
Ask HN: How do I prevent Facebook and Instagram from tracking me across devices? - AndyGriffin
Phone #1: Installed Facebook app on iOS, added <i>PhoneNumberX</i> to 2FA.<p>Phone #2: PhoneNumberX was never used on this phone apart from WhatsApp that had <i>PhoneNumberX</i> linked to it. Installed Facebook app. Logged in to my Facebook account. Facebook app did not have access to photos&#x2F;location&#x2F;etc due to privacy concerns. After some time i deleted my Facebook account and uninstalled the app. Cleared Safari cookies&#x2F;etc. Ad tracking on iOS was disabled in settings by default. Six months later my friend installed Instagram app on this phone and registered his Instagram account (phone number was not used) and signed out. Instagram app uninstalled.<p>Phone #3: My friend is using his Instagram account on his own phone and gets a notification: &quot;Do you want to add YOUR <i>PhoneNumberX</i> to your Instagram account?&quot; This prompt have appeared once just recently and there is no way to find <i>PhoneNumberX</i> anywhere on his account to alter or change this.<p>To me it seems that Facebook is using some form of secret fingerprinting that got Uber in trouble with Apple. See here: https:&#x2F;&#x2F;www.the-parallax.com&#x2F;2017&#x2F;04&#x2F;26&#x2F;uber-device-fingerprinting&#x2F;<p>Now that Facebook without my knowledge have linked data from my deleted Facebook account (or WhatsApp account?) to my friend&#x27;s Instagram account in some form of shadow profiling it is unclear what can be done to remedy the situation. There is no tool available for public to access these shadow profiles even though they are clearly a part of users data. Privacy implications are huge.<p>What would security&#x2F;privacy experts recommend in this situation?
======
Rjevski
> PhoneNumberX was never used on this phone apart from WhatsApp that had
> PhoneNumberX linked to it.

WhatsApp's sole purpose is to be a data stealer for Facebook - the messaging
part is a side effect. It seems like it's done it's job as expected though.

iOS allows the concept of App Groups which means apps from the same developer
can talk to each other. Since iOS 11 the Keychain (a secure storage area for
access tokens, etc) persists even after uninstalling an app, so nasty apps can
put the tracking ID in there (you need to restore your entire device to clear
this)

> Facebook is using some form of secret fingerprinting that got Uber in
> trouble with Apple

Actually, there is very little information you can use for a fingerprint on
iOS. All devices are actually pretty similar.

What happened is that WhatsApp did what it was designed to do and got your
phone number (and contacts) and uploaded them to FB. When you installed the FB
app, it used App Groups to talk to the WA app to get your profile ID from
there, and link your WhatsApp profile with your Facebook one. In addition,
both of these apps will save a persistent ID in the keychain to track you even
if you were to delete & reinstall the app.

When you installed Instagram, it used App Groups to ask whatever other
Facebook app there was (WhatsApp, Facebook, Messenger, etc) to figure out if
any of them had a profile on you, and that's how it got your phone number.

This persistence mechanism is more advanced than most malware out there.

> What would security/privacy experts recommend in this situation?

Give the middle finger to Shitbook. Use the GDPR to your advantage to request
all your data to be deleted (but don't actually trust they will delete it,
because it's in their best interest not to). If you must use their services,
use a separate device, on a different carrier, with none of your data on it
(make a pseudonymous account if possible), and don't connect it to the same
Wi-Fi network as your personal device.

~~~
AndyGriffin
I applaud your elaborate and thorough reply. Thank you.

What it also made me think about is DeviceCheck. A recent framework
implemented in iOS that allows app developers to use persistent device
identification even after full device restore/reset. One can watch Apple's
very own developers pitching it as privacy friendly way to protect app vendors
from fraud while no mention of how it can be abused by the same app vendors
against customers privacy:
[https://developer.apple.com/videos/play/wwdc2017/702/?time=1...](https://developer.apple.com/videos/play/wwdc2017/702/?time=1444)

Given what you wrote, it is pretty clear how this feature can be and is
probably being abused by Facebook. Your recommendation is the only thing that
can remedy this indeed as resetting device just wont do anymore.

For people who somehow already got into privacy trouble with Facebook or
Google but don't want to change/sell a device, this method might prove to be
useful: [https://stackoverflow.com/questions/48239712/is-
devicecheck-...](https://stackoverflow.com/questions/48239712/is-devicecheck-
or-indentifierforvendor-safe)

Acquiring .ipa file of an app, then altering Bundle ID in AirSign and side
loading it to your device using XCode thus resetting DeviceCheck identifiers.

Overall, this is a dark chapter we are entering. Companies groom themselves to
literally own customers's mind as the only safe route to maximizing profits.

> Use the GDPR to your advantage to request all your data to be deleted (but
> don't actually trust they will delete it, because it's in their best
> interest not to).

While learning about GDPR, i have learned that indeed companies may not honour
data deletion requests. Have you made any research on how such requests should
be implemented especially if one does not reside in the EU? Would using VPN be
sufficient at the time of making such request? Interested in submitting such
request to Google.

Also what is curious in case of Facebook, they have moved their users from
Ireland to US so they don't have to comply with GDPR:
[https://www.theguardian.com/technology/2018/apr/19/facebook-...](https://www.theguardian.com/technology/2018/apr/19/facebook-
moves-15bn-users-out-of-reach-of-new-european-privacy-law)

------
happybuy
_What would security /privacy experts recommend in this situation?_

It sounds glib, but the obvious and best recommendation is to delete both
Facebook and Instagram apps from all of your devices.

It's not feasible to expect to use apps such as this – whose primary design
principle is to track and extract as much data as possible from it's users –
without being tracked cross-app and cross-device.

For a similar reason, when I launched my adblocking app
([https://www.magiclasso.co/](https://www.magiclasso.co/)) I didn't release an
Android version. It is a losing battle trying to work against the key reason
that something exists. In the case of Android it is owned and developed by the
world's largest advertising company, so it would be futile trying to create a
privacy and security first adblocker in such a hostile platform and
environment.

