Here are some techniques, from the most popular to the most unlikely, that can be used to identify people.
Disclaimers
- My point is to explain why convenience should not prevail over basic security and privacy
- It might look scary but it’s not even an exhaustive list of all possible privacy intrusions
These techniques are largely unknown to users but massively used by companies, and you may have read terms such as browser fingerprinting or device fingerprinting.
Algorithms can generate a pretty unique fingerprint based on collected specs. It gets worse when you have non-standard configurations and devices. Go check amiunique.org.
Non-js techniques
The IP address
Probably the most obvious one. ISPs assign IP addresses to their customers and have strict legal duties such as data retention (e.g., keeping logs), so that data never expires and authorities can inspect the entire traffic for a specific IP.
In most countries, it’s impossible to get internet access without providing your real name and your personal address. As a result, your real IP is you.
WiFi nearby
Google and Apple maintain and use a gigantic database of Wi-Fi routers and their matching locations. Any Android or iOS device runs passive scans for nearby routers.
It’s a powerful mechanism that can locate anybody very accurately. There’s no opt-out, even if you turn off the GPS.
The Domain Name System (DNS) is a fundamental mechanism of the Internet. Browsers use it to find the IP for a specific service. For example, when you enter https://myfavoritesite.com, the browser queries a DNS service to reach the matching servers.
ISPs provide DNS services by default for convenience, so you don’t have to manually configure things, but they can log absolutely everything. That’s also what many authorities and governments like to use to block access to some websites.
DNS services are prone to MITM attacks (Man In The Middle) by various threat actors. You might try private DNS services or even set up your own DNS but, in my experience, the browser will still send unencrypted requests in plain text, so it’s a questionable mitigation.
Sneaky telemetry
All major operating systems and apps collect data using telemetry. If you don’t disable data collection, it can be used to deanonymize you.
Remember that privacy is not anonymity.
Offline tracking
Popular devices such as MacBooks can be tracked even when you’re offline. Your device can have some peer-to-peer Bluetooth communications (with nearby devices) thanks to Bluetooth Low-Energy.
As long as the battery is plugged in, it’s on.
Device IDs and IMSI
Manufacturers assign an IMEI (International Mobile Equipment Identity) to every mobile device. Even privacy-focused manufacturers implement it.
Google, Apple, and many other actors collect that identifier and keep logs. There’s no opt-out, and, in many countries (not all, though), modifying that number or buying a burner phone is illegal.
If it’s required, it’s possible to trace back the entire history of the device.
In addition, there is the IMSI (International Mobile Subscriber Identity), a unique number associated with the SIM card. IMSI catchers are relatively small devices used by authorities and threat actors to capture sensitive information, including your real identity (SIM card), messages, calls, etc.
If someone uses it against your phone for some reason, it’s game over for your privacy.
RFID identification
Radio-frequency identification is widely used in contactless transactions (e.g., NFC payments).
I’ve never read about a direct identification but it’s pretty efficient to approximate someone’s location, and it’s pretty hard to protect.
You have to buy expensive products that block RFID or get rid of all RFID chips, which are used in passports, IDs, or credit cards.
EXIF data
All electronic documents contain metadata that can disclose sensitive information. Photos are the usual example, but the same goes for PDFs and MS documents.
Use EXIF removal tools to strip that metadata before sharing your documents.
Invisible watermarking
Some organizations use invisible watermarks on documents to identify their creators but also their viewers. It’s a built-in feature in many apps and printers, so it’s not complicated to enable but, in contrast, quite difficult for victims to detect.
It’s a serious threat for whistleblowers, but not only for them.
CSS fingerprinting
CSS media queries can trigger when the browser size changes to a specific width.
External resources or assets can be downloaded with media queries, so every time you resize the window an HTTP request is fired, for example, to grab some background images. It gets worse if you have special habits like regularly resizing the window to a particular size (e.g., tiling windows).
It’s very specific, and you might say pretty unlikely, but it’s still possible.
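One way to audit a stylesheet for this pattern, as an added example that is not part of the original article: the check below lists every size-based media query that loads a resource from a host other than the page's own. The function names, the `tracker.example` and `cdn.example` hosts and the sample CSS are constructed for illustration.

```python
import re
from urllib.parse import urlparse

MEDIA_RE = re.compile(r"@media([^{]*)\{", re.IGNORECASE)
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
# Conditions that depend on the viewport or screen size.
SIZE_RE = re.compile(r"\b(?:min-|max-)?(?:device-)?(?:width|height)\b", re.IGNORECASE)


def media_blocks(css):
    """Yield (condition, body) for each @media rule, matching nested braces."""
    for m in MEDIA_RE.finditer(css):
        depth, i = 1, m.end()
        while i < len(css) and depth:
            depth += {"{": 1, "}": -1}.get(css[i], 0)
            i += 1
        yield m.group(1).strip(), css[m.end():i - 1]


def find_size_triggered_requests(css, page_host):
    """Return (condition, url) pairs where a size query loads a third-party URL."""
    hits = []
    for condition, body in media_blocks(css):
        if not SIZE_RE.search(condition):
            continue  # e.g. "print" says nothing about the window size
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname  # None for relative URLs
            if host and host != page_host:
                hits.append((condition, url))
    return hits


# Constructed sample stylesheet.
SAMPLE_CSS = """
body { background: url(/static/bg.png); }
@media (min-width: 1279px) and (max-width: 1281px) {
  .hero { background-image: url("https://tracker.example/px?w=1280"); }
}
@media (min-width: 600px) { .nav { background: url(img/menu.svg); } }
@media print { .ad { background: url(https://cdn.example/print.png); } }
"""

if __name__ == "__main__":
    for condition, url in find_size_triggered_requests(SAMPLE_CSS, "myfavoritesite.com"):
        print(f"{condition} -> {url}")
```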
Underestimated areas and techniques
Wireless vulnerabilities
Whether it’s WiFi or Bluetooth, it’s hard to secure such wireless connections. It’s best if you can turn off such services when not in use.
Even the Bluetooth Special Interest Group acknowledges some flaws.
Besides, some devices lack security features to prevent unwanted pairing and information disclosure.
You can only mitigate the threat, and I strongly recommend updating your system regularly.
Wireless mouses and keyboards
Wireless devices are convenient but prone to attacks. While some manufacturers take security very seriously, others clearly don’t, and you’d be surprised how easy it is to hack them with very cheap equipment.
These companies buy low-cost chips to build their products but they have to write the firmware themselves, which often leads to flawed or nonexistent implementations of critical security features such as encryption.
Once you’re tapped, anything can happen, from stolen credentials to severe privacy intrusions.
Data recovery
Cute but not meant to erase documents securely. Besides, most built-in Recovery disk utilities are not allowed to perform secure erase.
Various software can recover the so-called “permanently removed data” in minutes.
I’m not even talking about advanced software used by authorities that can perform advanced scanning and filtering in seconds but simple free or cheap products anyone can install.
Tricked hardware
You may be familiar with the term “backdoor”, but do you know it can be implemented at the hardware level? Fortunately, there are now YouTube videos that raise awareness about hardware backdoors, but the topic remains largely unknown to the vast majority of the population.
Something that looks like a USB drive or even a charging cable could contain a backdoor that would allow a remote adversary to take full control of the system.
Unblur me
People and media sometimes share sensitive documents that contain revelations and may put some people at risk.
To prevent unwanted disclosures, they may blur some areas or use “overpixelated” images, but even Photoshop (or free open-source alternatives such as GIMP) can revert the operation, at least partially, which can ultimately lead to deanonymizing someone.
GitHub is full of free open-source tools that rely on Deep Learning to “unblur” or “depixelate” documents based on open-source datasets.
Biological signatures
Big companies such as Google sit on mountains of confidential data, which sometimes includes writing and typing styles. As nobody writes or types exactly the same way, these are biological signatures that can ultimately deanonymize anyone who hides behind a fake IP and an anonymous account.
Gmail has been collecting and sharing such data with its partners for years.
7 ways to protect
Of course, you can buy a faraday cage or become paranoid about technology, but here are practical measures you can take to improve your safety:
- Use dedicated devices and operating systems for sensitive (not “illegal”) activities and learn compartmentalization
- Use full disk encryption and end-to-end encryption for your communications
- If you don’t trust the website, don’t even go there
- Define your threat model
- Mask your real IP and your location
- Don’t plug anything unwisely into the USB ports (some even disable these ports but it looks a bit overkill)
- You want to hide something in a document before sharing it publicly? Use a black pencil or just remove it
There are threats you can neither eliminate nor mitigate, so don’t worry too much about them. Instead, use several layers of protection and don’t sacrifice your privacy and safety for very little convenience and cheap equipment.