Curiosity - tracked despite private browsing, VPN, and manual browsing data wipe
Hello, I have a curiosity question, related to privacy. I recently found that eBay was able to confidently identify me when I would not have expected. By the way, I work in tech, often dealing with security and basic privacy. I am well aware of "fingerprinting," but typically that is used to break up people into subsets, or cohorts, not individually identify the user. And of course, even when it does, it typically won't show/tell the user that it has successfully done so. Anyway, here's what happened:
1. I visited eBay using FF's "Private browsing" in "Strict" mode, over a VPN connecting to country "alpha". This was running directly on the host OS of Windows 10, with a non-default (but common) window size, and one very common browser plugin. eBay marked me as belonging to the country of my VPN endpoint, and set the region and currency accordingly.
2. I close the private browsing window, change VPN endpoint to country "beta", and re-connect to eBay. It still recognizes the previous region settings, even though my VPN endpoint is in a different country. Thinking maybe cookies were not wiped until the browser session was completely terminated, I go a little further;
3. Close all browsing tabs, go to settings, and manually clear all data (cookies, cache, etc.). Change VPN endpoint again.
4. Connect to eBay again. It still recognizes me.
Note that I have not changed any other signals about the session. Browser window size has not changed, still the same OS, the same browser version, the same browser plugin. I did these tests in quick succession, which could also be a signal to them. But this session did not carry a cookie, and was coming from a different IP address. All cached data had been cleared (supposedly, at least).
Is eBay's fingerprinting just that good, that they actually identify me individually, without a cookie and coming from halfway around the world? Or is there some other tracker or signal they are able to follow me with, to re-identify me?
I was running FF on a transparent virtualization layer, so I just wiped all data stored by FF since the testing started, switched to another VPN endpoint, and just like that, eBay had no idea who I was again. But why didn't FF's Private browsing, or the built-in data wipe (cookies & cache) de-identify me? I can't see it having been advanced fingerprinting, or it would have seen through me wiping the virtualization layer.
Thank you!
All Replies (4)
Did you verify that the IP was changed? Did you use "Forget About This Site"? Does restarting Firefox work?
cor-el said
Did you verify that the IP was changed?
Yes, the IP changed successfully.
Did you use "Forget About This Site"?
No, I went hamburger menu > Settings > Privacy & Security > Clear Data, and cleared all. The "Manage data" option indicated that there was nothing left after doing so.
Does restarting Firefox work?
Nope, restarting the browser did not work. I tried that after using FF's Clear Data feature, but forgot to mention that.
Figure8565 said
I did these tests in quick succession
If you are too quick the VPN connection might not be ready yet. It's easy for a connection to momentarily go through the wrong endpoint unless you configure the browser to strictly use a specific endpoint at all times.
zeroknight said
Figure8565 said
I did these tests in quick succession
If you are too quick the VPN connection might not be ready yet. It's easy for a connection to momentarily go through the wrong endpoint unless you configure the browser to strictly use a specific endpoint at all times.
Good point, but I didn't mean *that* quick. In this case, the browser is only allowed to access the VPN. Direct access to the WAN is blocked at the gateway, as well as by settings in the browser. I also verified that the WAN address had changed prior to each test.
Thank you for the tip, though.