never a Google login on a mobile device. In my case there is no cross device identity. In summary, the procedures I use solve the problems based on identified threats. There are other threats that I didnt discuss and involve tracking like the client size scanning with AI or Apple’s find my phone mesh network and other similar threats on Google Android.

But the solutions I gave here eliminate even those threats without having to explain the threats. This video is too long as it is. So learn from this. Use this procedure and keep yourself safe folks. Privacy is ongoing headbutting between pro privacy evangelists like me and big tech companies intent on surveillance. As we discussed here, there are solutions, but it requires a change. I started a company with products that provide tools to protect our privacy. These tools are available on my site Brax me. One of the solutions suggested is to use a de Google phone which is invisible to big tech.

We have this in our store. We have the Brax virtual phone which can give you new phone numbers that makes you disappear from the phone records of big tech. We have Brax mail that can give you metadata, free aliased email addresses that hide your metadata. We have a VPN service, bytes VPN to protect your ip addresses. All these are on our site, Braxme, where we have a community of over 100,000 users who are gathered talking about privacy issues daily. Our store is available there once you sign up. Thank you for watching and see you next time.
[tr:tra].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.