Well that's terrifying

Edit - this is in DuckDuckGo, which has an option to enable App Tracking Protection (Android only feature). In the past hour it's blocked hundreds of attempts from Google to track my data from non-Google apps. I won't tell you what the data is because it's genuinely horrifying, but you can find it in the thread below.

@TheBreadmonkey

Install the duckduckgo app and enable app tracking protection.

Then watch in horror as it tells you exactly what apps are trying to collect your info, what info and how often.

For example, looking at it right now, 1842 tracking attempts from just 3 apps in the last 7 days.

453 attempts just from my banking app in the last 24hrs... sending info to google and adobe. When you look at what kind of info... here's a list sent to google that was requested 240 times in the last 24hrs.

Device boot time
Gender
Device orientation
Postal Code
Device Model
Unique identifier
App name
Network connection type
Last Name
First Name
Address
Device Name
OS build number
State
Local IP address
Device memory
app version
City
Device brand
Advertising ID
Available storage
GPS co-ords
Headphone status
App install date
System volume
Screen resolution
Timezone
Country
Charging status
Battery level
Cookies
Network Carrier

That's 32 pieces of information sent to google constantly.

Adobe only want about 20 pieces of that information, but asked for it 213 times in the last 24hrs. Most of it the same as above but also requesting your email address, language settings and not so interested in device charging or battery level.

That's 1 app... in 24hrs.

It's worth noting that this is the number of attempts that were blocked... not the actual times that info was sent. The DDG app blocks it, and my VPN app also has app tracking blocking.

@Anomnomnomaly

Jesus fuck

@TheBreadmonkey time to install Tails OS again, methinks @Anomnomnomaly
@TheBreadmonkey I've mentioned it on fedi before, but I had my personal info posted on Doxbin, and that's what got me into privacy tools!  @Anomnomnomaly

@CatsWhoCode @TheBreadmonkey

I've worked in IT for 25yrs, from starting out doing customer support, to gaming development, and with various software companies... I got to see behind the curtain briefly and was horrified at what I saw.

It's why I am so anti social media and refuse to use it... and a huge advocate for blocking all tracking where possible.

I can't stop it all, but I can make what's collected next to worthless... poisoning the well so to speak.

@Anomnomnomaly @CatsWhoCode @TheBreadmonkey

Don't forget to enable blocking of some apps that won't be blocked by default. (And check if they still function)
All browsers don't seem to be a problem. It even blocks trackers that apparently come through websites.

@Anomnomnomaly @CatsWhoCode @TheBreadmonkey but you’re using Mastodon?
@JonChevreau @Anomnomnomaly @CatsWhoCode @TheBreadmonkey I suspect they mean corpo social media. Mastodon, in fairness, tracks very little.

@gavin57 @JonChevreau @Anomnomnomaly @CatsWhoCode

I'm tracking you all. I'm triangulating all of your signals.

@TheBreadmonkey yeah, it sucked but I was secretly like "I'm that notorious?!"  @Anomnomnomaly

@CatsWhoCode @TheBreadmonkey

I don't use my real name anywhere on social media... there's only a handful of people who are even aware of my real name and even then it's just my first name.

I use different email addresses across different sites, I also have @duck.com and @proton email addresses that forward emails and strip out trackers... very handy for online sign ups.
I literally have email addresses that are thisisaspamtrapaddress@ and gonnagetspaminmyspamtrap@ addresses that I use.

I have 2 gmail addresses... I use neither of them aside from netflix when I signed up to that 12yrs ago before I started seriously trying to poison the well.

@Anomnomnomaly @CatsWhoCode

Ben's not even my real name. I'm called........... Nick. And my real account is @Nickiquote, although I'll never admit to it on that account and will probably say something like 'no Ben's being stupid I'm not Ben I'm Nick', but know that I'll be lying to protect my identity. Feel free to hurl facts about Evita the musical at me, because that is my very favourite thing in the world. 👍

@TheBreadmonkey @Anomnomnomaly @CatsWhoCode @Nickiquote at birth my mother was adamant that I wasn’t Phil Collins.
@TheBreadmonkey that's really you?? I definitely will. @Anomnomnomaly @Nickiquote
@CatsWhoCode @TheBreadmonkey @Anomnomnomaly Yes, I am Ben. please remit one million pounds to me immediately for bread-related activities
@TheBreadmonkey @Anomnomnomaly @CatsWhoCode @Nickiquote Did you know that the working title for one of the infamous songs from Evita was Don't Cry For Me, Ballymena?

