so you think they are confident enough to link somebodies randomly created alias, let's say "InteretDude420" to a real name? What if opened a VR Arcade and owned 100 Oculus Quests and made 100 separate accounts?
>so you think they are confident enough to link somebodies randomly created alias, let's say "InteretDude420" to a real name?
After a certain amount of fingerprinting, absolutely. It's not as if they are solely relying on user-submitted information such as a handle to make that link. And if no link can be made right this second, they can just continue to collect data under "InteretDude420" until they reach a certain amount of confidence to link it to a real identity.
And, even if they get it wrong some % of the time, who would ever notice or find out? Eventually they just get more data and increase the confidence rating for the correlation.
It is surprising how little information (even "anonymized information") is needed to de-anonymize someone. Plenty of papers on the subject if you are curious.
Yes, zip code/geo-location plus a few other points of personal data are often enough to identify an individual. Then tie that to a browser fingerprint and you can tie together all their "anonymous" screen names.
I read recently (or heard in a podcast; can't find the source lamentably) that almost all people can be uniquely identified by the top three locations they spend most time at.
For many targeted / personalized ads purposes you don't really care about the real name. You mostly care about linking hardware / software identifiers (IDFA etc.) to some kind of profile that you attached information to (Likes technology, fashion, classical music,...).
If you make 100 separate accounts and open a VR arcade you are probably just filtered out as an anomaly. It's not about having a 100% coverage, it's about having good enough coverage of most users. Just like filter out bot or ad blocker users as there's still enough regular people.
Considering all the metadata they can collect over indefinite periods of time, with 100% certainty, unless you invest extraordinary effort to give them enough misleading data.
Facebook allegedly buys transaction data (you know like banks and payment processors etc. sell). So they have a browser fingerprint for you via cookies (you know that like and share button on every page on the internet) or just plain JS fingerprinting.
Matching all that data to the real information you just ran through paypal or other merchant (some merchants sell this data directly) is something an intern can do on their first day.
I thought they denied maintaining shadow profiles though? There seems to be some people at FB who actually care about getting this stuff right and doing the right thing but economic forces at this point appear to be pushing most of the company in a very different direction.
A massive number of sites have Facebook tracking built in, since FB pays them a fraction of a penny for each visit it monitors. They don't care what username you're using; they just need to correlative fingerprinting (IP addresses, browser/device profile, any data from other apps installed on the same device, etc).
If you opened that arcade, they'd probably recognize that through a couple hundred different datapoints and use that to further analyze user behavior (For example: Which FB/Instagram users went to your arcade, stayed for a significant amount of time, then left. Of those, which don't already own a Quest -- market to them).
