For Under $1,000, Mobile Ads Can Track Your Location (mashable.com) 52
"Researchers were able to use GPS data from an ad network to track a user to their actual location, and trace movements through town," writes phantomfive. Mashable reports:
The idea is straightforward: Associate a series of ads with a specific individual as well as predetermined GPS coordinates. When those ads are served to a smartphone app, you know where that individual has been... It's a surprisingly simple technique, and the researchers say you can pull it off for "$1,000 or less." The relatively low cost means that digitally tracking a target in this manner isn't just for corporations, governments, or criminal enterprises. Rather, the stalker next door can have a go at it as well... Refusing to click on the popups isn't enough, as the person being surveilled doesn't need to do so for this to work -- simply being served the advertisements is all it takes.
It's "an industry-wide issue," according to the researchers, while Mashable labels it "digital surveillance, made available to any and all with money on hand, brought to the masses by your friendly neighborhood Silicon Valley disrupters."
It's "an industry-wide issue," according to the researchers, while Mashable labels it "digital surveillance, made available to any and all with money on hand, brought to the masses by your friendly neighborhood Silicon Valley disrupters."
HTML5 GEO Function can be abused? *GASP* (Score:1)
Seriously everybody said this would happen if it was made available and sure enough it has been.
Re: (Score:3)
And did someone pay attention to what happens to the URL of the linked article when you open it?
Re: (Score:1)
Re: (Score:3)
Ip address of phone downloading the unviewed ad.
Or nearest fell tower.
Browser fingerprinting and cookies do the rest.
The ip address, browser fingerprinting or cookies don't give the actual user location. As for the nearest "fell" tower, you don't get that information from ads.
There's the HTML 5 api but it will pop in your face telling you that XYZ is asking for your location.
So as it's indicated in the summary, the only context where this "hack" could work would be in native apps when the user has given permissions to get his location. If someone allows ad-supported apps to track them, they deserve to be stalked.
Re: (Score:2)
I use a hosts file began with a seed file from http://someonewhocares.org/hos... [someonewhocares.org] it takes a bit of work. With an Android one can't use a host file without being rooted.
What I do is watch the traffic on my router (Asus AC66U), then use robtex.com to verify for a block. Yet this only works for local networking on Android. I find using airplane mode when playing a game effective - I'm old school and my security now days appears paranoid to many.
Re: (Score:2)
I find using airplane mode when playing a game effective - I'm old school and my security now days appears paranoid to many.
Of course after a program I go to the apps settings and force stop it or it will continue to run in the background.
Re: (Score:2)
from whitepaper (Mobile Advertising ID):
-"sniff network traffic of target devices to obtain the MAID, which is often sent to ad-exchanges
unencrypted"
- "attacker can also obtain the MAID if the target clicks on any of the attacker’s earlier ads"
- "exfiltrated via JavaScript in ads in some major ad-libraries"
Re: (Score:2)
In the past, people have received letters [jsonline.com] indicating their car was seen in an area known for prostitution, this could be an interesting tool.
And advertisers wonder... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
But it's an added bonus.
$1000 for locating a certain individual seems expensive if you follow what's in the article.
I suspect that the cost of a single tracking is less than $1. It's the use of a tracking ad that costs $1000, but then you can target more than one individual, more likely 1000 individuals several times.
Tracking is totally the problem with ads (Score:5, Insightful)
Tracking in general is certainly the reason for me. Binning the actual ads is incidental except for the whole personalised aspect of ads. This is the tracking part in action of course.
What's wrong with simply making the ads subject related rather than that who is looking? What the user is looked for/at at that moment should be more than enough to make a targeted ad without it being personalised.
Re: (Score:2)
What the user is looked for/at at that moment should be more than enough to make a targeted ad without it being personalised.
Targeted, but not effective. I recently searched for new bike pedals. For the last three weeks I keep seeing ads for pedals, and shoes, and gloves, and ... Hey wait, I do need some new gloves. That price looks pretty good.
They do it because it works.
Re:You realize... (Score:4, Informative)
As for me, I think I'm going back to a dumb-phone, or at the very least, switching to airplane mode whenever I'm not actively using the internet.
