WOAH - WTF?! How did FB do this? VPN sold me out?

Ok I am shocked, and can’t see how on earth this happened but hoping someone in here can help explain.

I want an FB account to contact someone on FB who I have no other way of contacting. I LOATHE FB so I avoided it for weeks, but really have to make contact now.

I went into Windows 7 on a VM running on my machine. I cleared all temp data and cookies (using a clear browsing data Firefox extension). I installed these extensions:

uBlock Origin, Privacy Badger, HTTPS Everywhere, Adblock Plus, WebRTC Disabled, Random User Agent.

I am using Private Internet Access VPN and connected to Hungary throughout the whole process (connected before starting Win VM)

I opened a private browsing window and went to facebook.com. I never use this Win VM for any browsing or for anything else really, it’s just installed in case I need Windows (I am on a Mac). I went to facebook.com and signed up for a new account. I used my real first name but random second name, random date of birth and I used my protonmail email address (which has only been set up a month or two and is rarely used).

I got the verification code, verified the account in Firefox private browsing window (same window/tab as used to create account) and it took me to my profile page to start ‘adding friends’ and all that BS. Here is where I had a heart attack…

It offered me “suggested groups” and they are all my local TOWN. I live in a very remote place, so CLEARLY FB KNOWS WHERE I AM. WTF?!

Grateful for any suggestions as to how the hell they know where I am! The only answer I can think of is PIA. I have done leak testing and my IP doesn’t leak as far as I know. I am totally confused, and more paranoid than before!

PS - I have resisted using Tor browser because I really don’t want to get flagged or watched, I don’t do anything illegal (by TODAY’s laws anyway, who knows about tomorrow!) - but now I am wondering about using it routinely. Having said that, would THAT even have prevented this happening?!


I’ve seen similarly creepy things.

My work computer is never ever used for personal stuff. I had to watch a YouTube video my work published for “don’t commit rape training” and YT clearly knew it was me, suggesting that I watch defcon, security, and linux distro reviews for the distro I run at home.

Creepy ass google.

Yeah, creepy isn’t the word. I spent half an hour setting up every possible block. I just can’t see how it’s possible. Unless PIA are a bunch of swines who pass along the IP, but I can’t see that being possible or they would have been outed by now!
I am completely stumped, and FB being FB, it now wants a phone number and it can take a running jump. But without logging in again I can’t delete the account, so that info is stored for EVER. Bastards

I have zero experience of Facebook, so I’m just throwing something in case it sticks.

Long before you created that account, Facebook was, in all likelihood, tracking you. Any website with a Facebook button (meaning, most of them) would track you silently, even if you had no Facebook account. Unless, I suppose, you had very effective anti-tracking measures in place.

So I would suggest you were identified through fingerprinting. What do you think?

I advise you to try tor browser, and use tenminute mail for sign up.


Hi, thanks for the input. I’m familiar with the evil tracking of FB, and of browser fingerprinting. I don’t use any browser without all those plugins installed, but FB probably found a way around those UBlock type plugins by now. I also don’t use FB.

Yes I am tempted by Tor but I was planning on setting up a separate machine for proper incognito browsing using Tor. This machine is more a work machine. I also don’t fancy the idea of downloading TBB only to be added to a watch list (which I am convinced does exist). Although I know you can get it another way (like ask a friend to download and post me a CD!)

tenminutemail - I haven’t heard of that but I used a mail forwarding service (33mail) and FB rejected it saying “invalid email address”. I thought “It’s Perfectly effing VALID, you just don’t like it because you want my real one you evil Mo********ers!” :slight_smile: I therefore wonder if tenminutemail might be barred too. I will take a look though thanks for the heads up

About your watch list fear, this blog post of mine might interest you: https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-1-myth-busting-tor

especially this part:
Tor will get me on a watch list! The claim that using Tor gets you on a watch list in a western society makes no sense at all. Not because it won’t ever happen, but because it would be useless in the case they did it. Analysis shows that the Tor network gets as many as 2 million users a day. That’s a huge list, big enough that targeted surveillance is no longer possible, and governments would have to rely on mass surveillance. Hey, mass surveillance, wasn’t that already happening somewhere? Oh yeah, it’s called the internet! The only place where using Tor could be dangerous is in nations with an oppressive government, but in that case a VPN is just as likely to arouse suspicion and get you on “the list”. Also with Tor, one can try to avoid detection by using bridge relays, which are entry nodes that are not publicly listed. Finally, it is worth considering what use of Tor protects you from, and whether that is more important than what the theoretical list would expose you to. It’s a little like thinking that using HTTPS will get you on a list, so you will no longer use HTTPS to protect yourself.


Have you told the address to anyone who might have imported it to Facebook through address book importing or could have added it to their phone contacts and given Facebook a permission to constantly upload it?

I don’t know your situation, but could you have asked someone who is a Facebook user to send them a message for you asking for their email or phone number so you could contact them outside of Facebook?

Adblock Plus isn’t needed with uBlock O, plus i do not trust that developer at all and the add-on is inferior to uBO

regarding PIA VPN, i think a lot of people have gripes with them - many seem to suggest Mullvad and they do seem to be a more ethical outfit (i’m using Nord, but i don’t particularly recommend them) - that said, i can’t imagine PIA gave up your IP

in addition to the FF add-ons, there’s a lot of privacy hardening that can be done - see the ghacks user.js - i wonder if a default FF setting was the cause of this issue

is there possibly someone with the name you used on FB that lives in your area? check the phone book

as far as FB phone verification, if you want to delete the account, i’m pretty sure there are web services that provide disposable phone numbers, or at least text messaging? however, i don’t know that i’d bother since whatever info FB has is probably minimal - i TOTALLY GET your frustration and i’d be REALLY PISSED myself, but i’m not sure trying to delete the account would accomplish anything - for one, they likely don’t delete the info, only hide it from public view

next time use a disposable email address too - as someone else said, maybe that was the common denominator???

lastly, i hate when the only method people provide to contact them is social media

oh, and i should add … if you ever used that email address to sign up for, or purchase anything, that very possibly could’ve given your identity away

Thanks Blacklight. That’s an excellent blog post (both of them). It sounds logical what you say, completely logical. However, it assumes that being on a “watch list” means they will want to do surveillance on them. I don’t think that happens, for the reasons you explained well in that article. However, you are just using logic (and good logic too) to make a rational guess about it. I do think they may just take NOTE of those downloading TBB. Various reasons why that’s my deduction/opinion:

  1. Past experience and contacts of mine. I can’t say with authority for a fact that downloads are monitored, but I am as sure as I can be that they are.
  2. It also passes the logic test in my view, i.e… Most people who START using Tor will continue to use it. ONCE they have it, they are much harder to watch, or even know about. So it stands to reason (for me) that IF the state (or G, or FB, or anyone else like that, basically they are still the “state”!) had ONE chance to know who is using Tor, at the download stage (many people probably download it via G!) then why wouldn’t they take a note of it if they could? At least just an IP. Maybe they can’t do anything once that person is on Tor, maybe they can’t find them (except in extreme cases, maybe not even then), but if they can easily note who is downloading it then I think they will, and are.

Considering it’s not hard to get a copy without downloading it on my browser, I think it makes sense to do so. If you’re right in thinking they don’t monitor even the downloads, I lose nothing. But if I am right in thinking that they do, then I avoid at least that step giving me away. I want privacy for privacy’s sake, I don’t commit crime etc, so I doubt they will ever have any interest in me. Therefore I think downloading it under their nose makes me MORE likely to be watched than I would be without, as no investigation would lead them anywhere near me. However, they don’t KNOW I just want it for privacy and am not a criminal, so it’s possible they could wonder if I am one of the criminals downloading it!

Your post was brilliant by the way.

Edit: I still can’t suss out the quotes thing!

Mikaela - Now that’s got me thinking!!

Firstly no I couldn’t ask someone else to send the message, it has to be from me.

Secondly… I have only communicated with a few people via proton, but yes one of them I believe has facebook and probably has the app. He certainly is on FB. Is it really that clever? Jesus, I just get more scared every time I do anything lately.

12b - Some great points there thanks.

Adblock - I didn’t know that, thanks. I will uninstall. I thought it was probably overkill to keep it after installing UBO

PIA - Yes I keep meaning to move away but can’t afford a better one. However after tons of research I settled on the best one being Perfect Privacy. I have just been waiting until I could afford it.

ghacks - I am really not techie enough for github. Everyone and their dog is a programmer there, and I certainly am not! Is it installable without being a coder?!

FB Name - No that’s definitely not possible. It wasn’t a name which any human would have. Well, the first name was a real name, but the second one wasn’t.

Phone - Yes I have heard of ‘phone bounce’ and a few others. I won’t be doing it though. I will just sign up again and see if I have the same experience after I try some hardening ideas. I only need it for single use contact then I won’t log in again.

Disposable email - I think FB is onto all those. I used a mail forwarding service (anything@myusername.domain.com) and it rejected that.

Yes, one of the reasons I want to contact him is to tell him to get the F off FB (permanently), and contact me elsewhere!!

I haven’t purchased anything with the email, and I don’t think I have signed up for anything either. It’s POSSIBLE I signed up for Vimeo or something like that with it though.

I think Mikaela may have cracked it. What a sneaky horrible place the internet is now :frowning:

Actually, NO! Mikaela - that couldn’t have happened (someone I contacted via protonmail having FB and uploading contacts). I just thought it through. I use a VPN ALL the time. I certainly make sure it’s running whenever I use ProtonMail in web browser. The contacts I have spoken to, only a few, DO NOT know where I live, nor even more than my first name. They are not friends of mine, just a few people I contacted about a few online services and such like. So even if one of them has FB app etc, all they could have on me is a first name (common) and my email, but NO location data.

So I am back to being fu**ing confused and even more paranoid :smiley:

Facebook isn’t scanning the work email of the attorney above. But it likely has her work email address on file, even if she never gave it to Facebook herself. If anyone who has the lawyer’s address in their contacts has chosen to share it with Facebook, the company can link her to anyone else who has it, such as the defense counsel in one of her cases.

That data comes from a range of sources, said Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation. That includes brokers who sell customer information that you gave to other businesses, as well as web browsing data sent to Facebook when you “like” content or make a purchase on a page outside of the social network. It also includes data about you pulled from other Facebook users’ contacts lists, no matter how tenuous your connection to them might be.

What if you don’t like Facebook having this data about you? All you need to do is find every person who’s ever gotten your contact information and uploaded it to Facebook, and then ask them one by one to go to Facebook’s contact management page and delete it.

Would you like it to get worse?


I think it has to be the shadow profile, even if I am not certain how. Can the contact who has likely uploaded your email have any contact to your other friends or family enough to link the accounts together and thus Facebook knows it? We will never know for sure though, but my links probably give the idea.

I think maybe it might be fingerprinting also. Even with all those blocks, I think that as long as javascript is turned on it’s become pretty easy to identify individuals across the web. (I really hope that this doesn’t become possible with CSS also.) And I think that agent spoofers do not work at all if they can use JS on you. That is really quite something, though, that FB seemed to immediately know who and where you are. It doesn’t sound like your protonmail account gave you away.
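The point above about agent spoofers and JavaScript, as an added example (not code from the thread or from any add-on mentioned in it): it cross-checks a User-Agent string against the properties JavaScript exposes and derives an identifier from the attributes a UA spoofer leaves alone. The environment objects are constructed samples; in a real page they would be read from `navigator` and `screen`.

```javascript
// A UA-spoofing add-on changes the header a site sees, but a tracker cross-checks
// that header against what JavaScript exposes (navigator.platform, oscpu, screen,
// time zone, languages ...), and the contradictions are a signal in their own right.

function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return "Windows";
  if (/Mac OS X/.test(ua)) return "macOS";
  if (/Linux/.test(ua)) return "Linux";
  return "unknown";
}
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return "Windows";
  if (/^Mac/.test(platform)) return "macOS";
  if (/^Linux/.test(platform)) return "Linux";
  return "unknown";
}

// Contradictions between the User-Agent header and the JS-visible environment.
// An empty list means the spoof is at least self-consistent.
function spoofInconsistencies(env) {
  const issues = [];
  const uaOs = osFromUserAgent(env.userAgent);
  if (uaOs !== osFromPlatform(env.platform))
    issues.push(`UA claims ${uaOs} but navigator.platform is ${env.platform}`);
  if (env.oscpu && osFromUserAgent(env.oscpu) !== uaOs)
    issues.push(`UA claims ${uaOs} but navigator.oscpu is ${env.oscpu}`);
  if (/Android|iPhone|Mobile/.test(env.userAgent) && env.maxTouchPoints === 0)
    issues.push("UA claims a mobile device but the screen has no touch points");
  return issues;
}

// Identifier built only from attributes a UA spoofer leaves untouched, so it is
// the same whatever the header says. FNV-1a stands in for the canvas/audio/font
// hashing real trackers use.
function fingerprint(env) {
  const stable = [env.platform, env.oscpu, env.screen, env.timezone,
                  env.languages.join(","), env.hardwareConcurrency].join("|");
  let h = 0x811c9dc5;
  for (const ch of stable) h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Constructed sample: one Mac seen with its real UA and with a spoofed Windows UA,
// plus a genuinely different Windows PC.
const macReal = {
  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:60.0) Gecko/20100101 Firefox/60.0",
  platform: "MacIntel", oscpu: "Intel Mac OS X 10.15", screen: "2560x1600",
  timezone: "Europe/London", languages: ["en-GB", "en"], hardwareConcurrency: 8, maxTouchPoints: 0,
};
const macSpoofed = { ...macReal,
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" };
const windowsPc = { ...macSpoofed, platform: "Win32", oscpu: "Windows NT 10.0; Win64; x64",
  screen: "1920x1080", hardwareConcurrency: 4 };
```

The spoofed Mac reports two contradictions and the same fingerprint as the unspoofed one, which is exactly why the header change alone buys nothing once JavaScript runs.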

whoa! i read your 1st post wrong - i assumed you started with a fresh instance of Firefox and a new profile - this could have been the cause

if you want to clear storage in Firefox, don’t rely only on an extension - select the clear history menu item, check all the boxes, then purge it - this will clear more storage than most cleaner add-ons will … but you need not do that - whenever you want to do something like you did with FB, just create a fresh profile (enter about:profiles in the address bar) - you need not install any add-ons as long as the site isn’t malicious (malware), but you certainly can

if you were using a previous profile, and had JavaScript enabled, that could have been the problem

Maybe because of your email? I mean, yeah, it’s new from 2 months ago, but who knows if it’s leaked. & if you want to use social media, do like me :stuck_out_tongue: I got Android x86 on my VirtualBox & did FB/Twitter with fake info & a photo from https://www.thispersondoesnotexist.com/ & for now FB did not know it’s me, but Twitter kinda got me xD