Today around 12:00pm EDT, a post was uploaded to r/whenthe by u/concussionmaker_91 about how despite their multiple privacy measures, Reddit was still able to ping their location and show them an ad about a business in close proximity to their house. Then, in less than 2 hours after the post when live, their year old account was permanently banned. 
Redditors in the comment section used a website called SnooSnoop to see if this account has done anything malicious in the past that may be grounds for a ban only to find nothing. 
I don’t think this is a mere coincidence and some comments I read on the post may be there to dismiss the situation.
I’m currently working on archiving the post and comments in case Reddit decides to try and erase this entire situation from the web, I’ll attach the files when I do.
They are likely fingerprinting their browser.
That identifies the user sure, not location. More likely, the VPN was off at one point and reddit logged their known location. Just ignore the IP and take the last known personal location.
Guys logged in so fingerprinting isn’t needed. They already got the guy. They’re still fingerprinting though
Or it’s just a bakery they’ve looked at online, and that has been packed into their advertiser profile.
So might not have anything to do with location. Also, most VPNs are data brokers. Which is why Israel’s Kape Technologies has been buying them up.
True. Weird a supposed privacy conscious dude doesn’t have an arblock and/or a tracker blocker to minimize that risk.
Ublock, Firefox, and Ghostery are friends
Not ghostery. uBO is fine by itself.
If they can identify the user’s computer, they can cross reference against all the other tracking metadata available. Since they know the browser down to the individual, they also know the predominant IP of said browser and can link your actions from before and after the vpn/proxy account was created.
As long as javascript is running they can track your mouse movement, which is similar to people’s gait when they walk. it’s unique, it’s identifiable. You can probably fuck with them by using a trackball on one profile, but once they link that trackball movement to your profile with other metadatas then the cat is out of the bag and you’re permanently known to Reddit and whoever it sells it’s data to.
As much as people will claim “just disable javascript!” - you’ll find that you practically cannot use the internet without it… and having JS disabled makes your fingerprint even more unique as few disable it carte blanche.
Basically, once they have a shadow profile of who you are it’s just a matter of time for them to link any account created to it. I suspect almost everybody’s shadow profile is quite complete.
Good thing I have never looked at anything questionable on Reddit…
Gonna need a source or a reference for that second part. Yes, I’m very aware that your mouse movement can be tracked, so we can skip that part.
Just look up mouse fingerprinting.
This was one of the first results for me.
The rest were companies selling user deanonimization solutions that use mouse fingerprinting.
^ Not to mention that considering how privacy conscious the OOP was there’s a good chance they had some way to limit IP tracking. When I verify log-ins for 2FA the approximate location shown in emails is rarely in my city much less close enough to pin any business near my home.
Edit: I skipped over the part where they had proxies active. Which leads me to my next question: If they had proxies active wouldnt they cover their tracks if the VPN fails?
deleted by creator
It just takes one time logging in without having VPN enabled for your account to be associated with a location. Their ad network probably filters out known VPN IPs, or IPs from countries where there are no ads to serve up, which might leave the only valid IP address associated with their account to be used.
It can identify the user and their hobbies, schedule, device, and all sorts of info depending on how careful the user is. Not too far of a leap to match it to a non vpn fingerprint with a known ip and location.
It IDs the user which is then matched to the last known location of that user.
Unless they’re spoofing their MAC address, hardware fingerprinting is much more reliable and predictable. It’s easy to watch a MAC bounce all over the country/world in a matter of minutes.
At this point in history, it’s too late to implement identity protections. Your profile is already built, stored, and backed up. They even know your deleted edgelord MySpace account and that you unfriended Tom (you monster). I guess if you were born in a ditch without a SSN, and never signed up for anything, not even a house/apartment, you could go under the radar.
MAC addresses don’t leave your home network, they are layer 2
I’m speaking from the point of view of the app you willingly installed that tracks your MAC address. Part of the reason iOS11 implemented built in spoofing, but I can tell you right now, I know Tim Apple ain’t on the users side anymore.
Never has been.
i was going to say something along these lines and also that the data they have on you has life long implications.
i used to work for a data broker and the tricks that their data scientists were able to cook up to track and predict people’s behavior was really unnerving to me.
the company’s clientele was mostly high end retail & real estate and geared towards predicting the likelihood of your next “lifetime milestone purchases” (that’s what they called it). i had access to the product; so i looked up its portfolio for me and it predicted that i was ever going to buy a house or car.
i chuckled at it back then because my salary as a software engineer at the time was a very comfortable 6 figures so it didn’t seem likely to me. 8 years later i’m scraping by working for a local non-profit, i’m still driving the same car and home ownership has never seemed further away.
MAC address is in the data link layer of the networking stack, and would only be seen by other devices on the same network as you. This isn’t visible to websites you visit (unless you’re on the same subnet), and as TCP packets go through network hops, the MAC address is replaced with with the routers MAC address for each hop.
The reason for MAC address randomization (standard on iPhone and Android) is not for anonymity to the websites you visit, but is there to anonymize the wifi broadcasts in your general vicinity, like a 30 meter radius. The MAC address is randomized so that broadcasts to check wifi networks while you’re out and about can’t be used to track your physical location.
I’m speaking from the point of view of the app you gave permissions to collect your hardware data. Y’all are talking like I think a MAC is transmitted over tcp. I don’t need an intro to OSI. Those apps use the hardware data to know if you’re using Samsung, LG, Apple, etc and they store large databases of MAC addresses on individuals. They can even build a local hardware profile to see if you sold your device, to whom, and what device you replaced it with.
At this point there are 100 easier ways to track users. They probably signed up with a personal email address.