Slashdot Mirror

← Back to Stories (view on slashdot.org)

For Under $1,000, Mobile Ads Can Track Your Location (mashable.com)

Posted by EditorDavid on from the I'll-be-seeing-you dept.

"Researchers were able to use GPS data from an ad network to track a user to their actual location, and trace movements through town," writes phantomfive. Mashable reports: The idea is straightforward: Associate a series of ads with a specific individual as well as predetermined GPS coordinates. When those ads are served to a smartphone app, you know where that individual has been... It's a surprisingly simple technique, and the researchers say you can pull it off for "$1,000 or less." The relatively low cost means that digitally tracking a target in this manner isn't just for corporations, governments, or criminal enterprises. Rather, the stalker next door can have a go at it as well... Refusing to click on the popups isn't enough, as the person being surveilled doesn't need to do so for this to work -- simply being served the advertisements is all it takes.
It's "an industry-wide issue," according to the researchers, while Mashable labels it "digital surveillance, made available to any and all with money on hand, brought to the masses by your friendly neighborhood Silicon Valley disrupters."

29 of 52 comments (clear)

  1. HTML5 GEO Function can be abused? *GASP* by Anonymous Coward · · Score: 1

    Seriously everybody said this would happen if it was made available and sure enough it has been.

    1. Re:HTML5 GEO Function can be abused? *GASP* by Z00L00K · · Score: 2

      And did someone pay attention to what happens to the URL of the linked article when you open it?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:HTML5 GEO Function can be abused? *GASP* by wyHunter · · Score: 1

      And 'privacy and civil liberties experts are concerned!' ooohhh, I feel so much better.

  2. And advertisers wonder... by Whatsmynickname · · Score: 5, Insightful

    ...why adblocking is so popular?

    1. Re:And advertisers wonder... by hcs_$reboot · · Score: 1

      Geo location is not the main reason people use ad blockers (not sure most people would even care about that).

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:And advertisers wonder... by Z00L00K · · Score: 2

      But it's an added bonus.

      $1000 for locating a certain individual seems expensive if you follow what's in the article.

      I suspect that the cost of a single tracking is less than $1. It's the use of a tracking ad that costs $1000, but then you can target more than one individual, more likely 1000 individuals several times.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  3. Nothing To... Hmm... by mentil · · Score: 2

    Apps given access to your GPS can pass that data on to advertisers. Evil Stuff (tm) can then be done with that data. I would say "nothing to see here" but I'm surprised that ads can be customized to only be shown to devices with a specific ID at a specific GPS location. The chances someone will sniff your MAID, and know the ad networks of the apps you leave running that have location access, seems really low though. I imagine the more reputable (i.e. common) ad networks will/already prohibit such specific targeting.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Nothing To... Hmm... by jarkus4 · · Score: 2

      From the whitepaper:
      "Cookies/MAID. Every DSP allows targeting users based on cookies
      or mobile advertising ID (MAID). Either of these could be obtained
      by an ADINT attacker if the user ever clicks on their ad.
      They can also be obtained from sniffing network traffic. Finally,
      active ad content (see below) can be used to potentially acquire
      either identifier."
      Also Facebook allows targeting by email with minimum of 20 addresses.
      "(...) these minimums can be
      circumvented; we conducted a preliminary experiment and found
      uploading 19 entirely spurious email addresses (not even connected
      to fake Facebook accounts) allowed us to target ads at a test user"

    2. Re:Nothing To... Hmm... by phantomfive · · Score: 4, Insightful

      I imagine the more reputable (i.e. common) ad networks will/already prohibit such specific targeting.

      No. I've worked in ad-tech, and I can tell you the answer is no. There is absolutely no motivation for ad companies to even think about this problem beyond a token effort.

      Ad companies have every motivation, indeed they have people paying them to give them as much information about a person as possible. This isn't even a new thing: decades ago you could buy mailing lists with names, addresses, gender, and income.

