Privacy impact of Google Apps from Aurora (anonymous login)

Creepy :cold_sweat:

Thanks for this thorough response. So using Google Translate via the web-page interface would be safer then? At least it won’t check (1), (4) and (5)?

Yes, on a web page it won’t have access to (1), (3), (4), (5) and will have limited access to (2) as it will only show your phone name, but the default browser on /e/ also hides the device, it only shows “Unspecified device”. It also doesn’t show the exact Chromium version nor the correct Android version, so all devices using /e/ have the same user agent to blend more.

Other browser will have different behaviour, Vivaldi shows your device name but it present itself as the default Chrome browser so you can’t really tell it’s Vivaldi. Privacy Browser default user-agent is only “Privacy Browser/1.0” but since few people use it you’ll be very different from the swarm of users, so the best option would be to choose the “Chrome on Android” user-agent as it presents as Chrome on Pixel 5.

Can you share where this can be accomplished in the settings?

Also interested in this. If I actively utilize different VPN servers (all have different IP addresses) day to day how does Google, or in your example Matomo, still ID me directly with the said various IPs? Is this only done using methods 1-5 as outlined by an application installed at the OS level? I appreciate the response so I can learn more. Thanks!

Edit: Also, wouldn’t sandboxing these apps hide the apps/info in the non-sandboxed profile?

THIS may be of help as well to see what device info your browser knows.

1 Like
  • Settings
    • Apps & Notifications
      • See all # apps
        • <App info> (You can get here by long pressing the app in your launcher or the titlebar of the app switcher)
          • Mobile data & Wi-Fi
            • <Disable “Background data”>

The IP is merely one bit of the fingerprint and it’s used mostly to group users, like “they live together” or “this probably is the phone of this computer”. Consider a household with 2 persons, each with a phone and a laptop, all those devices share the same IP, but you can clearly know which is which because there’s a lot other stuff to fingerprint.

For a software installed on the OS, like a phone app, using (1) to (5) is enough to be pretty sure it’s the same user no matter the IP, but most apps won’t use those because they can simply generate a UUID, which is a unique id for that installation. Everytime the app phones home they send this Universally Unique ID along to tell which user it’s coming from, constantly reinstalling the app won’t help either because (1) to (5) plus your IP and other possible information they can harvest can be used to know that new UUID is from the previous UUID, they can also create ways to make sure the UUID generated ends up the same when reinstalling.

Now for websites, look at the link you just sent from deviceinfo, there’s a lot of information there, each of those is one thing to build a unique fingerprint.
Do all your devices have the same OS?
The same browser at the same version?
The same graphics card at the exact same driver version?
Do they all have only stock fonts installed?
Do they have the exact same screen resolution and DPI?
Do they all have a browser with stock UI settings? (I can detect if you have the favourites bar)
Do they all have the browser always maximised? (if not I can know the exact size and this size is hardly equal across users)
Do you always keep CapsLock enabled?
Do they all have a CPU with the same core amount and the same architecture?
And what about the device itself, are they all equal? Even if they are, small differences on the chips of the CPU, motherboard, graphics and audio cards as well as their combination and drivers installed can give different results for Canvas and AudioContext fingerprint. Canvas fingerprinting consists of crafting a special image that with different CPU, GPU and drivers it can create different images and when you create a hash (a fingerprint of the image) it’s unique for that combination. AudioContext is the same but with a crafted audio sample. These are not 100% unique, but mixed with all of the above it creates one.

All of these web fingerprints can also be available for the apps on your phone.

The best approach for confusing the algorithms is to use multiple different browsers and devices and each browser/device is tied to a different service. On all of them block everything that is not from the website itself, like block Facebook like buttons, Twitter feeds, etc. So, let’s say you need Facebook, keep it tied to a single device and browser. Never access it on another device or browser. If some connection to Facebook occurs on the other devices and browsers the maximum they can get is that it could be from a different computer on the same network.

Using a VPN only on one device will help not create an association with the other devices on the same network. But you must never ever login to Google, Facebook, Microsoft, or other BigTech on this VPN’ed device, otherwise you just linked everything together. This is exactly the same for Tor, and a reason I always tell people to NOT USE TOR ON BRAVE OR ANYTHING OTHER THAN THE TOR BROWSER. The anonymity on Tor comes from both Tor AND the Tor Browser, other browsers will share all the fingerprinting they have and you become unique, Tor Browser prevents all that fingerprinting. That “super private window with Tor” from Brave is complete bullshit and useless, never use that for God’s sake, specially if you need to be anonymous.

