Not really. It's only true if the bits are uncorrelated, and you can acquire additional bits of information. I don't see how you can go from "this guy on the internet lives near Albuquerque, New Mexico" to "this guy is Walter Hartwell White, and lives at 308 Negra Arroyo Lane, Albuquerque, New Mexico, 87104" without massive opsec failures.
If you want to extend the analogy, Gus Fring's threat model for RFP contractors at the superlab required flying people into the United States and driving them for days before reaching the final destination. i.e. If you aren't selected for the final proposal, the most you should know is the lab is "somewhere reachable by driving from the United States".
Locating the superlab to within 800 miles would break Gus' threat model.
Combined with the information the police have, which is that a new form of "blue meth" is spreading across the American southwest, a reasonable conclusion would be that the "underground superlab" is where the meth is being manufactured. It's independent corrobation of a major manufacturing operation occurring in the United States in the exact region where a new drug is taking off.
This is useful, since it helps rule out the meth being smuggled in from Mexico. It also makes the lab a high priority target, because a DEA agent investigating doesn't need to liaise with a foreign government, and you can secure a domestic prosecution + American prison time instead of attempting to extradite the cooks.
It also allows me to send a detailed memo about the superlab to ASAC Schrader's office in Albuquerque telling him about a threat in his jurisdiction, rather than circulating a brief summary about this superlab in the weekly intelligence briefing sent to all high-ranking DEA officials they probably don't read.
You can plot the timestamps of every message, read receipt and emoji reaction, which gives you the timezone and hints at work schedule, commute duration and vacations.
Often people will post photos or have profile pictures.
Say you have a photo taken at a random mcdonalds. That'd be 36'000 locations. Imagine cloudflare location and timezone help you narrow it down to new mexico. That's 80 locations. Small enough that you can look at every single one using street view and check where the photo actually was taken.
Now you can subpoena the McDonald's cctv footage and figure out who sent that picture.
You can almost certainly narrow down the McDonalds with a wide variety of things - this example is fairly contrived.
If you can see outside of the McDonalds for street view to be usable, you're almost certainly able to determine what country it is in, and potentially the exact location, depending on what is visible outside.
If it's a picture that shows the menu, well, street view isn't likely to be super useful, but you'd have a trivial time figuring out what country it is in at that point - menus vary from country to country, even when they are still in English.
New Mexico has relatively few McDonald's restaurants because New Mexico has a fairly low population - only 2.1m for the whole state. With that in mind, it seems unlikely that that Cloudflare has a close enough POP for you to be able to specifically decide it's NM.
If I can see enough for Street View to be able to confirm location, it seems like I can just search via the data there and get far more narrowed down results. If I can see a Burger King and a Best Buy outside from the picture, I can just use one of the many mapping services with APIs to get a list of all McDonalds locations within a tenth of a mile of a Burger King and Best Buy and look through a smaller list. If I'm confident of the time zone, like you suggest we should be able to be, then that's an even smaller list.
I'm not saying this attack is useless by any means, but I don't see a world where the sharing of the pictures to begin with isn't the most significant opsec failure and doesn't open you up to being de-anonymized in a myriad of other ways.
>Often people will post photos or have profile pictures.
>Say you have a photo taken at a random mcdonalds. That'd be 36'000 locations. Imagine cloudflare location and timezone help you narrow it down to new mexico. That's 80 locations. Small enough that you can look at every single one using street view and check where the photo actually was taken.
Sounds like the bigger opsec failure is posting the pictures, and the leaking the cloudflare POP only makes the search slightly easier.
Repeat the attack daily for a few weeks and you might get a pattern of movement. Of course if the target hasn’t left their general area then this won’t help. But if you’re a nation state watching a target move between multiple international locations, you could match this up with passport travel data to significantly reduce the anonymity set.
Seems contrived. What type of a person cares about deanonymization attacks and nation-states trying to find him, but doesn't have an always-on VPN? Even without this attack, not using a VPN means you're 1 wrong click/tap away (if you accidentally clicked on a link) from leaking your IP.
Right, agreed that VPN is the primary mitigation against this from a user perspective. But opsec is hard, especially when the attack can be triggered by a notification when the victim might not be expecting it and might not have VPN enabled (e.g. maybe they only enable VPN when using Discord).
(But notifications are already a bad idea for opsec anyway.)
That's why the attack is contrived. If you have poor opsec you don't need need this attack at all. You can probably get the victim's exact IP by getting him to click on a link, or sending him an email. If he has good opsec he's going to be using a VPN that renders this attack useless. For this attack to be valuable you need a guy who has such good opsec that you can't get his location any other way, but for whatever reason isn't using an always-online VPN.
