Hello,
I have a curiosity question, related to privacy. I recently found that eBay was able to confidently identify me when I would not have expected. By the way, I work in tech, often dealing with security and basic privacy. I am well aware of "fingerprinting," but typically that is used to break up people into subsets, or cohorts, not individually identify the user. And of course, even when it does, it typically won't show/tell the user that it has successfully done so. Anyway, here's what happened:
1. I visited eBay using FF's "Private browsing" in "Strict" mode, over a VPN connecting to country "alpha". This was running directly on the host OS of Windows 10, with a non-default (but common) window size, and one very common browser plugin. eBay marked me as belonging to the country of my VPN endpoint, and set the region and currency accordingly.
2. I close the private browsing window, change VPN endpoint to country "beta", and re-connect to eBay. It still recognizes the previous region settings, even though my VPN endpoint is in a different country. Thinking maybe cookies were not wiped until the browser session was completely terminated, I go a little further;
3. Close all browsing tabs, go to settings, and manually clear all data (cookies, cache, etc.). Change VPN endpoint again.
4. Connect to eBay again. It still recognizes me. Note that I have not changed any other signals about the session. Browser window size has not changed, still the same OS, the same browser version, the same browser plugin. I did these tests in quick succession, which could also be a signal to them. But this session did not carry a cookie, and was coming from a different IP address. All cached data had been cleared (supposedly, at least).
Is eBay's fingerprinting just that good, that they actually identify me individually, without a cookie and coming from halfway around the world? Or is there some other tracker or signal they are able to follow me with, to re-identify me?
I was running FF on a transparent virtualization layer, so I just wiped all data stored by FF since the testing started, switched to another VPN endpoint, and just like that, eBay had no idea who I was again. But why didn't FF's Private browsing, or the built-in data wipe (cookies & cache) de-identify me? I can't see it having been advanced fingerprinting, or it would have seen through me wiping the virtualization layer.
Thank you!