Yes, sandboxing won’t show the apps installed outside the sandbox, but (2), (3) and (4) are still available with the exact same info from outside of it. (5) might be different because the sandbox uses another internal network, but I haven’t tested, it could be the exact same information.


Thank you for taking your time to reply and help educate. I was aware of the basics of fingerprinting but I now see more. I would think GAFAM has their AI working overtime doing exactly what you have outlined. To avoid all tracking seems near impossible for a regular privacy focused user like me. Nevertheless I would like to stay as private as possible.

Edit: Appears the TOR browser is the way to go. Just too slow for me to use regularly. Best utilized for when one wants to be sure fingerprinting tactics won’t work.

Never used a “Private” tab in my life. :slight_smile:

Can you share any insight on your view of ORBOT?

Thanks again.

*Seems to me fingerprinting is still possible by apps, do you see otherwise?

Maybe Brave has DIALED BACK? Seems pretty open about it, no?

Tor applies on what I said about keeping things per device/browser. What you do on Tor stays on Tor. I.e. you never login on Tor with something you created outside it, nor you login outside Tor with something you created in Tor. Tor should not be kept running for too long too, the chances of figuring out who you are increases the longer you keep the session open as more information for cross-checking starts to pile up. Anonymity on Tor Browser works because of Tor and the anti-fingerprinting of Tor and the auto-cleanup of everything when you close Tor Browser. As you keep running Tor Browser it start to accumulate cookies, localStorage, invisible pixels; closing Tor Browser to clean all that is necessary for anonymity.

For example, let’s say a Tor user is navigating on multiple pages, some of those pages have google connections like google analytics. Google Analytics saves cookies in your browser to let them know it’s the same person across multiple pages with google analytics, they don’t share with the site owners that this Tor user has visited all those different websites, but they sure know it. As this user access more sites google is constantly building a profile and the more sites the users navigates the better the profile. Then this person decides to access multiple news sites from Australia, boom, the profile now has a country for that person. Looking too many news from New South Wales? We got a state. Canberra news? We got a city. Now all the traffic in the session has a country, province, city and probably even the gender and much more. If the user now closes Tor Browser it’s all gone, the next session they’ll just look like any other Tor user.

A ridiculous example to probably better illustrate is: I create a bomb, take a picture holding it next to my face, sign the photo and glue it on the bomb. Now I put the bomb to be delivered to the Eiffel Tower in a postal service that doesn’t require me to identify in any way, I don’t even need to be on the place they get the package, I just drop it in a hole that has no cameras around and even their delivery guys are just randoms that just drop the package randomly until it reaches the destination. Is the bomb in the Eiffel Tower anonymous? Of course not, my face and signature are there to prove I’m the author of the bomb, using an “anonymous postal service with random deliverers” didn’t change anything.

Orbot is useless except for some rare occasions, as I just explained your anonymity on Tor requires the minimum amount of information going into Tor. If you put everything to go through Tor you are giving more opportunities to fingerprint you, every app that uses some known tracker you don’t block will allow profiling the device, even if it doesn’t include a known tracker it might track you and sell to the best bidder. Unless you have a 100% degoogled phone that you have disabled GPS completely, don’t have a single app from play store or with trackers and don’t have a SIM card inserted then it won’t really improve anything. You’ll just have a slow experience while still being fingerprinted and profiled. But now worse because you have a false sense of security.

It can also be used as a free VPN to “sandbox” the device, but you must apply the each service into a single device philosophy as I explained before.

Yeah. I guess the old marketing staff was the normal “we have no idea how it works or what it does, but you totally need it”. Or maybe it was the new developer who don’t have knowledge of how anonymity and security truly works and thinks slapping “Encryption”, “FLOSS” and “Tor” auto-magically make it anonymous and secure.

To explain how Brave on Tor doesn’t really help it’s because it still sends all the same fingerprinting you can see on deviceinfo on both normal and private/tor windows. The only difference the site will see is the different IP. It might be enough to trick the dumb local site that doesn’t really want to track you, but not even close to even start tricking Google. Even with Brave fingerprinting protections you are still leaking a lot of them, as I said before, even your screen resolution and window size are a fingerprint part, a reason why Tor Browser starts not maximised and the screen size only changes in steps.


