How the Pentagon Learned To Use Targeted Ads To Find Its Targets (wired.com)
An anonymous reader quotes an excerpt from a Wired article: In 2019, a government contractor and technologist named Mike Yeagley began making the rounds in Washington, DC. He had a blunt warning for anyone in the country's national security establishment who would listen: The US government had a Grindr problem. A popular dating and hookup app, Grindr relied on the GPS capabilities of modern smartphones to connect potential partners in the same city, neighborhood, or even building. The app can show how far away a potential partner is in real time, down to the foot. But to Yeagley, Grindr was something else: one of the tens of thousands of carelessly designed mobile phone apps that leaked massive amounts of data into the opaque world of online advertisers. That data, Yeagley knew, was easily accessible by anyone with a little technical know-how. So Yeagley -- a technology consultant then in his late forties who had worked in and around government projects nearly his entire career -- made a PowerPoint presentation and went out to demonstrate precisely how that data was a serious national security risk.
As he would explain in a succession of bland government conference rooms, Yeagley was able to access the geolocation data on Grindr users through a hidden but ubiquitous entry point: the digital advertising exchanges that serve up the little digital banner ads along the top of Grindr and nearly every other ad-supported mobile app and website. This was possible because of the way online ad space is sold, through near-instantaneous auctions in a process called real-time bidding. Those auctions were rife with surveillance potential. You know that ad that seems to follow you around the internet? It's tracking you in more ways than one. In some cases, it's making your precise location available in near-real time to both advertisers and people like Mike Yeagley, who specialized in obtaining unique data sets for government agencies.
Working with Grindr data, Yeagley began drawing geofences -- creating virtual boundaries in geographical data sets -- around buildings belonging to government agencies that do national security work. That allowed Yeagley to see what phones were in certain buildings at certain times, and where they went afterwards. He was looking for phones belonging to Grindr users who spent their daytime hours at government office buildings. If the device spent most workdays at the Pentagon, the FBI headquarters, or the National Geospatial-Intelligence Agency building at Fort Belvoir, for example, there was a good chance its owner worked for one of those agencies. Then he started looking at the movement of those phones through the Grindr data. When they weren't at their offices, where did they go? A small number of them had lingered at highway rest stops in the DC area at the same time and in proximity to other Grindr users -- sometimes during the workday and sometimes while in transit between government facilities. For other Grindr users, he could infer where they lived, see where they traveled, even guess at whom they were dating.
Intelligence agencies have a long and unfortunate history of trying to root out LGBTQ Americans from their workforce, but this wasn't Yeagley's intent. He didn't want anyone to get in trouble. No disciplinary actions were taken against any employee of the federal government based on Yeagley's presentation. His aim was to show that buried in the seemingly innocuous technical data that comes off every cell phone in the world is a rich story -- one that people might prefer to keep quiet. Or at the very least, not broadcast to the whole world. And that each of these intelligence and national security agencies had employees who were recklessly, if obliviously, broadcasting intimate details of their lives to anyone who knew where to look. As Yeagley showed, all that information was available for sale, for cheap. And it wasn't just Grindr, but rather any app that had access to a user's precise location -- other dating apps, weather apps, games. Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable. The report goes into great detail about how intelligence and data analysis techniques, notably through a program called Locomotive developed by PlanetRisk, enabled the tracking of mobile devices associated with Russian President Vladimir Putin's entourage. By analyzing commercial adtech data, including precise geolocation information collected from mobile advertising bid requests, analysts were able to monitor the movements of phones that frequently accompanied Putin, indicating the locations and movements of his security personnel, aides, and support staff.
This capability underscored the surveillance potential of commercially available data, providing insights into the activities and security arrangements of high-profile individuals without directly compromising their personal devices.
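As an added example, not taken from the Wired article or the Slashdot post, here is the defender's side of the bid-request leak the excerpt describes: a publisher- or exchange-side filter that audits an OpenRTB-style request for the fields that single out a handset (advertising ID, pinpoint lat/lon, accuracy) and coarsens them before the request fans out to bidders. The field names follow the public OpenRTB 2.x layout; the request contents themselves are constructed.

```python
import copy
import ipaddress

# Device fields that identify one handset across requests (names from the
# public OpenRTB 2.x spec; the "advertiser ID" in the story is `ifa`).
DEVICE_ID_FIELDS = ("ifa", "dpidsha1", "dpidmd5", "didsha1", "didmd5", "macsha1", "macmd5")
# Geo fields that turn a coordinate into a pinpoint fix.
GEO_PRECISION_FIELDS = ("accuracy", "lastfix")

# Constructed sample request: coordinates, IFA and app bundle are made up.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "app": {"bundle": "com.example.hookupapp"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",
        "ip": "203.0.113.42",
        "geo": {"lat": 38.870928, "lon": -77.055912, "type": 1, "accuracy": 5},
    },
}

def leaked_fields(req):
    """Audit step: name the fields that let a bidder single out and pinpoint
    one handset. An empty list means the request carries none of them."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    found = [f"device.{f}" for f in DEVICE_ID_FIELDS if f in dev]
    found += [f"device.geo.{f}" for f in GEO_PRECISION_FIELDS if f in geo]
    for axis in ("lat", "lon"):
        # Finer than two decimals (cells a bit over 1 km tall) counts as pinpoint.
        if axis in geo and round(geo[axis], 2) != geo[axis]:
            found.append(f"device.geo.{axis}")
    return found

def sanitize_bid_request(req, geo_decimals=2):
    """Return a copy with device identifiers dropped, the IPv4 address cut to
    its /24 and coordinates snapped to a coarse grid; the input is untouched."""
    clean = copy.deepcopy(req)
    dev = clean.get("device")
    if not dev:
        return clean
    for field in DEVICE_ID_FIELDS:
        dev.pop(field, None)
    if "ip" in dev:
        net = ipaddress.ip_network(f"{dev['ip']}/24", strict=False)
        dev["ip"] = str(net.network_address)
    geo = dev.get("geo")
    if geo:
        for field in GEO_PRECISION_FIELDS:
            geo.pop(field, None)
        for axis in ("lat", "lon"):
            if axis in geo:
                geo[axis] = round(geo[axis], geo_decimals)
    return clean
```

Running `leaked_fields` on a live request feed is the cheap check: anything it reports is data the exchange is handing to every bidder, whether or not they win the auction.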
"The Grindr account is work-related." (Score:5, Funny)
Re: (Score:2)
"I'm working undercover"
This should surprise absolutely no one here. (Score:5, Insightful)
Pain in the patootie? Most definitely.
Not me... (Score:2)
Re: (Score:2)
One has to wonder how you managed to post your comment then? Astral projection?
Re: (Score:2)
One has to wonder how you managed to post your comment then? Astral projection?
New proprietary technology for which the Slashdot post was a teaser?
Re: (Score:2)
>One has to wonder how you managed to post your comment then?
Have you *seen* today's dishwashers?
Let alone the washing machines.
For crying out loud, there are now cooktops with internet connections.
Re: (Score:2)
Either at work on his company's machine, using a friend's machine, or at a library.
Re: (Score:2)
I think a few people didn't get the sarcasm.
These days, how does one do anything without connecting to the big mainframe. Access to banks? Nope. Able to buy things at a supermarket? Nope. Get a driving licence? Nope. Do school tests? Nope.
Re: (Score:2)
I think we need a sarcasm HTML tag, if anything, to make screen readers do a better job. It also makes things more clear for slower or literal minded people.
Re: (Score:2)
https://brax.me/ [brax.me]
I have seen something similar (Score:5, Interesting)
While it was not what I was there for, I pushed the information up their chain of command. It seems to have worked. At this point, when I visit that base, no one shows up when I search for users near me. Many times it is just a matter of making people aware of the security risks that some of these apps pose.
Re:Yeeeaaah it’s no coincidence (Score:5, Informative)
this guy chose Grindr, cause the US never, ever, singled out LGBT people for suspicion in the past, eh?
From the story:
Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable.
Emphasis mine.
Re: (Score:3)
Grindr is normally going to run with location access, often with GPS turned on. Can you think of any other apps that are so popular and leak precise location data with advertiser IDs?
Re: (Score:1)
Probably Tindr or whatever, but really the entire thing is silly.
Either these people were already 'out' or they were out and did not know it. The entire raison d'être for hook up apps is to essentially advertise! You can't reasonably be using one of these things and not expect someone a few enough degrees of separation from your other social circles to spot you.
There is no harm here, other than what people may have already done to themselves.
Re: (Score:2)
I don't think Tinder shows third party ads. Most dating apps probably don't, since they want to sell their own premium "points", and they engineer it so you think you won't actually meet anyone unless you pay. (Whether this is true or not I can't say.)
A dating app with ads is a good dating app! Because it's not engineered to fail until you fork out increasing amounts of cash.
Re: (Score:1)
Those are just the apps declaring their use/sharing of location data, there are hundreds of apps not declaring their data capture & sharing. A few quick exa
Re: (Score:2)
As for popular apps, I'm sure you are right about weather apps. That might not apply to a military situation though. I don't know but I have to keep an open mind.
As for dating apps, I only have experience with Tinder, but I don't recall it showing any third party ads. So any such app is automatically ruled out. And other apps like QR scanners are not often opened, are not allowed to access location data unless explicitly allowed, and can't even run/start in the background on most Android phones. (The last p
It's about blackmail, idiot. (Score:2)
... the guy is either a) hostile to LGBTs or b) spectacularly ignorant of both current events and US history, completely tone deaf, and just HAPPENED to choose the dating app that gays use.
What he is implying, and what everyone else would have plainly understood, is that closeted gays working in national security positions would be ripe targets for blackmail by foreign agencies. This is neither hostile nor tone deaf. It's simply alluding to an obvious security concern.
Re: (Score:2)
“Closeted gays”
What century do you live in? Nowadays, when a gay person is outed, we no longer tar and feather them while chasing them out of town ringing bells and yelling “shame”. Even most conservative families barely even care if the gay aunt or uncle attends family thanksgiving. Remember when the US congress passed the law legalizing gay marriage? No? That’s because literally nobody cared. Society had put th
Re: (Score:3)
What century do you live in? Nowadays, when a gay person is outed, we no longer tar and feather them while chasing them out of town ringing bells and yelling "shame". Even most conservative families barely even care if the gay aunt or uncle attends family thanksgiving. Remember when the US congress passed the law legalizing gay marriage? No? That's because literally nobody cared. Society had put that issue to bed a decade previously. Even the republicans couldn't bring themselves to gripe about it, and that's a group that will shut the government down if anyone even so much as looks at them cross-eyed. Nobody in the US except for a super-tiny fringe of religious fanatics cares anymore.
Holy fuck you are oblivious. Nobody cares about someone being outed? How about the person being outed themself? Do you think every user of Grindr is openly gay, or wants to be? Can you not conceive that there are gay people not OK with being outed, for any number of personal reasons?
Summary? (Score:3)
Just me, or should a summary actually be a summary, with a link to a story we can read if we want, rather than a verbatim quote of pages of text?
Wired articles are always so flowery, there's plenty of scope for cutting it down to a paragraph and letting us get on with our lives.
From the not-that-important-but-it-bothered-me-enough-to-comment department.
Re: (Score:2)
This summary just seemed to go on for ages compared to other stories. As I said, not important.
Because only LGBT people use hookup apps? Sure... (Score:2, Insightful)
> Intelligence agencies have a long and unfortunate
> history of trying to root out LGBTQ Americans from
> their workforce, but this wasn't Yeagley's intent. He
> didn't want anyone to get in trouble. No disciplinary
> actions were taken against any employee of the
> federal government based on Yeagley's
> presentation.
Yet.
With the massive resurgence of anti-LGBT hate that's being stoked and propagated for political purposes these days, this scumbag just placed a lot of people at-risk; possib
Re: (Score:2)
When was there ever a campaign to deny hetero people government jobs or fire them from the ones they already have? Rhetorical question, of course; because there's never been one. Whereas there have been MANY such campaigns against LGBT people, as recently as in the wake of DeSantis' don't-say-gay campaign and Trump's attempt to terminate transgender federal employees.
And, for that matter and to be perfectly fair, it's not just from the right. I'd forgotten until now, but when googling for examples I found
Not too different from the Fitbit debacle (Score:2)
Anyone remember the story not too long ago where people were uploading their jogging info and you could see who was in the military by where they were jogging, especially in the Middle East.
They already knew (Score:2)
I'm sure the "national security establishment" already knew about this and was already using it. Using targeted ads for this purpose is old news. [huffingtonpost.co.uk]. He just wasn't cleared for it.
You're assuming competence (Score:2)
As the old saw says: 'Never ascribe to malicious intent what is best explained as a cock up'. Yes, it would be nice to believe that those clever people whom we assume to exist are surprised by this...
Re: (Score:2)
Old news. Very old. Identifying members of your intelligence organization by performing a link analysis with other, known members is as old as the hills.
When Dick Cheney outed Valerie Plame (a NOC [wikipedia.org] agent), numerous foreign intelligence agencies undoubtedly went through her telephone calling history (all available to anyone with a checkbook) to see who also called the same numbers. Calling in sick, for example, to your cover organization. That probably exposed dozens or maybe hundreds of other CIA agents. Pe
Re: (Score:2)
OPSEC is the term used to cover most of that. There are a lot of provisions that are more honored in the breach than the observance. You'll get told to remove badges entirely rather than concealing them by shoving them in a pocket or whatever. But then people lose badges...this is a simplistic example. The bottom line is that your associates at work are difficult to conceal under the best of circumstances. Noting down license plates heading on and off post is a pretty commonplace thing. Having someone
Re: (Score:2)
The bottom line is that your associates at work are difficult to conceal under the best of circumstances.
But we all work for the American Literary Historical Society. Until someone outs one of us as CIA, it's not important to maintain OPSEC.
Noting down license plates heading on and off post is a pretty commonplace thing.
Which is why most NOCs don't report to headquarters. They have a cover employer. And if that location's cover is blown and the enemy guns down everyone else in the office while I'm picking up our lunch order, they were all expendable anyway.
That person that works in ad tech assured me... (Score:2)
I was told by a person in ad tech that he couldn't use the data available to him to target any one specific person, making it specifically useless for stalking, and here you are telling me this? I sit here shocked that the person in ad tech was either clueless as to the actual capabilities of his employer or a liar.
People know this (Score:2)
When an app is installed in Android OS, it literally asks to track you 1) this time only (this option frequently not available), 2) when using this app, 3) all the time. People repeatedly and blithely click on "all the time". I get it, most people have the short-sighted idea that nothing bad can happen from the simple truth. (The same people then probably watch prime-time dramas where honest people are interrogated, belittled and blackmailed by the police.) But when your job involves hiding a lot of tru