After multiple EU-based users complained about not being able to access Threads app through VPN, Meta confirmed it is blocking such efforts.
It would be interesting to see exactly how Meta is managing to block VPN users. Is it simply a matter of looking up instagram or facebook account related to email addresses used to sign up? Is it evaluating some sort of browser fingerprint? That’s assuming VPN users are doing so via desktop, if it’s an Android device for example is the OS itself providing information that’s not getting obfuscated by the VPN?
I think Meta has very complex fingerprint service in their backend after all these years. They know what you are doing even when you are not using their service. Their tracking in bundled up in long chains of tracking services over many websites. As long as you use a non vanilla browser to access their service, they might have you in their database from a previous tracker that trapped you on one of the many websites that are selling/trading tracking fingerprints. Since a decade it is not about the IP anymore. You can data-triangulate personas and pinpoint them to an existing user-profile with a very high accuracy. It should be possible to visit the threads service with a VPN and a heavy neutered browser. But then again, if your request is to suspicious in its request (thinking tor-browser, command-line browser, etc.) they might put you as well on a detour for a captcha/recognizer that will look harmless in the fronted (“click all the cars!”) but its actual task is processing/scraping a fingerprint from your display-device (browser) that then again can be connected with this suspicious request for the future. I am sure that their VPN block is not 100% blocking Europeans, but will block most of the unsophisticated request from normal users that will just give up after some tries.
Here are some vectors for identifying users (via browserleaks): IP, JavaScript, WebRTC, Canvas, WebGL, Installed Fonts, Geolocation, Feature Detection, SSL certs, content filter.
Edit: I might get some downvotes for this, but iOS has some good protections build into their OS layer (so they say) to make it harder for advertisers to track you. See also this very well done 1 Minute ad showcasing how the modern internet ad industry works.
Not that I’d ever want to touch Threads with a ten-foot pole, but what options would there be to circumvent that sort of intrusion?
Browser containers. Not sure if chrome does it, but Firefox has separate containers that are sandboxed from one another. Make a “Meta” container and only access it from there.
One of the topics I’ve seen become more prevalent in recent years is the idea of limiting your use of privacy addons and softwares, with the aim of trying to prevent your fingerprint becoming too unique.
For example, there are probably a billion users with 21 inch monitors, running Windows 11, browsing on Google Chrome. Providing them with that information just makes you one more in the bunch, but if you stack up privacy addons you end up creating a more easily identifiable picture of yourself through the hole you created by hiding information.
Not really. You have to use browsers that are feature-poor (then again, that makes you ironically again very identifiable). You could use command line browsers that do not leak agents or fonts or stuff like that. Again: Makes you more sus to the ad networks. The best thing - as far as I read about it - is to be a chameleon. Have garbage data that is plausible but vague enough to always stay in a big group of possible profiles. Looks as much as possible like the biggest group of people so you can blend in with the mass, while not raise suspicious behavior. And that continue sly with every request you make to every mainstream website you make. You can see how this is hard enough already. I think there are people out there that might can give you a better answer than me. I try to block as much as possible wherever I go via uBlock Origin and Pi-Hole. But this is only a thin veil. In the end, they have me in their database already since years. But as long as I do not see the actual ad, I hope that I get ranked very low in the bidding process as they must know that I do not see/click those. The average instagram user without a adblocker is much more interesting for them.
Sounds interesting. Do you have a source, or further reading for any of this?
There is a lot out there. You could just start by the wiki entry and then go down the rabbit hole from there. I already linked to browserleaks, that lets you test all the vectors in their uniqueness on your machine. The thing is, that the companies that use those technologies not wish to show their hand, you know. Those things are hidden from the public eye and until now have not leaked in whole. The ad-industry is heavily using those techniques to auction off your page views to the highest bidder. You ever noticed when you go on a website and it takes the ads a second or two to load? That is the time frame where your fingerprint was determined and connected to a profile and then is offered to the ad-services "I have a male, white, mid-30, high income, from new york, looking for past interests [a,b,c], … " and then ad-systems bid against each other to get the spot as they betting on being able to lure you in with their offer and will bet on their chance of converting their bid into a sell of a product. That all has nothing do to with just an IP. This goes waaay beyond that. Just google for this topic or “Fingerprint Analysis” in detail and you can find a lot of stuff. Check out the privacy boards of lemmy to find out more and how to protect yourself - if possible at all.
In 2010, Electronic Frontier Foundation launched a website where visitors can test their browser fingerprint.[14] After collecting a sample of 470161 fingerprints, they measured at least 18.1 bits of entropy possible from browser fingerprinting,[15] but that was before the advancements of canvas fingerprinting, which claims to add another 5.7 bits.
If I’m understanding that correctly, that would give ~14.6 million unique fingerprints just based on your browser. That’s a lot, but also tiny compared to the billions of Meta users. I’m a little skeptical that they would be able to determine a user is from the EU without using IP or cookies.
Edit: If they block users who’s fingerprint matches an EU user, and their IP comes from a known VPN service, then they could likely get pretty good accuracy. I wonder if there are any North Americans getting blocked while using a VPN.
Dont take this the wrong way, but this data is from 2010. It is 13 years old. The iPhone came out in 2007. Android in 2008. The internet and tracking advanced MASSIVELY since then. Google announced in 2020 that they no longer will support 3d party cookies in their own Chrome Browser. You can be sure, that they have advanced their system to a equally/more advanced system that they were doing this step. Allegedly based on advanced Fingerprints. And yes, an IP is still one parameter in tracking. But its not the only datapoint anymore since many years.
There’s only so much information you can get with hardware though. No doubt the software in tracking fingerprints, and matching similar ones has become very sophisticated. However, I wouldn’t be surprised if device fingerprints hasnt increased in diversity much.
On the other hand, maybe they’re using a spectre/meltdown attack to get a MAC address or something. In that case, we’re fucked.
Probably by just looking at the IP address, either due to the IP addresses of the VPNs being public or by the fact that many users are accessing the service through a single IP address
I imagine they just have a blocklist of IP ranges owned by major VPN providers.
Are they afraid of legality and doing something so fishy that there’s no way it would fly in EU?
Or is it just that this day and age it’s expected that VPNs are blocked? Like with Netflix etc.
Facebook isn’t interested in complying to EU’s privacy laws at this point, so they’re blocking it off entirely
