Anyone with £760 can use mobile adverts to track you
Mobile advertising and the privacy concerns associated with it have been a topic of discussion for a long time. We know large companies have a lot of data on their customers. But when it comes to how much information a company knows about you, as an individual, the specifics are not what you might think.
A new study by the University of Washington has found it is not just big businesses with millions of customers that can gather data on someone. Anyone with $1,000 (£760) to spare can use mobile ads to track someone’s specific location.
“Regular people, not just impersonal, commercially motivated merchants or advertising networks, can exploit the online advertising ecosystem to extract private information about other people, such as people that they know or that live nearby,” the study says.
Targeted advertising works in a range of ways. Ads can be specifically tailored to gender, age, or to the person’s device using their IP address, location or operating system.
“Advertising can be used by the individuals buying ads to track a target’s location in relative real-time,” the authors said in an online Q&A about the study. For only $1,000, someone can buy a variety of advertising services, and some of these can also be used to track which apps the person is using – if those apps have ads.
The experiment worked by buying adverts that were then reported back when they had been ‘served’ to the customer, which means being displayed on the screen. The network used in the study told the buyer which apps had been used to display the ads, meaning they could work out which apps the individual was looking at.
The authors also described a way to work out someone’s GPS location. First they had to work out the individual’s unique Mobile Advertising ID (MAID), then target ads at that MAID only. Then they asked for location-specific adverts. Each time an advert was served, they could work out the device’s location, to within eight metres, and which app was being used, as long as the device had been there for five minutes.
In one case, the team was able to track an individual’s commute across Seattle using ads placed at four locations; their home, a bus stop, a coffee shop and their office.
While the paper used a particular advertising network for this experiment, the authors would not disclose which one was used.
“We experimented with one advertising network, and then surveyed many more,” said the authors. “Because we believe that our findings suggest a privacy risk that is industry-wide, we do not name the specific advertising network that we experimented with.”
But the implications of this are important. If one person really wanted to learn where someone they know is at all times, or if they want to know what kind of apps they use, they can do so. “We recommend that advertising networks do more vetting of the parties that wish to purchase ads,” the authors say.
“It’s not a particularly high bar to entry for a very, very highly targeted attack,” Adam Lee, a professor at the University of Pittsburgh who reviewed the University of Washington study, told Wired. If the technique got into the wrong hands, a domestic abuser, stalker or criminals targetting a specific property, it could be dangerous for any individual.
“Users concerned about the privacy risks we have identified in the course of our research should consider resetting their MAID,” they added. This is how to do so on an iPhone, here is how to on an Android. You may also wish to turn stop apps having location access on your phone. This how to do so on an iPhone, this how to on an Android phone.