How individuals can use online ad buying to spy on you

We’re used to corporate ads following us around – from a brief visit to the online flip-flop emporium to Facebook to Slashdot to “will you please get out of my face, retailer who’s clinging to my flirtation with rubber footwear?”

It’s more annoying than scary. Who takes it personally? They’re only soulless corporations behind those ads, right? Yes, tracking from advertisers grows more and more granular all the time, but it’s not like they’re stalking our physical location or winkling out our secrets by looking at where we go and the apps we use, right?

Maybe not, but it’s actually quite doable, by stalkers as easily as corporations.

Researchers have set themselves the task of stalking individuals by using an advertising network to track people and extract information about them, including their location. They succeeded. It cost them a measly $1000. That’s all an attacker needs, plus a website for ads to direct to.

In a paper (PDF) put out by the Security & Privacy Lab at at the University of Washington’s Paul G. Allen School of Computer Science & Engineering, researchers describe how somebody can use a targeted advertising system to conduct physical and digital surveillance of targets that use smartphone apps with ads.

Which targeted advertising system? All of them, pretty much. From the team’s FAQ about their research:

Our results – both our experiments with one advertising network and our survey of many others – point to an an industry-wide issue. We therefore choose not to single out the specific advertising network through which we purchased our ads.

The researchers bought targeted ads on what’s known as a demand-side supplier (DSP) – in other words, an advertising platform such as AdRoll, Choozle, MediaMath, MightyHive, Tapad, Google AdWords, Facebook, MediaMath or Centro. That’s where the $1000 went to: it was a deposit with a DSP.

All of those platforms give ad buyers the ability to deliver targeted ads to individuals. But that delivery is a two-way street: they also suss out an incredible wealth of data about a targeted device, including when the ad is viewed. Also, all but one of the DSPs the researchers looked at allow some form of location-based targeting, be it basic (restricted to city and ZIP code) or more granular.

Sixty percent of DSPs use what’s called “hyperlocal” location targeting. The DSP they chose could get as close to their surveillance targets as four to 11 meters, depending on latitude.

The researchers used ten Moto-G Android smartphones and concocted new-user accounts for fake 27-year-old female users. They connected the devices to local Wi-Fi networks, downloaded the apps that would display the ads, and also downloaded apps to capture the devices’ network and GPS data.

The app they focused on was the most popular one that the researchers could serve ads to through their DSP: Talkatone, a free calling and texting app. Then, they made location-targeted ad buys in a grid around a 3-mile square section of Seattle that would display through Talkatone.

Whenever one of their target phones had Talkatone open near one of the coordinates set on their grid of ad buys, the ad popped up, the researchers would be charged 2 cents, and the DSP would send confirmation of approximately where, when, and on which phone the ad had been shown.

With that method, they found that they were able to follow their test phones’ locations within a range of about 26 feet any time the phone user left an app open in one location for about four minutes, or if they opened it twice in the same location during that time span.

Over the course of a week, the University of Washington researchers found they could easily identify a target’s home and work address, based on where they stopped. They could also, of course, detect what apps the ads are served on.

Some of those apps can be sensitive. The researchers only tested the gay dating app Grindr, but this type of surveillance – they call it ADINT, similar to SIGINT in signals intelligence – can be done with a host of other sensitive apps, including other dating apps, torrent apps, or those affiliated with religions, such as Quran Reciters.

In order for this tracking method to work, the target has to have a certain app open on their phone at the time they’re being tracked. Otherwise, the ad won’t show up. Ad-buying spies also have to know a phone’s unique advertising identifier, which is known as a Mobile Advertising ID (MAID).

But the researchers say that those limitations are simple to bypass. All it would take to surmount the first limitation would be to buy ads on a range of popular apps, which would at least increase the chances that somebody might have one of the apps open when they get within range.

There are also multiple ways to get a phone’s MAID: an attacker can get the identifier if a target clicks on any of their earlier ads; it can also be potentially exfiltrated via JavaScript; or it can be purchased online.

Wired offered a few potential, theoretical attacks:

A domestic abuser could, for instance, obtain a spouse’s MAID from their home network, and then use it to closely track him or her by placing ads in apps he or she uses frequently. A person on a laptop at the next table over at the Starbucks could steal your MAID when you connect your phone to Wi-Fi, or a co-worker could do the same in the office, and then either could receive periodic pings of your location whenever you see an ad they’ve placed. Or an ad buyer could use active-content ads to gather the MAIDs of the people at a specific location, like a protest, or users of a potentially sensitive app like gay-dating apps or religious apps – plus other demographics provided by ad networks – and then track those targets’ movements.

If somebody has $1000 to spend on spying on you they likely have better options. Nevertheless academic research like this tends to do just enough to make its point and, understandably, doesn’t concern itself with refining or optimising the attack into something more practical.

They have succeeded in pointing out a weakness others might exploit or build upon though.

So, if you’re concerned, how can you protect yourself? The researchers say that if you care about your privacy, you should consider resetting your MAID. Here’s how to do it on an iPhone, and here’s how to do it on an Android. Also, you may want to turn off location access to apps on your phone: here’s how on iPhone, and here’s how on Android.

Wired had another good option: think about ponying up the money for a premium, ad-free experience.