@artnacrea @Anomnomnomaly @CatsWhoCode @Nickiquote

I thought it was about the TOWIE/Made in Chelsea crossover with James Argent and Tina Stinnes

@TheBreadmonkey

i am not too bothered.

i assume they are trying to sell me shit.

it won't work.

i am too tight.

however when we go full fash i will be the first up against the wall.

but don't want to live in that world anyway.

@Anomnomnomaly @CatsWhoCode @Nickiquote

@Anomnomnomaly @TheBreadmonkey What does the app do that a Pi-hole doesn't? I've also got ublock origin and privacy badger for FF, but that doesn't help for apps. I guess the duckduckgo app can break it down by app, which is more interesting for rooting out the culprits.

@davep @TheBreadmonkey

A pi-hole is only protecting you when you're at home and I've not looked into a pi-hole setup (keep meaning to, along with running home assistant on it) so don't know how good it is at blocking all of those things.

@Anomnomnomaly @TheBreadmonkey
Hmm, has in-app purchases. I'm probably better off sticking with Firefox using ublock origin and privacy badger (and my Pi-hole, I work from home).

@davep @TheBreadmonkey

It's mostly suggestions to sign up to the ddg vpn and anti theft measures that come with the DDG Privacy Pro version.

But at £9.99 a month or £99.99 a year... No thanks.

@Anomnomnomaly @davep @TheBreadmonkey one additional point is that a pi-hole doesn’t prevent apps from using other means to resolve IP addresses (eg. using their own DNS servers). I don’t think DDG is any different there other than being able to inspect what’s in the payload of what it detects.

Pi-hole is good (I run one) but it is another thing to keep updated, vs something like DDG which presumably has updates pushed to it more regularly.

@Anomnomnomaly @davep @TheBreadmonkey Unless you use your phone over a VPN to your home network, which isn't a bad shout if the alternative is raw dogging public WiFi.

What does the app do that a Pi-hole doesn't?

Run on the client device, that is what it can do that Pi-hole (generally) doesn't.

DDG's ATP just runs on the same device that you wanna filter on; generally Pi-hole is set up on home networks. It can also more easily break it down per-app as it (ab)uses android's VPN APIs to get access to (and filter) network traffic, and as such it can easily track which application(s) a given request came from.

@alexia @TheBreadmonkey @davep

I really need to read up on setting up a pi-hole. I think I've become a little lazy about learning new tech stuff as I get older.

I want to use a Pi for home assistant too, mainly to trigger charging cycles for my solar batteries to take advantage of cheaper rates on their agile tariff... I can charge when it's under 10p and export for 15p per kwh.

But it requires me to get off my arse and do it... plus the expense of buying the hardware.

@alexia A similar app I have been using for a long while on Android is Rethink. It's an independent project who also runs their DoH/DoT relays too.

I haven't used DDG ATP to know its features but I find Rethink to be more flexible because I can put my Wireguard configs in it, or use a proxy like Orbot, get traffic overview, completely isolate apps and use custom DNS blocklists when I want to. Pretty great really.

@alexia
As an alternative, you can run #Blokada on your phone. The advantage is that it can use multiple blocklists simultaneously, not just #DuckDuckGo's. The disadvantage is that it doesn't tell you which app tried to track you, and so it's harder to identify and remove apps that don't respect your privacy.

#tracking #surveillance #advertising

@Anomnomnomaly @TheBreadmonkey Ok, I've installed the Duckduckgo browser and enabled App Tracking Protection. I guess it's a sort of proxy. I hope it doesn't take over DNS from my Pi-hole though.
@Anomnomnomaly @TheBreadmonkey
Interestingly, Alibaba and AliExpress didn't trigger anything, but my EV charging app did. I like this functionality 👍
@Anomnomnomaly @TheBreadmonkey As does my trading app, grr (not that I have any shares).

@Anomnomnomaly @TheBreadmonkey There's about 10 apps that are transferring data in the background. I highly recommend disabling this unless you really need notifications.

This is a great health check tool, thanks.

@Anomnomnomaly @TheBreadmonkey I've just enabled it for Firefox (which is an exception by default). The ones in the screenshot got past ublock origin and privacy badger.

I also enabled it for the Play Store, WhatsApp and Signal and haven't seen any issues so far.

