I want to preface this by saying that yes, I know that Instagram is bad. I am planning to get rid of it in the future but as of now I have to keep it for communication with people who are only on that platform.
So I have grapheneOS, use protonvpn (free version), use mull as my browser, and do not have google play services enabled on my phone. I do have some apps downloaded through aurora store such as Instagram, whatsapp, mychart, and mint mobile, but the rest came from f-droid.
I have noticed multiple times that after having private conversations on matrix, I get Instagram content in my feed that is scarily accurate to the conversation I had on the other platform immediately after. I know that things discussed in Instagram direct messages and group chat will give suggested content based on those conversations, but I get stuff that that is very specific to what I have ONLY discussed on matrix and didn’t look up via my browser.
So my question is how is Instagram doing this and what can I do to mitigate the spying it’s doing on my other apps. Thanks.
IG is on the primary profile.
You’ll want to consider isolating IG from your primary profile, to start. The above user’s suggestion hits the nail on the head.
Once the profile ks created, and you’ve installed IG, you’ll want to deselect the option in your Manage Profiles settings on GrapheneOS to ‘Allow running in the backgroud.’ This way, you can ensure the app is entirely stopped until you want it open.
Another consideration may be to turn off your Bluetooth when it’s not in use, as well: BT emits an ‘address’ of sorts that, if another IG user has enabled BT access on their IG app, may be able to detect your phone and track a conversation knowing you are in the other user’s vicinity.
This will be able to do cross site (apps) information collection within other sites (apps) in this profile. The way this works is one of many, and complicated so: https://blog.mozilla.org/en/products/firefox/cross-site-tracking-lets-unpack-that/
The idea of profiles is to stop this behaviour and other behaviours through isolation. Along with other practices makes up a privacy-in-depth (layered) approach. It doesn’t solve everything.
For example if you are in the same house sharing an internet connection, it is possible to say “at least one outstation in this house (IP) are interested in ‘x’ and therefore I should target everyone in that house because people who live together are interested in similar things”. Even if you isolate, you could still teach a data hoarding company like meta you like something simply by them by necessity needing your IP to communicate.
Some people try to say ‘I’ve got a VPS with a VPN to communicate all traffic through’ but that doesn’t add any privacy, your exposed VPS with its IP is an IP only for you and still all collected information about you would be able to be thumbprinted to that IP across many services (eg instagram whatsapp and Facebook). A public VPN provider in this case adds a layer of obfuscation since you can change your IP rapidly and it’s an IP that’s shared with other unrelated users. Which is exactly why many services like reddit are banning access from them under the guise of “oh training data leaks from VPN, and we want to sell it” bs.
Anyway it’s a tough world out there to be private. I’m at an age where after 10 years without Facebook and I never had instagram, everyone knows I’m contactable via sms. It’s not secure, it’s barely private, but I don’t really “chat” except at the pub. So that’s where they ask me to visit. Lol.