this post was submitted on 29 Jul 2024
66 points (94.6% liked)

Privacy

32103 readers
107 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I want to preface this by saying that yes, I know that Instagram is bad. I am planning to get rid of it in the future but as of now I have to keep it for communication with people who are only on that platform.

So I have grapheneOS, use protonvpn (free version), use mull as my browser, and do not have google play services enabled on my phone. I do have some apps downloaded through aurora store such as Instagram, whatsapp, mychart, and mint mobile, but the rest came from f-droid.

I have noticed multiple times that after having private conversations on matrix, I get Instagram content in my feed that is scarily accurate to the conversation I had on the other platform immediately after. I know that things discussed in Instagram direct messages and group chat will give suggested content based on those conversations, but I get stuff that that is very specific to what I have ONLY discussed on matrix and didn't look up via my browser.

So my question is how is Instagram doing this and what can I do to mitigate the spying it's doing on my other apps. Thanks.

top 50 comments
sorted by: hot top controversial new old
[–] tomalley8342 34 points 3 months ago (2 children)

You probably discussed it because you were aware and interested in it, and your awareness and interest showed through in your other trackable habits outside of your chatroom. You only notice when they guess your interests correctly.

[–] [email protected] 17 points 3 months ago (7 children)

this is the real answer. unless you gave the app a bunch of permissions it shouldn't have, they cannot see what you do/say in matrix. but they don't need to. you willingly feed them enough information through location/posts/comments/private messages/friends/contacts/+a very long list of things for them you figure out your interests and serve you tailored ads.

load more comments (7 replies)
[–] [email protected] 2 points 3 months ago

It's more likely than not that, but I would like to err on the side of caution and figure out a way to fix it just in case my suspicion is true.

[–] [email protected] 14 points 3 months ago (3 children)

whatsapp is owned by Meta. I did a quick DDG search to see if I was correct and got this:

"Meta owns several companies, including Facebook, Instagram, WhatsApp, Messenger, Threads, Meta Quest, Horizon Worlds, Ray-Ban Stories, Mapillary, Workplace, and Portal (discontinued)."

I've been working to get the people I communicate with on Signal.app, instead. Other more informed individuals may be able to make additional suggestions.

[–] [email protected] 4 points 3 months ago

Signal.app

Just say Signal holy fuck.

load more comments (2 replies)
[–] [email protected] 13 points 3 months ago (1 children)

The reality is actually far scarier...

Meta manipulated you to have those conversations.

[–] [email protected] 3 points 3 months ago

/s to a degree.

[–] [email protected] 10 points 3 months ago* (last edited 3 months ago)

Keep nefarious apps in your work profile and don't store any files in your work profile. Turn on the work profile only when you use the app, then freeze it again as soon as you're done. Regularly clear the apps' caches. This will limit what the spyware can spy on and how long they can spy on you.

[–] [email protected] 9 points 3 months ago

Just read most of the comments here and I feel nauseous about this.

My job encourages instagram use.

I think the only way around having our devices spy on our spoken face to face conversations is to have a mobile device with a removable battery. Who remembers the HTC EVO and all the phones like those? Anyone know of a good phone that offers the removable battery?

[–] [email protected] 8 points 3 months ago

It happens to me as well, in my instances it's most likely the social network they tied me to. Some friends of mine are heavy Instagram users and whenever I hang out with them I get almost real time relevant ads on my isolated Instagram.

[–] [email protected] 7 points 3 months ago* (last edited 3 months ago) (1 children)

Use it only through your web browser or bite the bullet and don't use it at all despite those people that are currently on it. Maybe explain in a meme why you are leaving and where you can be found.

[–] [email protected] 3 points 3 months ago (1 children)

Even better: Look into self hosting a Pixelfed server. It takes some skill but will be way better.

load more comments (1 replies)
[–] Zak 6 points 3 months ago (2 children)

I don't think Instagram can read your Matrix conversations, but may be able to predict your interests with fancy algorithms or buying information from data brokers, even if it's related to things you did on another device.

If you want to be more sure it's not spying on your phone, uninstall the app and use it through your web browser.

load more comments (2 replies)
[–] [email protected] 5 points 3 months ago (1 children)

Is IG on a completely different profile in GrapheneOS, or is the app installed on the primary profile where you use your other apps? GrapheneOS's profiles completely isolate from one another.