If you look at the F-Droid repo, you'll find plenty of open-source apps that can help you control this kind of thing. For instance: https://f-droid.org/en/package... [f-droid.org]
Re: (Score:3, Interesting)
A lot of data leaks can be prevented by using a browser instead of apps. There are browsers that are made for users, not advertisers: https://www.mozilla.org/en-US/... [mozilla.org]
Apps are basically trojan horses on your device. The purpose of the majority of apps is to collect data about their users. So, instead of the amazon app, use their mobile web page (it's actually good). Instead of Facebook app, use their web page (or better don't use fb at all), etc.
When selecting a browser, try not to choose from a company who
Ad-blockers can't prevent 'em from tracking you (Score:2)
Believe it or not, they can track you _even_ if you have ad-blocker installed
The ad does not have to appear fully on screen , (or be successfully downloaded in full)
All it needs is to have the GEO function invoked (with the help of your smartphone's embedded GPS feature) to send back your _current_ location before the ad-blocker wakes up, and block it
Re:And i wonder... (Score:2)
Why would an advertiser spend $1000 to learn that i never leave my bedroom?
Re: (Score:3)
So they can market adult diapers and ensure to you of course.
Nothing To... Hmm... (Score:3)
Apps given access to your GPS can pass that data on to advertisers. Evil Stuff (tm) can then be done with that data. I would say "nothing to see here" but I'm surprised that ads can be customized to only be shown to devices with a specific ID at a specific GPS location. The chances someone will sniff your MAID, and know the ad networks of the apps you leave running that have location access, seems really low though. I imagine the more reputable (i.e. common) ad networks will/already prohibit such specific targeting.
Re: (Score:3)
From the whitepaper:
"Cookies/MAID. Every DSP allows targeting users based on cookies
or mobile advertising ID (MAID). Either of these could be obtained
by an ADINT attacker if the user ever clicks on their ad.
They can also be obtained from sniffing network traffic. Finally,
active ad content (see below) can be used to potentially acquire
either identifier."
Also Facebook allows targeting by email with minimum of 20 addresses.
"(...) these minimums can be
circumvented; we conducted a preliminary experiment and foun
Re:Nothing To... Hmm... (Score:5, Insightful)
I imagine the more reputable (i.e. common) ad networks will/already prohibit such specific targeting.
No. I've worked in ad-tech, and I can tell you the answer is no. There is absolutely no motivation for ad companies to even think about this problem beyond a token effort.
Ad companies have every motivation, indeed they have people paying them to give them as much information about a person as possible. This isn't even a new thing: decades ago you could buy mailing lists with names, addresses, gender, and income.
Apps already take part in huge tracking system (Score:1)
That stalker... (Score:2)
And just how is this supposed stalker supposed to target the individual phone ID? In the advertising world the individual's ID is the goose that lays the golden eggs for the advertiser service provider. You would need to carefully profile the target and then hope no one else fitting the profile is in the location that you're targeting since Google et al, would never hand over or let you target the ID itself.
At which point, why not just stalk the traditional way. Cost is not the issue here, it just seems lik
Re: (Score:2)
Stalking is certainly more easily and thoroughly done the traditional way regardless. This might be useful for a professional burglar, though -- build a profile of what hours a certain device is actively browsing the web from a certain house, and plan a break-in accordingly.
Re: (Score:2)
The cell phone services, mapping services, and various vendor profiling tools already have identifiable information of your phone number, your cell phone SIM ID and your MAC address. See https://ssd.eff.org/en/module/... [eff.org] for some sense off the variety of tracking information already shared by portable devices.
The ideal "Age of Google" (Score:2)
Everyone can watch everyone.
These days we are closer to this than we are to ultimate privacy.
Re: (Score:3)
Everyone can watch everyone.
These days we are closer to this than we are to ultimate privacy.
We are no more meaningfully closer to one than the other. You cannot watch what the wealthy do, because they can hide behind a big wall of money. But they get to watch what you do, because they can literally afford to pay someone to bug your house.
Specific location? (Score:2)
Re: (Score:2)
It's not $1000 per location. It's $1000 in total.