Today around 12:00pm EDT, a post was uploaded to r/whenthe by u/concussionmaker_91 about how despite their multiple privacy measures, Reddit was still able to ping their location and show them an ad about a business in close proximity to their house. Then, in less than 2 hours after the post went live, their year-old account was permanently banned. Redditors in the comment section used a website called SnooSnoop to see if this account has done anything malicious in the past that may be grounds for a ban only to find nothing.

I don’t think this is a mere coincidence and some comments I read on the post may be there to dismiss the situation.

I’m currently working on archiving the post and comments in case Reddit decides to try and erase this entire situation from the web, I’ll attach the files when I do.

You’re not safe. Signed, a tech person

Is this related to the other post about Reddit collaborating with Palantir? Because it sure feels like it…

Can’t track you if you never use their service

That is false

hahaha meta would like to have a word with you

Nothing odd about a fash website doing fash shit.

edit: Oh wait… The original redditor was fash too? Typical reddit.

I think I’m so done with reddit, even old.reddit, that I reflexively pressed back after I clicked your link.

Ah-ha! I looked at the link and decided it wasn’t worth clicking haha, one step ahead of ya!

Easiest explanation:

  1. Visit website X without VPN
  2. Get tracking cookie set that’s associated with your IP and approximate location
  3. Turn on VPN because you’re an idiot that believes VPNs fix everything
  4. Wonder how website X knows your approximate location

So no rocket science involved here…

Arguably he wouldn’t have even needed to turn off his VPN. If he logged into an account associated with his real life (a Meta program or Google environment), then he would have gotten those same location cookies. Same could be said if he had reddit on his phone. A VPN helps, but everything in your life is connected to everything else these days.

Me when I turn on my VPN and still sign in via google

Fix: Every time you go to use a VPN, you delete any browsing data, ideally even start an entirely new VM, with a privacy-friendly browser. Also gotta make sure to use an operating system that can’t be so easily fingerprinted, along with the computer’s hardware. So the only real easy answer is Whonix.

Don’t most “privacy browsers” (I use LibreWolf) delete browsing data every time you close the program?

Doesn’t being so difficult to properly fingerprint just leave a trail of anomalous fingerprints to follow?

Like, I know it’s not the same but you can identify people from their silhouette, you don’t need a photo of their face. Paint around a subject well enough and it becomes clear even if you never add it to the image.

I guess what I’m asking is, does it leave a Clean Enough hole that people can tell what should be there?

Is your question rhetorical? I remember reading before that Facebook was creating shadow accounts for people that didn’t have actual accounts. They would build a user based on everything they could track, even attaching presumed names.

not to defend reddit too much, but posting “i feel like doing a terrorism on reddit” is worrying

The user never said that though.

The user posted a picture of Ted because Ted was anti-technology and now the user feels anti-technology sentiments because they were tracked despite taking precautions.

Nowhere do they express a desire for violence or other illegal activity.

Kushan

Before we start rolling out conspiracy theories and such, let’s all apply a little Occam’s razor to this.

The simplest explanation is that OP is full of shit.

The simplest explanation is that OP doesn’t have good opsec, and got a few tracking cookies after deleting cookies, before setting up their proxy/VPN. Then, on the VPN, the advertiser recognized their VPN IP address, and chose to exclude that from generating location data, deferring instead to the location indicated in their existing tracking cookies.

Privacy is hard. The system is rigged against privacy. You have to do everything perfectly, because one simple mistake could leak your IP address.

Hanlon’s Razor seems much more apt, suggesting OP’s incompetence rather than malice

Hehehee
Actually though, that’s not truthfully Occam’s razor. Occam’s razor requires the easiest answer with the least assumptions, which would be that they’re using their tooling wrong.

Finally, someone uses Occam’s razor correctly! The least amount of assumptions is the right verbiage.

@Far@lemmy.ml

He just got unbanned and posted a meme about it.

Ardens

Did you live under the impression that Reddit was there to not profit from their user base? Or to make sure the users have rights?

Catalyst

They require you to turn off your VPN for signup. If you use the main webpage then that’s different. I use a client that’s open source called continuum with no built in tracking.

Can you link the client you use?

Catalyst

You have to get an API key which you can get through the developer settings under “create app.” Just look up how to get reddit API key.

fyi there is also redreader, no idea if you can still register from it tho

Doesn’t getting an API key defeat the purpose of “no tracking”? Genuinely asking, don’t know much about this, but intuition points me they will be able to track you by API key used then.