      --
      "First they came for the slanderers and i said nothing."
  4. Ad-blockers can't prevent 'em from tracking you by Anonymous Coward · · Score: 2

    Believe it or not, they can track you _even_ if you have ad-blocker installed

    The ad does not have to appear fully on screen , (or be successfully downloaded in full)

    All it needs is to have the GEO function invoked (with the help of your smartphone's embedded GPS feature) to send back your _current_ location before the ad-blocker wakes up, and block it

  5. Re: How associate ad with someone? by lucm · · Score: 2

    Ip address of phone downloading the unviewed ad.
    Or nearest fell tower.
    Browser fingerprinting and cookies do the rest.

    The ip address, browser fingerprinting or cookies don't give the actual user location. As for the nearest "fell" tower, you don't get that information from ads.

    There's the HTML 5 api but it will pop in your face telling you that XYZ is asking for your location.

    So as it's indicated in the summary, the only context where this "hack" could work would be in native apps when the user has given permissions to get his location. If someone allows ad-supported apps to track them, they deserve to be stalked.

    --
    lucm, indeed.
  6. Re:You realize... by lucm · · Score: 3, Informative

    As for me, I think I'm going back to a dumb-phone, or at the very least, switching to airplane mode whenever I'm not actively using the internet.

    If you look at the F-Droid repo, you'll find plenty of open-source apps that can help you control this kind of thing. For instance: https://f-droid.org/en/package...

    --
    lucm, indeed.
  7. Re:How associate ad with someone? by jarkus4 · · Score: 1

    from whitepaper (Mobile Advertising ID):
    -"sniff network traffic of target devices to obtain the MAID, which is often sent to ad-exchanges
    unencrypted"
    - "attacker can also obtain the MAID if the target clicks on any of the attacker’s earlier ads"
    - "exfiltrated via JavaScript in ads in some major ad-libraries"

  8. Tracking is totally the problem with ads by evanh · · Score: 4, Insightful

    Tracking in general is certainly the reason for me. Binning the actual ads is incidental except for the whole personalised aspect of ads. This is the tracking part in action of course.

    What's wrong with simply making the ads subject related rather than that who is looking? What the user is looked for/at at that moment should be more than enough to make a targeted ad without it being personalised.

    1. Re:Tracking is totally the problem with ads by drew_kime · · Score: 1

      What the user is looked for/at at that moment should be more than enough to make a targeted ad without it being personalised.

      Targeted, but not effective. I recently searched for new bike pedals. For the last three weeks I keep seeing ads for pedals, and shoes, and gloves, and ... Hey wait, I do need some new gloves. That price looks pretty good.

      They do it because it works.

      --
      Nope, no sig
  9. Apps already take part in huge tracking system by Kopp · · Score: 1

    French startup Teemo (formerly Databerries) already provides accurate tracking to ad companies, by teaming up with a few app distributors (mostly newspaper / news sites apps, so to sum it up, useless apps that provide the same content as their website, with the added benefit of being tracked). Apps send location data every 3 minutes, and thoses are related to IFDA for Apple phone (don't know about android) They pretend it take them only a few minutes for their team to locate you with only your phone number, or your address, work address, They also claim it's quite easy for them to track french president Macron as he is a fan of one of the apps, and always followed by many other smartphones. Well, I guess turning off localisation data and refusing access to this info to apps that don't need it (everything but gps/maps app, imho) would ruin that system. Also, not using stupid apps.

  10. That stalker... by thegarbz · · Score: 1

    And just how is this supposed stalker supposed to target the individual phone ID? In the advertising world the individual's ID is the goose that lays the golden eggs for the advertiser service provider. You would need to carefully profile the target and then hope no one else fitting the profile is in the location that you're targeting since Google et al, would never hand over or let you target the ID itself.

    At which point, why not just stalk the traditional way. Cost is not the issue here, it just seems like a ludicrously stupid way of tracking someone.

