That’s crazy. As it’s (almost) impossible to prevent those data to be sent from the phone, would it be possible to make the data useless ? For instance by sending loads of fake json payloads for some ids ? Then enjoy my data which says at the same time that I’m in Vancouver, Lisbon, Paris, on my low cost and super expensive phone, with volume at max and zero,… Not possible I guess ?
this post was submitted on 03 Feb 2025
374 points (98.4% liked)
Technology
61757 readers
5591 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
All HTTP requests include your ip address, you don't "consent" to giving it to anybody. You can geolocate somebody based on ip address but it won't be very accurate
True, it's storing the IP address that is the issue.
Storing it and associating it with all the other identifying information collected.
but it won't be very accurate
Which they actually acknowledge in the blog post.
Kind of interesting that they're smart enough to understand how to sniff packets but not enough to understand that IP address = location.
Author noted:
As a quick note - location shared was not very precise (but still in the same postal index), I guess due to the fact that iPhone was connected to WiFi and had no SIM installed. If it was LTE, I bet the lat/lon would be much more precise.
And this was with location services off. How precise is a "postal index" in the author's country (presumably Spain) I wonder.
load more comments
(22 replies)
Does this happen to users in the EU? It’s highly illegal to gather data without consent here obviously. Even processing other data to derive location (which is personally identifiable information) means processing data for purpose that’s different to one that was consented to (if they tried to get any consent at all). There are big companies implicated here so it’d be easy to fine them into submission in jurisdictions that allow it.
The sample data shared in the article includes
"c": "ES", // Country code,
ES is usually used for Spain, so it looks like these tests were run from within the EU.
Ah, there’s also this piece in json:
"uc": "1", // User consent for tracking = True; OK what ?!
My guess is that developers are pretending to get user consent to get more money from the ads. Unity could be encouraging this somehow but good luck proving that.
Easier to ask forgiveness than permission. Most companies are so big, getting caught is relatively cheap with how low the fines are compared to their annual profits.
It's just a line item on their expense sheets, anymore, and most people don't have the money to get the justice they deserve in court.
This we can expect but there’s also a trend to idolise solo developers or small firms. Reality is that everyone can be shitty and therefore everyone should be accountable. In this case a smaller developer steals user data do defraud Unity most likely because they think they’re too small to be worth investigating. When we were implementing GDPR in my country those small developers fought this law as oppressive and unnecessary.
Surprising that this data never heard gets leaked. It's always my social security number
It's in a perpetual state of leakage in a sence that it's a trade item that gets sold between different companies. You can't leak that, really.
No hacker group ever got their hands on this data?
Every hacker group or indeed a random guy, can get and routinely gets this data for very cheap. It's not news because its the norm.
it's been known for a long time that there is enough identifiable information in a "normal" person's internet usage to identify exactly who and where you are and what you are likely doing just from metadata analysis and public domain information
question is, how is this being abused
Even with Linux it wouldn't be that safe, if apps were doing this crap.
We just have to stop using the internet at this point
You'd want to be using only Linux apps that weren't recording and reporting everything. Much easier to get in Linux than Apple/android
You know the towers log data too, right? And that websites themselves can track you regardless of what OS you use, right?
Privacy is good, but stop with this "Linux is a magic weapon" BS.
Separate dongle for internet using a hotspot can help. No system is perfect but Linux phone is an excellent first step
You miss my meaning. All the servers that your info passes through, all the cell towers, etc, can and in many cases do track you(even as just routine loggings). Thinking that running anything makes you more secure while connecting to a giant public network is naive.
Is there any straightforward way of stopping this besides dropping off the grid?
Route all or traffic through tor. Never log into anything. Never use the same identity twice. Ahh and live in a hut in the woods never going to shops or cities that have security cameras.
I think it's more: "Don't use a smartphone". It'll send those requests through any internet connection. No matter if it's a VPN or Tor.
Google hardcodes DNS into their hardware appliances...
So you'd need to block outgoing DNS requests except for your DNS server and god forbid you change location with a smartphone.
I think this is about apps and not the operating system. But yeah, the stock ROMs also phone home to Google. You'd need to patch that. For example like custom ROMs like GrapheneOS do. I don't see another viable alternative. But that still leaves you with the issues with the apps mentioned in the article.
I wouldnt be surprised if Google hardcoded DNS servers even if you override it with a "private dns"
I think it's unlikely that they mess with people's DNS settings. That would just break lots of stuff and internet would stop working for a small amount of people. But there are things like certificate pinning and probably similar things for DNS. We nowadays often circumvent DNS servers and use DOH on an application level. Plus there are things like connectivity checks (made for public wifi portals etc), AGPS... that all connect to Google servers... Well, unless you have that changed, as I said. But that's not something the user can change. You need the whole operating system re-built with different servers in place.
load more comments
(4 replies)
load more comments
(2 replies)
Using firefox in strict mode with ublock origin, cookie auto-delete, and a VPN to change your IP every now and then should stop location tracking and cross-site tracking. Sites will still know you've visited them and what pages you've been to in that session, but that is impossible to stop.
The main thing is don't use apps, they can collect tons of data and tie it directly to your physical device, and run in the background while not actively using it.
Using a web browser is really the safest option I can think of because you have control over almost everything.
load more comments
(3 replies)
view more: next ›