It Takes Just $1,000 to Track Someone’s Location With Mobile Ads
When you consider the nagging privacy risks of online advertising, you may find comfort in the thought of a vast, abstract company like Pepsi or Nike viewing you as just one data point among millions. What, after all, do you have to hide from Pepsi? And why should that corporate megalith care about your secrets out of countless potential Pepsi drinkers? But an upcoming study has dissipated that delusion. It shows that ad-targeting can not only track you at the personal, individual level but also that it doesn’t take a corporation’s resources to seize upon that surveillance tool—just time, determination, and about a thousand dollars.
A team of security-focused researchers from the University of Washington has demonstrated just how deeply even someone with modest resources can exploit mobile advertising networks. An advertising-savvy spy, they’ve shown, can spend just a grand to track a target’s location with disturbing precision, learn details about them like their demographics and what apps they have installed on their phone, or correlate that information to make even more sensitive discoveries—say, that a certain twentysomething man has a gay dating app installed on his phone and lives at a certain address, that someone sitting next to the spy at a Starbucks took a certain route after leaving the coffee shop, or that a spy’s spouse has visited a particular friend’s home or business.
“Regular people, not just impersonal, commercially motivated merchants or advertising networks, can exploit the online advertising ecosystem to extract private information about other people, such as people that they know or that live nearby,” reads the study, titled “Using Ad Targeting for Surveillance on a Budget,” which will be presented at the Workshop on Privacy in the Electronic Society in Dallas later this month.
The University of Washington researchers didn’t exploit a bug or loophole in mobile advertising networks so much as reimagine the motivation and resources of an ad buyer to show how those networks’ intentional tracking features allow relatively cheap, highly targeted spying.
“If you want to make the point that advertising networks should be more concerned with privacy, the bogeyman you usually pull out is that big corporations know so much about you. But people don’t really care about that,” says University of Washington researcher Paul Vines. “But the potential person using this information isn’t some large corporation motivated by profits and constrained by potential lawsuits. It can be a person with relatively small amounts of money and very different motives.”
The research team used 10 Moto G Android phones for testing, a mobile banner ad they created, and a website that served as the landing page if someone clicked on the ad. Then they spent the minimum $1,000 deposit to place orders with a so-called demand-side platform—think Facebook, Google AdWords, MediaMath, Centro, Simpli.fi, and others—that allows ad buyers to specify criteria like where their ad appears, for which unique phone identifiers, and in which apps. (They declined to reveal which specific DSP they tested, arguing that nothing about that platform was more intrusive than many others in the industry.)
They then used that DSP to place a geographic grid of location-targeted ad buys around a 3-mile-square section of Seattle, which for their tests they set to appear on the popular ad-supported calling and texting app Talkatone.
Every time a target phone had Talkatone open near one of the coordinates the researchers had set on their grid of ad buys, the ad would appear on it, the researchers would be charged 2 cents, and they’d receive confirmation from the DSP of approximately where, when, and on which phone the ad had been shown. With that method, they they were able to follow their test phones’ locations within a range of about 25 feet any time the phone user left an app open in one location for about 4 minutes or opened it twice in the same location during that time span. They registered just a 6-minute delay in the ad network’s real-time reporting of the phone’s location. Following a human test subject carrying each test phone over seven days, they were able to easily identify the person’s home and work address, based on where their target stopped. (See the map above.)
“You’re using whether or not your ad gets served as an oracle to tell you whether or not an event happened: that this particular device was at this location,” Vines says. They note that the DSP they used never flagged their behavior as unusual or cut off their account for attempting targeted surveillance.
That tracking method has a couple of serious limitations. The target would have to have a certain app open on their phone at the time they’re being tracked, so that the ad can appear. And to track a specific phone, any ad-buying spy would have to know a unique identifier of the target phone, known as a mobile advertising ID, or MAID.
“It’s not a particularly high bar to entry for a very, very highly targeted attack,” says Adam Lee, a professor at the University of Pittsburgh who reviewed the University of Washington study.
‘It’s not a particularly high bar to entry for a very, very highly targeted attack.’
Adam Lee, University of Pittsburgh
A domestic abuser could, for instance, obtain a spouse’s MAID from their home network, and then use it to closely track him or her by placing ads in apps he or she uses frequently. A person on a laptop at a nearby table at Starbucks could steal your MAID when you connect your phone to Wi-Fi, or a coworker could do the same in the office, and then either could receive periodic pings of your location whenever you see an ad they’ve placed. Or an ad buyer could use active-content ads to gather the MAIDs of the people at a specific location, like a protest, or users of a potentially sensitive app like gay-dating apps or religious apps—plus other demographics provided by ad networks—and then track those targets’ movements. (The researchers found that their DSP did in fact allow them to place location-based ads on the most popular gay-hookup app, Grindr, though they didn’t test whether it implemented other protections to prevent continuous location tracking of users. Grindr didn’t immediately respond to WIRED’s request for comment on the researchers’ work.)
Even without obtaining a MAID, some broader spying remains possible. The researchers say they were able to count the number of people with the Grindr app or the Muslim-focused app Quran Reciter installed at a target location without knowing any unique identifiers.
There’s no simple fix for the targeted surveillance that mobile ad networks enable, the Washington researchers say, without reducing ad networks’ fine-grained tracking ability in general. But they hope that their findings will at least draw attention to the surveillance capabilities of ad networks, beyond the amorphous notion of companies gathering data about users en masse.
“This is so easy and it’s industrywide,” says Tadayoshi Kohno, a computer science professor at the University of Washington who worked on the study. “We want to enable a broader conversation about the risks of online advertising when anyone can become the adversary.”
DSPs could, perhaps, attempt to detect and block advertising that’s targeted at the individual level or that seems designed specifically to track a particular user. More ad networks need to collect MAIDs over encrypted connections, protecting them from interception, they say. And more experimental tools like differential privacy could make it possible to collect data from large groups of users while masking the sensitive details of any one person.
And in the meantime, for users who’d rather not become a target of that individualized ad-spying? Perhaps consider which ad-supported apps you use, when you use them, and what they reveal about you. It may be worthwhile to pay for the premium version of that gay-hookup app rather than allow it to be populated with ads that can potentially track your sexual orientation and location. Every ad that you see on your smartphone, after all, can in some sense see you too—and so can the unknown entity that paid for it.