[–] [email protected] 1 points 3 months ago (2 children)

IG is on the primary profile.

[–] [email protected] 1 points 3 months ago

This will be able to do cross site (apps) information collection within other sites (apps) in this profile. The way this works is one of many, and complicated so: https://blog.mozilla.org/en/products/firefox/cross-site-tracking-lets-unpack-that/

The idea of profiles is to stop this behaviour and other behaviours through isolation. Along with other practices makes up a privacy-in-depth (layered) approach. It doesn't solve everything.

For example if you are in the same house sharing an internet connection, it is possible to say "at least one outstation in this house (IP) are interested in 'x' and therefore I should target everyone in that house because people who live together are interested in similar things". Even if you isolate, you could still teach a data hoarding company like meta you like something simply by them by necessity needing your IP to communicate.

Some people try to say 'I've got a VPS with a VPN to communicate all traffic through' but that doesn't add any privacy, your exposed VPS with its IP is an IP only for you and still all collected information about you would be able to be thumbprinted to that IP across many services (eg instagram whatsapp and Facebook). A public VPN provider in this case adds a layer of obfuscation since you can change your IP rapidly and it's an IP that's shared with other unrelated users. Which is exactly why many services like reddit are banning access from them under the guise of "oh training data leaks from VPN, and we want to sell it" bs.

Anyway it's a tough world out there to be private. I'm at an age where after 10 years without Facebook and I never had instagram, everyone knows I'm contactable via sms. It's not secure, it's barely private, but I don't really "chat" except at the pub. So that's where they ask me to visit. Lol.

[–] [email protected] 1 points 3 months ago

Use the user profiles feature of grapheneos to make a "social" profile and only use that to access Instagram / facebook.

You'll want to consider isolating IG from your primary profile, to start. The above user's suggestion hits the nail on the head.

Once the profile ks created, and you've installed IG, you'll want to deselect the option in your Manage Profiles settings on GrapheneOS to 'Allow running in the backgroud.' This way, you can ensure the app is entirely stopped until you want it open.

Another consideration may be to turn off your Bluetooth when it's not in use, as well: BT emits an 'address' of sorts that, if another IG user has enabled BT access on their IG app, may be able to detect your phone and track a conversation knowing you are in the other user's vicinity.

[–] [email protected] 4 points 3 months ago

If you want to be extra safe I guess the best way would be to use the web version of Instagram with ublock origin installed. If you can find a way to use Firefox containers on Android as well it could really restrict what they can access.

[–] maniac 4 points 3 months ago (1 children)

Use a modified app of Instagram.

[–] [email protected] 2 points 3 months ago (5 children)

At that point you might as well move to something else

load more comments (5 replies)
[–] [email protected] 4 points 3 months ago (2 children)

Probably because your friends search about it when they are not having things separated and based on the social graph that IG thinks you're interested in it too?

[–] [email protected] 3 points 3 months ago (1 children)

None of my matrix friends are on Instagram and vice versa

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 4 points 3 months ago (1 children)

Its really hard to tell from a technical perspective, especially without having closely monitored all of your digital activity (and those that you have been in close contact with) in the days/weeks leading up receiving the ads. Some things that Meta could have done (in varying degrees of realism) include:

  • read anything you downloaded from your Matrix client, like file attachments
  • read your notifications if they contain any contents of the conversation
  • read your clipboard if you copy/pasted anything into/out of a Matrix client
  • actively participating in the room and associated your Matrix ID to your Meta account(s)
  • scraped the contents of the room if it is public and unencrypted
  • others in the Matrix room saved your Matrix ID in your contact information within their contacts
  • Meta is recording your screen outside of Meta's apps
  • a Meta library is used in another app/service on your device that is sharing information back to Meta
  • read an attachment that you downloaded elsewhere then shared on Matrix
  • Meta read screenshots you or others took of the conversation
  • Meta has a back door in the Matrix server or client software used
  • the administrators of your Matrix home server (or the administrors of any other home server in the room) are sharing non-encrypted information to Meta to offset hosting costs
  • Meta is running a home server of a user in the room
  • you or someone you are associated with clicked on a link shared in the Matrix room that contained a tracker or led to a site that contained a tracker

Its really hard to comprehensively and conclusively avoid all "spying" that Meta/Instagram could do to you. The best thing that you could do is something that many people aren't capable or willing to do - not install any Meta software, don't use any Meta services, block any Meta IP addresses and/or domain names, and advocate that those around you do the same.