Catalyst

Yes and no. I can’t really down the engineering behind an API key but I can tell you it is definitely individually linked to the account you setup the key on. But it can’t only track what’s being done in the app. I only use it to view web results where I’d be tracked much more by using the website. The app client itself has no trackers built into it. So it can’t spy on what else you’re doing.

Catalyst

That’s it. I use Obtainium to install it.

@sneaky@r.nf

Location could just be from when the account was made right? I’m sure it would be very difficult to create a new account while utilizing a VPN considering how active reddit has become in blocking connections from known VPN providers.

irmadlad

Something odd happened on Reddit today…

I don’t find that extraordinarily odd at all really. This has been Reddit’s modus operandi for quite a while now. Anything that might pull the curtains back to peep at what/who’s running the show is sternly frowned upon. Usually, they will just shadow ban you which I personally find cowardly. I’d rather you tell me straight out to piss off.

On the topic of browser fingerprinting. I have a more than fair understanding of how it works, however, I am an expert at nothing. What has always struck me as odd is that browser fingerprints change over time, so how do you use a browser fingerprint to source the origin user? Without changing anything, my fingerprint ‘score’ changes daily. Some things that change or affect browser fingerprinting are:

  • User-Agent (browser, OS, version)
  • Screen resolution & color depth
  • Installed fonts
  • Plugins & extensions
  • Canvas & WebGL rendering
  • Timezone & language settings
  • HTTP headers (Accept, Do-Not-Track, etc.)
  • WebRTC, audio context, hardware info
  • Cookies, local storage, caching behavior

About 80% to 90% of all browser fingerprints are unique at any given time. Only 30% to 50% of browser fingerprints change within 1 to 3 months. Users who regularly update, wipe their browser data, or install extensions have the most changes, whereas users who hardly ever update anything, never wipe browser data, or install extensions have the most consistent browser fingerprints that can last months to years. So, in my thinking, a browser fingerprint alone would do little to pinpoint a specific user, if they are regularly maintaining their security envelope. I guess in the case of forensics, a browser fingerprint could be used as a part of complementary evidence.

If they were using a VPN, it could be that their DNS was leaking. However, Reddit usually rejects accounts made with a VPN engaged.

Checking fingerprinting is something I do regularly because I’m very curious. The best I’ve been able to achieve is partial or nearly unique. I also do daily DNS leak tests, which may sound all paranoid, but even with a VPN, and a stand alone pfsense firewall/unbound, and various other obfuscation techniques, VPN IPs change and the IP you had yesterday for a certain locale, might not be the same as today, so it’s worth me taking a minute to check. Not that I have anything to hide. /s

I recommend a daily cleansing with Bleachbit, or Privazer. Schedule task or a cron to run it before shut down.

If someone has expert knowledge of browser fingerprinting, I stand by to be schooled.

Way too complicated, the reddit app just checks what wifi is connected, and then sends the SSID and probably the MAC address to the reddit servers, they then compare that info to a global map of known wifi locations (created by multiple sources like google street cars, apps that collect that data, amazon ring devices etc) and then they have the location down to something like 30m.

irmadlad

30 miles covers a lot of potential users.

What about wired connections? I guess I fail to remember, a lot of people use their phones as a mobile compute platform, which I very rarely do, and certainly not a Reddit app.

I think he means 30 meters. Miles is mi.

irmadlad

My bad. Me with my freedom units. LOL Me Skuzi.

If you read any of those comments in what you yourself linked, you’d see that a whole bunch of them are referencing and talking about OP’s profile no longer there. So obviously, due to technical issues or other means, the OP of that post was not there for some time period and it has since been restored. “Slam dunk”

Welcome to the internet, where everything is made up and the points do not matter.

Privacy is pretty much an illusion at this point.

You just don’t get it by only concealing IP address. I bet if they also managed to avoid browser fingerprinting and giving clues about their location through their use of the site, that would have been enough that Reddit isn’t showing advertising based on location.

@Auli@lemmy.ca

The biggest lie of the internet is that VPNs give you privacy.

They give you privacy from on-path attackers (ISP, network peers) from snooping on your traffic, that’s about it. Maybe also mixing your traffic into everyone else sharing the VPN server.