@davep @Anomnomnomaly @TheBreadmonkey
I saw this exchange yesterday and immediately turned it on.
Loads and loads of info blocked from going out, but I believe (hope) it's not as bad as it looks.
Among the apps being blocked is my banking app. Info is going to Google.
But what it says is that Google is *known for* collecting the following data: ...
I'd be pretty pissed if my banking app sends my email to Google on a regular basis. I would hope there's a less nefarious explanation.
@MennoWolff @davep @Anomnomnomaly @TheBreadmonkey what makes you believe that?
@StOnSoftware @davep @Anomnomnomaly @TheBreadmonkey
Because it says "known to collect:" and then the same 34 items.
The number of attempts per app is different, but it's the same number of data items for Google all the time. Same for Adobe and other places.
Note that DDG says they're known to collect.... Not "they tried to collect the following items from you".
@MennoWolff @StOnSoftware @Anomnomnomaly @TheBreadmonkey Yeah, I noticed that too. The numbers are always the same for Google or whatever, from different apps (and even the browser if you enable it, which can't send all this info, IIRC).

@MennoWolff @StOnSoftware @davep @TheBreadmonkey

I guess the only question that then prompts me to ask is.... Does it matter how often they ask for it?

The only reason it's asked for is to build a larger/better/more accurate profile of you for advertising... and as someone who actively seeks out and blocks ALL ads and will actually be put off products that are forced in front of my eyeballs... Their attempts are utterly worthless to them because they have zero effect on me.

@Anomnomnomaly @StOnSoftware @davep @TheBreadmonkey
Agreed. But all I'm saying is it might not be the case that all these apps send each of those information morsels to those companies. But you can bet that Google wants to know the unique advertising identifier for every app, so they know that the user of this phone uses this particular set of apps. So all they need is to get my email from one of them and they know everything about me.

@MennoWolff @Anomnomnomaly @StOnSoftware @TheBreadmonkey Yup.

I posted this yesterday by the way, which may be of some use https://infosec.exchange/@davep/114456034554470939

David Penfold :verified: (@davep@infosec.exchange)

Ooh, I just noticed you can now delete your Android Advertising ID. No idea when this appeared or if it's geofenced to the EU. Edit: Settings->Security & Privacy->Privacy Control->Ads 👍

@davep @MennoWolff @StOnSoftware @TheBreadmonkey

UK here, if I go to that setting, I can turn off everything under ads privacy (which I did years ago) and I can 'get a new advertising ID'

But there's no option to delete... maybe I no longer have one because everything is turned off... or it's just not an option outside of the EU because xenophobic fuckwits here listened to billionaire fuckwits who wanted to protect their hidden tax haven assets.

@Anomnomnomaly @MennoWolff @StOnSoftware @TheBreadmonkey I asked for one again and then got the option to delete again. I guess it *is* an EU thing.

@davep @MennoWolff @StOnSoftware @TheBreadmonkey

I just tried it, got a new ad id and then immediately deleted it... so it's not just the EU... I must have deleted mine the same time I turned off all ad privacy options... along with all location options and as much as I could for everything else.

@davep
It has never caused an issue on my setup, which also includes a PiHole and uBlock etc. Just another layer of protection, especially when away from Wifi.
@aaron Yeah, it's great. Currently disabling background usage for the apps sneakily trying to exfiltrate data.
@davep @Anomnomnomaly @TheBreadmonkey just like many other (I use #TrackerControl, mentioned elsewhere), it creates a pseudo VPN, so all apps, HTTP/S or not, are impacted.
@Anomnomnomaly Who do you use for VPN, if you don't mind my asking? I used to use one but it didn't seem to make much difference.

@SueDiOh

I used anonine (Swedish based) for 10yrs without any issues. But they started to go downhill a bit in the last couple of years.

I switched to Proton a couple of months ago. So far, no problems... A little bit more expensive, but a 2yr sign up deal for around £68 was too good to pass up.

I also check with the torrentfreak news website as they do in depth interviews with VPN providers every year.

@Anomnomnomaly Thank you very much!
@Anomnomnomaly Just saw your response. Thank you!
@LavenderPawprints @Anomnomnomaly @TheBreadmonkey I've never heard of this and I'm now interested. does it work on IOS? is it screen reader friendly?
@BlinkWithAKink iOS settings let us block all tracking, so the equivalent list of apps is empty.
@Anomnomnomaly @TheBreadmonkey also watch in horror as your RAM gets cooked by the ddg app
@johnglass @Anomnomnomaly @TheBreadmonkey I was a bit worried about this. Do you have any data on it?
@davep just personal experience.
@johnglass I've disabled background usage of apps that were sending data when not in use, this should help avoid intensive use of Duckduckgo.
@johnglass I think you're right. There's been a noticeable decrease in battery life.