Thanks for the reply. I see and understand how fingerprinting works much better!

Gosh… :neutral_face: that’s depressing.

I mean I recently switched to a de-googled phone and it’s a pain in the neck half of the time, but in the end I still need some commercial apps to go about my life, banking apps, transport and delivery applications, some commercial messaging app like Line App. Tracker Control does catch a bit. But some of these apps just run on and won’t work if blocked. Then there’s the browser finger printing and I am not even sure of how much data Duck Duck Go browser (which I chose) is able to block. Even then fingerprinting can help build a profile and that can’t be blocked (perhaps only spoofed). Then there’s all the logins (I’m using email aliasing everywhere to avoid linking accounts hoping it has some impact).

But then I wonder: is it really efficient? Is all the trouble worth the results? I’m not verse enough to even understand everything and need to take your word on it. Maybe in the end I’ll be caught by Google and the Zuck machine. So sometimes i ask myself why don’t I give in and install stock android and enjoy the pros?

Utilizing PRIVACYBREACHER I have verfied all this information is indeed obtained by apps with NO permission. Is there someway to block apps/websites from obtaining this data without permission? Say, app(s)/functionality that blocks this with root permissions? I am blown away at how this information is exploited to fingerprint people.

Yes it is. My parents have tracker blockers and ever since the ads, when they show up, are much less targetted and Google, Microsoft and Facebook slowed down on their “suggestions”.

When I still had a Google account (1 year ago? Though I was not using it for some years already) there was a place you could check what was your profile (I never gave them my real name, phone number, nothing) and the only thing the profile said was “woman 18~50 years old”, or in other words: “we have no idea, so we are just guessing the largest population demographic on Earth”.

Not that I know. It requires a change in the Android source code. The /e/ team might be able to create some circumvention mecanism where if you deny it, it responds with an empty response, but this is a huge effort that will take a long time to develop.

Disturbing… So no matter if I use a browser or applications all I can do is minimize my unique fingerprint. Pretty alarming. I hope more people wake up.

So last night I installed WebApps which seems to be sand boxing website each in their ownncontainets while providing a home shortcut. It seems to include tracker blockers and spoofing browser type. Though I’m not sure of what it does in action because it is not verbose about it like other browsers like Brave or DuckDuckGo or like Tracker Control.

  1. If you do really care about privacy be careful with PlayStore Ad-,Crap-,Spy-,Malware in /e/ served to you by Aurora. (Many serious Apps include unwillingly Spyware because they have been developed on trojanized developer tools. The providers of those tools make their living by selling the profiles of the users of their costumers, who use their tools…)

  2. If you have to use - or think you need - some of those Apps (many of them filled with trackers, and other spyware) make sure your rooted phone runs a well configured AFWall+. Or if you are more comfortable running an unrooted /e/ device install and configure carefully Blokada (Which simulates a VPN and thus spoils real VPN services… but is better than nothing). Sooner or later you will learn that you have to fight for your privacy on package level.
    (After a month or so do a detailed logging of the data streams these apps send and receive - wireshark is your essential friend and guide to privacy!)

  3. If you have learned that - have a look on the Xposed framework and things like XPrivacyLua. This opens the Android access for you - and if you have no clue others - to a new level.
    Keep logging and analyzing. Try to attack the ssl encryption of your apps by setting up prepared APs and analyze the packages.

  4. If you really need good privacy dump your iPhone, /e/ Android hardware and go for a Linux Phone (iptables, kill switches, and almost no apps…). Make sure it is open hardware and regularly compare fresh X-rays of your phone with reference X-rays the vendor provides. (Hello Andy!)
    “Just because your paranoid doesn’t mean that they are not after you.” :slight_smile:

Beeing paranoid on the Wiretap device you call “your” phone is usually justified. /e/ makes bad things less bad - but sadly is only a building block on your way to a less monitored world.


Some additional INFORMATION regarding canvas finger printing done through websites directly using HTML5 /JavaScript. Worth a read especially to understand another dimension regarding utilizing only websites via mobile browsers.


You can also install Microsoft Translator

to share data with more companies? :confused:

This topic was automatically closed after 8 days. New replies are no longer allowed.