Say for example that you're an investigating agent in regular contact with someone.
A single data-point wouldn't mean anything. However, a sequence of daily image retrievals might tell you that they spend 90% of their time in WA and 10% of their time elsewhere.
That information alone still might not mean anything, but if you also have a specific suspect in mind, it may help confirm it. Or if you have access to the suspected person directly, if you're able to also befriend their "clean" profile, you might be able to pull the same trick and correlate the two location profiles.
De-anonymisation isn't about single pieces of information, but all information helps feed into a profile to narrow suspects or confirm suspicions.
(By "agent" I just mean a person, not an AI agent nor law enforcement, who could presumably just get the information more directly from Cloudflare.)
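The profiling-and-correlation idea in the comment above, as an added example that is not part of the thread or of the article it discusses. It assumes the observable is the one the technique relies on: after the target's client fetches an image, the attacker requests the same URL through each Cloudflare datacenter and reads `cf-cache-status` (HIT where the target's fetch populated the cache) and the colo suffix of `cf-ray`. The headers below are constructed, the colo-to-region table is a toy mapping for the codes used here, and the function and variable names are the example's own.

```python
"""Turn daily Cloudflare cache probes into a location profile and compare two profiles."""
import math
from collections import Counter

# Toy mapping from cf-ray colo suffix (IATA-style code) to a coarse region.
# Assumed for this example; only the codes used below are covered.
COLO_REGION = {"SEA": "WA", "PDX": "OR", "ORD": "IL", "IAD": "VA", "LAX": "CA", "DME": "RU"}


def parse_probe(headers):
    """Return the colo code from cf-ray if this probe was a cache HIT, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("cf-cache-status", "").upper() != "HIT":  # MISS/EXPIRED/DYNAMIC tell us nothing
        return None
    ray = h.get("cf-ray", "")
    return ray.rsplit("-", 1)[1].upper() if "-" in ray else None


def day_region(probes):
    """Collapse one day's probes (one per colo) into a region; None if no HIT or ambiguous."""
    regions = {COLO_REGION.get(c, "??") for c in map(parse_probe, probes) if c}
    return regions.pop() if len(regions) == 1 else None


def build_profile(days):
    """days: one probe list per day. Returns {region: fraction of attributable days}."""
    counts = Counter(r for r in map(day_region, days) if r)
    total = sum(counts.values())
    return {r: n / total for r, n in counts.items()} if total else {}


def similarity(p, q):
    """Cosine similarity of two region profiles: 1.0 identical mix, 0.0 disjoint."""
    dot = sum(p.get(r, 0.0) * q.get(r, 0.0) for r in set(p) | set(q))
    norm = math.sqrt(sum(v * v for v in p.values())) * math.sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0


def probes_for(hit_colos, all_colos=("SEA", "PDX", "ORD", "IAD", "LAX", "DME")):
    """Constructed probe set for one day: HIT at hit_colos, MISS everywhere else."""
    return [{"CF-Cache-Status": "HIT" if c in hit_colos else "MISS",
             "CF-RAY": f"8f0000000000{i:04x}-{c}"} for i, c in enumerate(all_colos)]


# Constructed observations: an anonymous account, a suspected "clean" account, and a stranger.
ANON_DAYS = [probes_for({"SEA"})] * 9 + [probes_for({"ORD"})]
CLEAN_DAYS = [probes_for({"SEA"})] * 8 + [probes_for({"PDX"}), probes_for({"ORD"})]
STRANGER_DAYS = [probes_for({"IAD"})] * 10

if __name__ == "__main__":
    anon, clean, stranger = map(build_profile, (ANON_DAYS, CLEAN_DAYS, STRANGER_DAYS))
    print(anon)
    print("anon vs clean:", round(similarity(anon, clean), 3))
    print("anon vs stranger:", round(similarity(anon, stranger), 3))
```

Two caveats a practitioner would check before trusting the numbers: a probe that MISSes populates that colo's cache, so each colo must be probed only once per image URL or later probes confuse attacker-caused HITs with target-caused ones; and a day where HITs appear in more than one region (shared links, tiered caching, a second viewer) is discarded rather than guessed, which is why the profile counts only attributable days.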
There's probably at least a few instances where you send someone you think is American a picture but it gets cached in Moscow, or vice versa. Or you post a meme to a Californian left-wing group and it gets cached in DC. Not hard to imagine situations where getting an unexpected rough location could be a valuable signal.
>Or you post a meme to a Californian left-wing group and it gets cached in DC. Not hard to imagine situations where getting an unexpected rough location could be a valuable signal.
Not really. Any public meme group is inevitably going to be monitored by intelligence agencies, and you should assume as much. Even if it isn't, I can imagine agitators from the other side joining the group with a Russian VPN to poison the well. If there's a private group of people that you supposedly trust, any competent mole is going to be using a device/network-level VPN to cover their tracks. Otherwise they're 1 click away (e.g. if someone shared a link) from an opsec fail.
I would bet money almost no public meme groups are monitored by any intelligence agencies. And the few that are, are mostly only in the sense of being casually co-opted by state-sponsored trolls, with almost no attention from actual intelligence-agency staff (in the way this thread implies, with investigations and deanonymization and such).
I'm sure they're "monitored by intelligence agencies" in the sense of having a line in a database/report somewhere (that probably no-one reads). If the technique mentioned in TFA can be used automatically (and I see no reason it shouldn't) then it will probably be incorporated in due course (if it hasn't been already) - it doesn't have to be 100% accurate, it's just one more datapoint to add to the mix.
You don't have to "befriend" them. You send a friend request, because that defaults to a push notification for users with the Discord app on their phone. Now, with Signal, I don't use it so I don't know how initial chats start, or whatever. The Discord one is 0-click because the PFP in the friend request is the payload delivered via push.
And to someone else's point - they had to block the request on their end with a MITM to do the 1-click version on signal. No such MITM is needed with the friend request.
As an aside, one time I got doxxed hard in an IRC channel with several hundred active users. I had a suspicion of who it was, and I knew they lived in Chicago. So I "accidentally" sent a link to "screenshot proof" that was hosted on one of my domains. There was 1 immediate click. Instant. Chicago. "Accidentally" because it looked like I pasted an email body.
Packed the real screenshot and a complaint to the IRC admin. They said "and so you dox them back?"