Online advertising has been accused of meddling in the 2016 presidential election, maliciously sowing fears about immigrants, and enabling potential ad buyers to single out antisemites. It turns out, however, that the creepiness inherent in an ad targeting system capable of tracking digital movements on an individual level is just getting started.
In a recently published paper, researchers at the University of Washington demonstrate that practically anyone can spend a little cash and track, in relatively real time, the location of a human target. That’s digital surveillance, made available to any and all with money on hand, brought to the masses by your friendly neighborhood Silicon Valley disrupters.
The idea is straightforward: Associate a series of ads with a specific individual as well as predetermined GPS coordinates. When those ads are served to a smartphone app, you know where that individual has been.
“The first step to enable location tracking using ads is to obtain the target’s MAID [Mobile Advertising ID] by sniffing their network traffic (see below), which allows us to specify ads to only be served to the target device,” explain the study authors. “Then we create a series of ads, each targeted at that MAID, but each also targeted at a different GPS location. This creates a geographical grid-like pattern of ads. Then we can observe which of these ads gets served, and this indicates where the target actually was.”
It’s a surprisingly simple technique, and the researchers say you can pull it off for “$1,000 or less.” The relatively low cost means that digitally tracking a target in this manner isn’t just for corporations, governments, or criminal enterprises. Rather, the stalker next door can have a go at it as well.
But that’s not the only type of person that might seize on this morally dubious opportunity. The researchers speculate that so-called “ideological vigilantes” might exploit it as well.
“E.g., an anti-gay group could conduct target acquisition by serving ads in gay apps or location-targeting gay bars and extracting identifiers,” the study notes. “That information alone could be sufficient for the group’s purposes, e.g., if that information exposed the number of gay people at a specific location. The group could also use ADINT to gather more information about the targets prior to carrying out some other nefarious objectives.”
The researchers chose not to disclose which specific advertising network they used to purchase the ads involved in this study, writing that they essentially didn’t need to because the entire system is flawed. “Our results — both our experiments with one advertising network and our survey of many others — point to an an industry-wide issue.”
Which, well, is not exactly reassuring.
So what can you do to protect yourself, other than never use smartphone apps with ads? Refusing to click on the popups isn’t enough, as the person being surveilled doesn’t need to do so for this to work — simply being served the advertisements is all it takes.
Thankfully, the study authors have a few suggestions.
“Users concerned about the privacy risks we have identified in the course of our research should consider resetting their MAID,” they explain. “Users may also wish to turn off location access to apps on their phone.”
Regularly resetting your MAID is a bit of a pain, but both iOS and Android devices allow for it. If you’re concerned about being surveilled through mobile ad tracking, the reset process is a simple enough process to consider making it part of your weekly (or daily) phone hygiene. Also, unless an app specifically needs your location (think Lyft or Google Maps), there is no reason it should have location access in the first place. Disable it.
As the mobile ad business continues to boom — 87 percent of Facebook’s ad revenue, for example, now comes from mobile — it’s worth remembering that the advertisements being served to you are more than just an annoyance. They just might be a threat, as well.