For only $1,000, someone with “devious intent” can purchase online advertising and use it to track the location and mobile habits of other individuals

Security researchers at the University of Washington’s (UW) Security and Privacy Research Lab discovered how online ad infrastructure could be exploited for personal surveillance.

Lead author, Paul Vines, and doctor graduate from UW’s School of Computer Science and Engineering said:

Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behaviour.

The team behind the research wants to raise awareness of this threat of online ads tracking. It comes in the same week that it was revealed by non-profit organisation Privacy International that UK intelligence agencies are monitoring the social media accounts of potentially millions of people.

Protecting your privacy online has never appeared more imperative.

How can ad purchasing lead to surveillance?

The team at UW discovered that an individual ad purchaser can see when a person visits a predetermined sensitive location within 10 minutes of that person’s arrival, in theory. That could be a hospital where someone might be receiving treatment or a suspected spot for an affair.

As well, they could track a person’s movements across the city during a morning commute by serving location-based ads to the person’s mobile phone.

This also allowed them to discover they could see what type of apps the target was using.

This type of information could divulge a person’s interests, religious or political affiliations, health conditions and other sensitive and private information.

How does online ads tracking happen?

If a person wanted to track someone else’s movements, they can use the mobile advertising ID (MAID) for that person’s mobile phone.

This ID is what marketers use to serve ads to people based on their interests. The identifiers get sent to the advertisers and other parties whenever a person clicks on the ad.

3 Things That Will Change the World Today

Customers of advertising services can purchase hyperlocal ads that will only be served to that particular phone when its owner opens an app in a particular spot.

An ad purchaser could set up a grid of these location-based ads and track a particular device if the target opens the app and remains in the location long enough for an ad to be served. This only takes around four minutes.

The target doesn’t even need to click or engage with the ad, they just need to see it on an app. Using this information, the team could pinpoint someone’s location within eight metres.

Online ads tracking

An example of the types of tracking that can be done through online advertising (via University of Washington)

Co-author, Tadayoshi Kohno, who studies security vulnerabilities, said:

To be honest, I was shocked at how effective this was. We did this research to better understand the privacy risks with online advertising. There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precious. It is important to understand both the benefits and risks with technologies.

How can you stop this from happening?

As an individual, you can disrupt the simple types of location-based attacks that the UW team carried out.

You can do this by resetting the mobile advertising ID on your phone, or by disabling location tracking within individual app settings.

The UW team is going to continue its work in this area with the university’s Tech Policy Lab to explore the legal and policy questions raised by this type of potential intelligence gathering.

Franzi Roesner, who also working on the study, said:

We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them.