
Curiosity - tracked despite private browsing, VPN, and manual browsing data wipe

  • 4 replies
  • 0 have this problem
  • 16 views
  • Last reply by Figure8565


Hello, I have a curiosity question, related to privacy. I recently found that eBay was able to confidently identify me when I would not have expected. By the way, I work in tech, often dealing with security and basic privacy. I am well aware of "fingerprinting," but typically that is used to break up people into subsets, or cohorts, not individually identify the user. And of course, even when it does, it typically won't show/tell the user that it has successfully done so. Anyway, here's what happened:

1. I visited eBay using FF's "Private browsing" in "Strict" mode, over a VPN connecting to country "alpha". This was running directly on the host OS of Windows 10, with a non-default (but common) window size, and one very common browser plugin. eBay marked me as belonging to the country of my VPN endpoint, and set the region and currency accordingly.
2. I close the private browsing window, change VPN endpoint to country "beta", and re-connect to eBay. It still recognizes the previous region settings, even though my VPN endpoint is in a different country. Thinking maybe cookies were not wiped until the browser session was completely terminated, I go a little further;
3. Close all browsing tabs, go to settings, and manually clear all data (cookies, cache, etc.). Change VPN endpoint again.
4. Connect to eBay again. It still recognizes me.

Note that I have not changed any other signals about the session. Browser window size has not changed, still the same OS, the same browser version, the same browser plugin. I did these tests in quick succession, which could also be a signal to them. But this session did not carry a cookie, and was coming from a different IP address. All cached data had been cleared (supposedly, at least).

Is eBay's fingerprinting just that good, that they actually identify me individually, without a cookie and coming from halfway around the world? Or is there some other tracker or signal they are able to follow me with, to re-identify me?

I was running FF on a transparent virtualization layer, so I just wiped all data stored by FF since the testing started, switched to another VPN endpoint, and just like that, eBay had no idea who I was again. But why didn't FF's Private browsing, or the built-in data wipe (cookies & cache) de-identify me? I can't see it having been advanced fingerprinting, or it would have seen through me wiping the virtualization layer.

Thank you!
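Added example, not part of the original post: the post reports that wiping everything Firefox had written to disk ended the re-identification while Clear Data did not, so hashing the profile directory before the visit, after it, and after clearing narrows down which on-disk files kept their post-visit state. The file names in `demo()` are constructed stand-ins, not real Firefox profile files.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative path: SHA-256 of contents} for every file under root."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            try:
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                digest = "unreadable"  # e.g. locked while the browser runs
            snap[path.relative_to(root).as_posix()] = digest
    return snap


def survivors(baseline, after_visit, after_clear):
    """Files the visit created or changed that clearing did not undo.
    'kept' = identical to the post-visit state; 'rewritten' = changed again."""
    touched = {f for f, h in after_visit.items() if baseline.get(f) != h}
    result = {}
    for f in sorted(touched):
        now = after_clear.get(f)
        if now is None or now == baseline.get(f):
            continue  # deleted, or restored to its pre-visit content
        result[f] = "kept" if now == after_visit[f] else "rewritten"
    return result


def demo():
    """Constructed stand-in for a profile directory (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        prof = Path(tmp)
        (prof / "cookie_store.db").write_text("empty")
        (prof / "settings.txt").write_text("window=1200x800")
        base = snapshot(prof)
        # Simulated visit: two stores gain state.
        (prof / "cookie_store.db").write_text("region=alpha")
        (prof / "site_state.bin").write_text("id=constructed-123")
        visit = snapshot(prof)
        # Simulated "clear data": only the cookie store is reset.
        (prof / "cookie_store.db").write_text("empty")
        return survivors(base, visit, snapshot(prof))
```

Take the three snapshots of the real profile directory with Firefox closed, so that files are not locked and pending writes have been flushed.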


All Replies (4)


Did you verify that the IP was changed? Did you use "Forget About This Site"? Does restarting Firefox work?


cor-el said

Did you verify that the IP was changed?

Yes, the IP changed successfully.

Did you use "Forget About This Site"?

No, I went hamburger menu > Settings > Privacy & Security > Clear Data, and cleared all. The "Manage data" option indicated that there was nothing left after doing so.

Does restarting Firefox work?

Nope, restarting the browser did not work. I tried that after using FF's Clear Data feature, but forgot to mention that.

Modified by Figure8565


Figure8565 said

I did these tests in quick succession

If you are too quick the VPN connection might not be ready yet. It's easy for a connection to momentarily go through the wrong endpoint unless you configure the browser to strictly use a specific endpoint at all times.


zeroknight said

Figure8565 said

I did these tests in quick succession

If you are too quick the VPN connection might not be ready yet. It's easy for a connection to momentarily go through the wrong endpoint unless you configure the browser to strictly use a specific endpoint at all times.

Good point, but I didn't mean *that* quick. In this case, the browser is only allowed to access the VPN. Direct access to the WAN is blocked at the gateway, as well as by settings in the browser. I also verified that the WAN address had changed prior to each test.

Thank you for the tip, though.
