
Ask HN: How does Instagram know who I am on Facebook? - insta_anon
I recently had an interesting observation concerning the Instagram app and the account matching algorithm(s) that Facebook uses and would like to ask for your opinions.<p>Following scenario:
I have an iPhone X running iOS 11.3.1 with FB Messenger and Whatsapp installed, but not the Facebook app. Messenger doesn&#x27;t have access to my contacts but WhatsApp does. A couple days ago I installed Instagram from the App Store and created an IG account using an email like this &lt;lots_of_gibberish&gt;@&lt;domain&gt;.com (I have a catch-all setup for this domain). I didn&#x27;t give IG access to my contacts, didn&#x27;t provide my phone number nor connected it to Facebook.<p>At first the suggestions for new contacts in IG were completely random. However, after about 20-30 seconds the list of suggestions updated and showed me IG accounts of friends on Facebook.<p>I repeated this experiment, deleted &#x2F; installed the app, checked the iOS privacy controls, made sure not to enter the phone number or allow access to contacts, and again, I got the same account suggestions from FB friends.<p>I don&#x27;t undestand how Facebook &#x2F; Instagram is able to pull this off. The Instagram account email hasn&#x27;t been used at all before, the app doesn&#x27;t have access to my contacts and doesn&#x27;t know my phone number. AFAIK iOS apps are sandboxed and can&#x27;t fingerprint the device nor access each others cookies? So that leaves matching by IP and &#x2F; or location, however in a large building that would be quite inaccurate?<p>So how does Facebook do this?
======
ecesena
Probably your device id, or the so-called advertiser id, which might be at the
company level, and thus shared across FB services.

~~~
insta_anon
See the other reply, if "Limit Ad Tracking" is enabled, this should not be
possible, right?

------
parliament32
Your device has a several unique IDs that can used by apps to link your
"profile" across unrelated services. Most likely
[https://developer.apple.com/documentation/adsupport/asidenti...](https://developer.apple.com/documentation/adsupport/asidentifiermanager)

~~~
insta_anon
I just checked and "Limit ad tracking" was indeed turned off (thus enabling
the unique identifier). However, I turned it off and reset the ID, reinstalled
IG, created a new account and it _still_ showed FB contacts.

~~~
Rjevski
Since iOS 11 (I believe) the "keychain" persists across app reinstalls. Shitty
apps thus put a tracking ID in there to guard against app reinstalls.

If you reinstall your entire device (thus clearing the keychain) you should be
able to break the link.

There's also the issue of App Groups, which means that apps from the same
developer (Facebook) can share data between them, so if you have Facebook or
WhatsApp installed along they can all talk together and figure out what your
other accounts are.

~~~
insta_anon
Thanks, I actually never heard of App Groups before. But this totally explains
it.

------
rockoo
Most likely some sort of fingerprinting of your device..

Since you use three different facebook services as well providing the access
to phone number of the device to whatsapp, facebook has a pretty solid idea
who the device belongs to.

This is an opinion not a fact but is something that is extensivly used to
identify returning users (on i.e. different browsers / devices etc.) To
services

------
pookeh
Your wifi id, private ip and public ip.

