New research at the University of Washington reveals how you can track a person's location and app use by serving ads in mobile applications. The conclusions of the research are astonishing. It is possible to track a person's location by purchasing app advertising within specific apps.
The research team purchased a series of ads that targeted specific locations and apps. Next, they checked which mobile subscribers matched their targeting. All research was conducted on Android devices. 10 different apps were tested and included Imgur, Words with Friends, and Grindr. The ad networks used were common and widely available. The research team was able to locate a test subject within 25 feet, simply by purchases app ads.
When the team purchased and then served advertising content to a test subject's apps, the team learned what apps the test subject had installed. In some instances the information revealed was sensitive. Religious affiliation, sexual orientation, gender, and age range were some of the private details ad networks revealed to ad buyers.
The research team was also able to discover when a targeted user visited a specific location. By ad-targeting a location, ad networks would notify ad buyers when a user arrived, usually in under 10 minutes.
The study, Using Targeted Advertising for Personal Surveillance, will be presented in Dallas, Texas at the Workshop on Privacy in the Electronic Society on October 30, 2017.
"If you want to make the point that advertising networks should be more concerned with privacy, the bogeyman you usually pull out is that big corporations know so much about you. But people don't really care about that," said Paul Vines of the University of Washington research team. "But the potential person using this information isn't some large corporation motivated by profits and constrained by potential lawsuits. It can be a person with relatively small amounts of money and very different motives."
The research team used an Android 10 Moto G for testing. They created a mobile ad banner and a temporary website that served as a landing page if their ad banner was clicked on. They spent the minimum required, which was $1,000. They were then allowed to buy ads on various mobile ad networks and specify criteria for when their ad was to appear. The research team has thus far declined to reveal what criteria they tested and which ad networks they used.
Next they created a geographic grid of Seattle, and location-targeted ad buys around a 3 square mile section. When an ad displayed, they were notified by the ad network. They received confirmation of when, where, and on what phone the ad was displayed. They were then able to track test subjects within their grid. The reporting delay from the ad network varied between 5 and 10 minutes.
A test subject's trip around Seattle that researchers tracked with ads via the app Talkatone. The dotted lines show the user's actual path. The red dots show where ads were delivered to the user's phone and revealed his/her workplace, bus stop, home and local coffee shop. (The users's real home location has been obscured for privacy.)
UNIVERSITY OF WASHINGTON
UNIVERSITY OF WASHINGTON
"It's not a particularly high bar to entry for a very, very highly targeted attack," said Adam Lee, professor at the University of Pittsburgh who reviewed the University of Washington research study.
University of Washington researchers say there is no simple fix for this sort of targeted surveillance. They hope their research and findings will draw attention to the topic, and dispel common myths that ad networks only gather and share non-identifiable en masse data. The personal data mobile ad networks collect and use is very targeted and can be exploited.