Yes, ISPs can still track but the other websites-that-are-not-the-ISP that depend on logging unique ip addresses for tracking can't identify you behind a CGNAT. My previous comment about how CGNAT can be another layer of privacy for things like torrents: https://news.ycombinator.com/item?id=38176079
EDIT reply to: >Sure except for the like 800 other metrics they use to track you besides IP lol. Advertisers
My comment was specifically talking about those websites that depend on ip addresses and not fingerprinting. Examples are torrent trackers, torrent honeypots, and Wikipedia articles' edits history where their server logs keep track of ip addresses instead of browser fingerprints. CGNAT will make users more anonymous in those situations. Lawsuits and subpoenas from RIAA and movie studios against torrenters for copyright infringements were filed against ip addresses and not browser fingerprints.
As for Google/Facebook sophistication levels of browser fingerprints tracking and surveillance, I'm not so sure how paranoid I should be about it because they still think I'm in Idaho because I happen to open my laptop in a hotel one time there 10 months ago.
No one “depends” on IP addresses. Wikipedia could very easily (and likely does) use browser fingerprints for some things. They don’t serialize to something human-readable, though, so I wouldn’t expect them to appear anywhere but debug interfaces.
IPs haven't been a viable way to ban or identify people since the early 00's. For sure with the launch of AWS, and the ease of swapping IPs there. It's been laughably easy to swap source IPs on requests for at least a couple of decades.
I think the only people you’re getting privacy from is people who didn’t really care enough to invade it in the first place.
>IPs haven't been a viable way to ban or identify people since the early 00's.
You are factually wrong. Copyright holders have successfully won lawsuits as recently as 2023[1] by starting the process via subpoena of ip addresses from ISPs. The steps are:
1) obtain the ip addresses of anonymous users torrenting your intellectual property. (Because the studios monitor torrent trackers for ip addresses.)
2) Connect a real name to that ip address by having a court subpoena the ISP to reveal the owner of the ip address. If the ISP subscriber on the account is not the actual infringer, ask the owner of the account (via a court deposition) to further identify the actual user (e.g. a spouse, a roommate, etc)
3) get a financial settlement or judgement against that person
That type of identity unmasking doesn't happen with CG-NAT or other shared NAT scenarios like libraries/airports because the torrent trackers' logs only have granularity of ip addresses, which is useless when a thousand people share it.
You just have to have the source port as well as IP instead of just the IP (which the MPAA et al surely gather). CGNAT is basically just port-based DHCP; it still has to keep an inventory of what ports are available, practically requiring the ability to tell who was using what port at what time.
Even from a first-principles perspective, if they can't identify subscribers for relatively benign things like piracy, they also can't do it for something like CP. Those logs 100% exist, if only so the telecom has something to turn over when the FBI comes looking for pedophiles.
And yet that very tooling will detect if a hard-blocked user tries to log in from a new IP address and block that new IP address. It's almost like IP address blocking doesn't work very well...
You're of course free to do what you want, but it seems naive to me to assume that anyone operating even a moderately popular site isn't browser fingerprinting. Even if the site isn't, CloudFlare will if they use CloudFlare (and I wouldn't be surprised if other CDNs).
Yes, CGNAT can't give you any protection against state actors.
But if you are NOT under criminal investigation, having an IPv6 address lets every single server on earth know who you are so they can correlate and profile you. That's happening with or without IPv6 of course, but is much less reliable through CGNAT - and essentially useless through a CGNAT if you have proper fingerprinting/cookie/js/3rd party protection. But if you HAVE IPv6, there is nothing you can do to remain anonymous except e.g. Tor.
I got kind of curious how UDP works with CGNAT, and in my travels I found this on the Wikipedia page [1]:
> STUN does not work with symmetric NAT (also known as bi-directional NAT) which is often found in the networks of large companies. Since the IP address of the STUN server is different from that of the endpoint, in the symmetric NAT case, the NAT mapping will be different for the STUN server than for an endpoint. TURN offers better results with symmetric NAT.
Not sure if that's related or if you're even having issues, but figured I'd drop it since I found it.
As for the privacy aspect, are you CGNAT'ed? My understanding is that bidirectional UDP streams generally don't work with CGNAT unless your ISP adds a proxying service that can construct "sessions" out of those packets. E.g. for DNS, you can proxy it across the CGNAT by having the DNS proxy record the transaction ID and the internal IP/port that requested it, and then looking for that txid in UDP packets coming to the DNS relay to forward it.
The solution I usually see for getting UDP across CGNAT is TURN, but then you're making a TCP connection which can be tracked by port easily.
I just can't see any way for an ISP to proxy UDP packets without knowing which subscriber they're going to. It seems like trying to make a router route without any routing tables; I just don't see how your ISP can forward that packet to you without knowing it's going to you.
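The two points made above (the earlier comment's "CGNAT is basically just port-based DHCP" with an inventory of who held which port when, and this comment's observation that the ISP cannot forward an inbound packet without knowing which subscriber it belongs to) both come down to the same translation table. The following toy translator is an added illustration, not code from the thread or from any ISP's equipment; the subscriber addresses (RFC 6598 shared space), the public address (RFC 5737 documentation range) and the clock values are all constructed. It keeps a timestamped allocation log, reuses released ports, and exposes two queries: what a log keyed on IP alone can say (every customer who ever shared the address) versus what IP + port + time resolves to (one customer).

```python
# Added illustration (not code from the thread or from any ISP): a toy CGNAT
# translator whose port inventory doubles as the attribution log.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed address from the RFC 5737 documentation range


@dataclass
class Mapping:
    subscriber: str            # customer-side address (RFC 6598 shared space, constructed)
    internal_port: int
    public_port: int
    start: int                 # allocation time in seconds (constructed clock)
    end: Optional[int] = None  # None while the mapping is live


class Cgnat:
    """Many subscribers share PUBLIC_IP; each flow is told apart by its public port."""

    def __init__(self, first_port: int = 1024, last_port: int = 65535) -> None:
        self.next_port = first_port
        self.last_port = last_port
        self.free: List[int] = []            # released ports, reused first (LIFO)
        self.live: Dict[int, Mapping] = {}   # public_port -> active mapping
        self.log: List[Mapping] = []         # every allocation, with start/end times

    def outbound(self, subscriber: str, internal_port: int, now: int) -> Tuple[str, int]:
        """Translate an outbound packet, allocating a public port on first use."""
        for m in self.live.values():
            if m.subscriber == subscriber and m.internal_port == internal_port:
                return PUBLIC_IP, m.public_port
        if self.free:
            port = self.free.pop()
        elif self.next_port <= self.last_port:
            port = self.next_port
            self.next_port += 1
        else:
            raise RuntimeError("public port pool exhausted")
        m = Mapping(subscriber, internal_port, port, now)
        self.live[port] = m
        self.log.append(m)
        return PUBLIC_IP, port

    def inbound(self, public_port: int) -> Optional[Tuple[str, int]]:
        """Reverse-translate a packet arriving at PUBLIC_IP:public_port.
        Without this table the ISP could not deliver the reply at all."""
        m = self.live.get(public_port)
        return (m.subscriber, m.internal_port) if m else None

    def expire(self, public_port: int, now: int) -> None:
        """Close a mapping; the port returns to the pool, the log keeps its end time."""
        m = self.live.pop(public_port)
        m.end = now
        self.free.append(public_port)

    def who_had(self, public_port: int, at: int) -> List[str]:
        """Attribution query: subscriber(s) holding public_port at time `at`.
        Port plus timestamp narrows a shared address down to one customer."""
        return [m.subscriber for m in self.log
                if m.public_port == public_port
                and m.start <= at and (m.end is None or at < m.end)]

    def subscribers_behind(self) -> List[str]:
        """What a log keyed on IP alone can say: every customer who ever used it."""
        return sorted({m.subscriber for m in self.log})


def demo() -> Cgnat:
    """Three constructed subscribers; port 1025 is reused after subscriber B leaves."""
    nat = Cgnat()
    nat.outbound("100.64.0.11", 51000, now=100)   # subscriber A -> port 1024
    nat.outbound("100.64.0.42", 51000, now=101)   # subscriber B, same internal port -> 1025
    nat.expire(1025, now=200)                     # B's flow ends, 1025 goes back to the pool
    nat.outbound("100.64.0.77", 40000, now=210)   # subscriber C reuses port 1025
    return nat


if __name__ == "__main__":
    nat = demo()
    print("by IP alone       :", nat.subscribers_behind())
    print("port 1025 at t=150:", nat.who_had(1025, 150))
    print("port 1025 at t=250:", nat.who_had(1025, 250))
    print("inbound to 1025   :", nat.inbound(1025))
```

The port reuse is the part worth noticing: the same public port belongs to different customers at different times, so a tracker log that records only the address is ambiguous, one that records address and port is ambiguous across time, and only address, port and timestamp together match what the translator itself must keep in order to route inbound traffic.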
For many people, that’s true. But not for those who care. The other metrics are under my control, and I actively scramble them to uselessness. An IP address … I can’t do much about.
For every ISP serving my area, it is indeed a "per customer, immutable" prefix. IIRC, some have a 96-bit prefix, some have a /64, but that's the kind of thing that a "maxmind" style database of prefix length per ISP lets you nail down easily -- if those databases don't already exist today, they will soon.
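To make the "prefix length per ISP" idea concrete, here is an added example (not from the thread) of how a server-side log would collapse rotating IPv6 addresses back to a per-customer key. The allocation table standing in for the "maxmind style" database is constructed, as are the sample addresses (all in the 2001:db8::/32 documentation range); the point it shows is that privacy-extension addresses rotate the interface identifier while the delegated prefix stays put.

```python
# Added example (not from the thread): derive a stable per-customer key from
# rotating IPv6 addresses. ISP_ALLOCATIONS is a constructed stand-in for a
# "maxmind style" database of per-customer prefix length.
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed: which ISP owns which allocation and how long its per-customer prefix is.
ISP_ALLOCATIONS = {
    ipaddress.ip_network("2001:db8:1000::/36"): ("isp-a", 64),   # hands each customer a /64
    ipaddress.ip_network("2001:db8:2000::/36"): ("isp-b", 56),   # hands each customer a /56
}


def customer_prefix(addr: str) -> str:
    """Return the per-customer prefix for addr, or the bare address if the ISP is unknown."""
    ip = ipaddress.ip_address(addr)
    for block, (_isp, plen) in ISP_ALLOCATIONS.items():
        if ip in block:
            # strict=False drops the host bits (the rotating interface identifier)
            return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    return str(ip)


def correlate(visits: List[str]) -> Dict[str, List[str]]:
    """Group addresses seen in a server log by customer prefix."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in visits:
        groups[customer_prefix(a)].append(a)
    return dict(groups)


# Constructed log lines: two privacy-extension addresses from one isp-a customer,
# two from one isp-b customer, one from an unknown allocation.
SAMPLE_VISITS = [
    "2001:db8:1000:42:1a2b:3c4d:5e6f:7080",
    "2001:db8:1000:42:dead:beef:cafe:1",
    "2001:db8:2000:ab00:1::1",
    "2001:db8:2000:ab07::5",
    "2001:db8:3000::1",
]

if __name__ == "__main__":
    for key, seen in correlate(SAMPLE_VISITS).items():
        print(key, "->", len(seen), "visit(s)")
```

Rotating the low 64 bits does nothing against this grouping; the defensive counterpart is what the thread already names, a relay such as Tor or a NAT that many customers share, because only then does the prefix stop mapping to one household.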
Yes, browser fingerprints and "device behavior" heuristics etc demonstrated at https://amiunique.org/ and https://fingerprint.com/blog/browser-fingerprinting-techniqu... ... also exist but that's not what my reply was about.