aimazon 01/21/2025

The counterpoint is that anyone who cares about being anonymous is using methods to disguise their identity that cannot be compromised by this attack, e.g. a VPN. Plus, there are much more effective versions of this attack, like sending a link to an endpoint that you control -- getting someone to click a link isn't hard if you're considered trustworthy enough to send them notifications. And less technical versions, like correlating when the user is online vs. offline with timezones around the world.

The method that both Apple and Cloudflare use in their own privacy software (iCloud Private Relay for apple, WARP for Cloudflare) is specifically based on the idea that your region is not information that reveals your identity. If you enable Apple Private Relay, your origin IP will be obscured but the IP your traffic is routed through will be in the same country -- same principle.

https://www.apple.com/icloud/docs/iCloud_Private_Relay_Overv...

This attack is academically interesting and novel but it's not "deanonymization".


Replies

tom1337 01/21/2025

> The counterpoint is that anyone who cares about being anonymous is using methods to disguise their identity that cannot be compromised by this attack, e.g. a VPN.

Yes, unless Apple is doing Apple things and ignores VPNs for things like push notifications…

https://x.com/mysk_co/status/1579997801047822336

fsflover 01/22/2025

> The counterpoint is that anyone who cares about being anonymous is using methods to disguise their identity

https://news.ycombinator.com/item?id=42784398

tpoacher 01/22/2025

Not everyone who indirectly cares about anonymity is an activist who feels they need to go to great lengths to disguise their identity. Sometimes anonymisation is part of a process, and the ability to collect potentially deanonymizing data this way is still a privacy breach.

E.g. imagine sending otherwise anonymised participants in a clinical trial a questionnaire, containing an image. The owner of the image could then partially deanonymize the trial participants. Or voters. Or demonstrators in a rally.

Not everyone who cares about privacy is Edward Snowden material.

rosseitsa 01/21/2025

I am not sure I understand what you mean by "trustworthy enough to send them notifications". Do you need anything other than one's phone number to send them a Signal message?

amyames 01/22/2025

On iCloud public relay, go to settings and select “use country and time zone” instead of “use general location.”

Now you're no longer "within 250 miles"; hell, my phone geo-IPs everywhere from Louisiana to New Jersey, which are not even "in my time zone," but there you go.

This setting was pissing Meta/Facebook off big time because they also couldn't narrow me down to a precise geographical area, resulting in much nagging and whining about "was this you signing in from [Shreveport]?" and frequent account lockouts, password resets, and endless requests to approve my logins from a device that's already logged in, before I finally said to hell with it and deleted FB a few days ago.

I figure if a privacy setting makes Meta mad, then it's... probably... a good setting. Must really irk them trying to sell location-relevant ads when my state changes every other time I unlock my screen.

It's a combined behavior of using private browsing and refusing to install their app, thereby denying them a permanent supercookie no matter what my IP is, so if you don't like the sound of this, it [might not] affect you if you use their apps. "X" does it too; just look up "inferred identity + twitter" on Google.

I’m editing out a tall claim in the last paragraph of this for some other time when I’m less tired and have sources next time we’re on the subject.