    1. Re:That stalker... by Gavagai80 · · Score: 1

      Stalking is certainly more easily and thoroughly done the traditional way regardless. This might be useful for a professional burglar, though -- build a profile of what hours a certain device is actively browsing the web from a certain house, and plan a break-in accordingly.

      --
      This space intentionally left blank
    2. Re:That stalker... by Antique+Geekmeister · · Score: 1

      The cell phone services, mapping services, and various vendor profiling tools already have identifiable information of your phone number, your cell phone SIM ID and your MAC address. See https://ssd.eff.org/en/module/... for some sense off the variety of tracking information already shared by portable devices.

  11. Re:And i wonder... by sheramil · · Score: 1

    Why would an advertiser spend $1000 to learn that i never leave my bedroom?

  12. The ideal "Age of Google" by Qbertino · · Score: 1

    Everyone can watch everyone.

    These days we are closer to this than we are to ultimate privacy.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:The ideal "Age of Google" by drinkypoo · · Score: 2

      Everyone can watch everyone.
      These days we are closer to this than we are to ultimate privacy.

      We are no more meaningfully closer to one than the other. You cannot watch what the wealthy do, because they can hide behind a big wall of money. But they get to watch what you do, because they can literally afford to pay someone to bug your house.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  13. Re:And i wonder... by Mashiki · · Score: 2

    So they can market adult diapers and ensure to you of course.

    --
    Om, nomnomnom...
  14. Re:You realize... by esonik · · Score: 3, Interesting

    A lot of data leaks can be prevented by using a browser instead of apps. There are browsers that are made for users, not advertisers: https://www.mozilla.org/en-US/...
    Apps are basically trojan horses on your device. The purpose of the majority of apps is to collect data about their users. So, instead of the amazon app, use their mobile web page (it's actually good). Instead of Facebook app, use their web page (or better don't use fb at all), etc.

    When selecting a browser, try not to choose from a company whose main business is advertising. http://www.investopedia.com/ar...

    Practical tips:
    Some browser addons I consider a basic necessity:
    1) ad blocker (obviously)
    2) tracker blocker, like Ghostery (FF now comes with its own built-in tracker blocker)
    3) NoScript

    For messaging I recommend https://threema.ch/
    Yes, you pay 3 CHF, but only once.

    It has become difficult to find apps that don't sell your data. Since everybody wants apps for free the app developers have to resort to other revenue channels and selling your data is a fairly obvious one. https://www.go2mobi.com/sell-u...

  15. Specific location? by 14erCleaner · · Score: 1

    "Tracking" isn't very useful, if you have to predefine the GPS coordinates. I suppose a divorce lawyer could use this to see when a cheating spouse was visiting a particular house, but in general, $1000 per location would get kind of pricy for general surveillance.

    --
    Have you read my blog lately?
    1. Re:Specific location? by Actually,+I+do+RTFA · · Score: 1

      It's not $1000 per location. It's $1000 in total.

      --
      Your ad here. Ask me how!
  16. Re: How associate ad with someone? by Trax3001BBS · · Score: 1

    I use a hosts file began with a seed file from http://someonewhocares.org/hos... it takes a bit of work. With an Android one can't use a host file without being rooted.

    What I do is watch the traffic on my router (Asus AC66U), then use robtex.com to verify for a block. Yet this only works for local networking on Android. I find using airplane mode when playing a game effective - I'm old school and my security now days appears paranoid to many.

  17. Re: How associate ad with someone? by Trax3001BBS · · Score: 1

    I find using airplane mode when playing a game effective - I'm old school and my security now days appears paranoid to many.

    Of course after a program I go to the apps settings and force stop it or it will continue to run in the background.

  18. Re:How associate ad with someone? by pnutjam · · Score: 1

    I wonder how easily adapted this would be to, for example, identify everyone attending a strip club, or maybe collect data from everyone in an area known for prostitution or drug use.
    In the past, people have received letters indicating their car was seen in an area known for prostitution, this could be an interesting tool.

    --
    Cheap storage VM.