Realistically, the best advice that youre going to get has already been said. Use the web browser instead of the app as much as possible, ideally in a different browser and/or user profile. If you must have the app installed, keep it in a separate profile and kill the app and/or profile whenever it is not in use. Review all of your security and privacy settings in all Meta apps. Review any apps/services you allowed Meta to connect to/from (and the security/privacy settings of those apps). Reduce the amount of information that you enter/share on Meta platforms. Review the other users that you are connected with on Meta's platforms.

[–] [email protected] 1 points 3 months ago

I like the way your mind works.

[–] [email protected] 4 points 3 months ago (2 children)

Use the user profiles feature of grapheneos to make a "social" profile and only use that to access Instagram / facebook.

Meta sells your convo data on WhatsApp for ads, if you use it you will get targeted ads regardless.

Other options are signal (Molly on fdroid), simplex, etc.

[–] [email protected] 2 points 3 months ago (1 children)

My car has an aux cable to connect to my phone. The cable died again so I've been rediscovering the radio and I've been been hearing commercials for whatsapp. They advertise E2EE as a feature. What you are saying is a contradiction to that. Is it possible to have E2EE AND have them sell your convo to third parties?

[–] [email protected] 2 points 3 months ago (1 children)

they encrypt the content, but not the metadata. so Meta might not know what you're talking about, but will know who do you talk with, how often, where from, for how long, and so on. that'll often be more valuable for advertisers than the contents of the messages themselves.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago)

More importantly, Meta also has the encryption keys of any WhatsApp conversation.

It's like a fucking META password manager that unlocks your vault.. (...as in your WhatsApp conversations) and locks it when they are done spying, whenever they feel like. Repeatedly.

You have no control, as in a secure private conversation unless you have the keys on your device.

[–] [email protected] 1 points 3 months ago

Unfortunately I do have WhatsApp and I absolutely cannot get rid of that unless I cut off all my older family members who don't know how to use anything else (which I don't wanna do). I'm gonna put Instagram on a separate profile like you recommended, but can't for WhatsApp because that'll mean I can't pick up calls and the likes. I do have molly and quite like it, but only have a couple of friends on it that I've managed to convince to switch. I hope to get more on there from Instagram in the future, but will have to wait for when I am better friends with those people and less of a weird acquaintance.

The only place I get any ads nowadays is on Instagram, but I'm assuming that after I am rid of that they'll still have a shadow profile on me in the background.

Also, another question: what is the network permission on graphene OS? I haven't been able to find a clear answer about it on the net.

Thanks.

[–] GustavoFring 4 points 3 months ago (1 children)
[–] [email protected] 1 points 3 months ago (1 children)

I have heard mixed things about instander

[–] GustavoFring 1 points 3 months ago

I'm curious as to what kinds of things. I've had no issues with it as of yet.

[–] [email protected] 3 points 3 months ago (1 children)

Maybe Instagram has access to your keyboard so it can monitor what you're typing in other apps.

[–] [email protected] 2 points 3 months ago (3 children)

All I'm using is the default graphene keyboard

load more comments (3 replies)
[–] [email protected] 2 points 3 months ago

Could this be related to Off-Facebook Activity?

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (1 children)

If the only thing you use it for is chat, I think you can chat with instagram users on FB messenger instead, which you can then heavily restrict in terms of the OS permissions you give to it.

[–] [email protected] 1 points 3 months ago (1 children)

Wait, really? Can I log in with my Instagram account onto it? If so that's great news because the main reason I'm keeping it right now is the chat, but sometimes get sucked into the content vortex.

[–] [email protected] 2 points 3 months ago (1 children)

I'm not sure, I think it may use an FB account. But you could make one specifically for this one use-case and then nuke your IG account.

load more comments (1 replies)
load more comments
view more: next ›