Mobile ads enable location tracking for as little as $1,000

Our usual image of online advertising is that we are one of millions whose data is being examined by a large, remote organisation - a government or major company. Research from the University of Washington has found that anyone equipped with time, determination, and a relatively small budget of $1,000 can exploit mobile advertising networks to track a specifically targeted individual. Researchers Paul Vines, Franzi Roesner, and Yoshi Kohno, who presented their work at ACM's Workshop on Privacy in the Electronic Society, created a mobile banner ad and a website to serve as the landing page when someone clicked on the ad. They used ten Moto G Android phones for testing their tracking efforts.

The $1,000 was the minimum deposit to place orders with an advertising platform they did not identify that, like many others, allows ad buyers to specify criteria such as where the ad appears, in which apps, and for which unique phone identifiers. They set the ad to appear on the calling and texting app Talkatone whenever someone running the app was at one of the location coordinates they had specified among a grid of such locations around a 3 square-mile section of Seattle.  Any time the ad appeared, the researchers were charged 2 cents and received confirmation of where, when, and on which phone the ad was shown. The stream of this information enabled them to track their test phones to within 25 feet with a time delay of as little as six minutes. After seven days, they could easily identify each person's work and home addresses based on travel and stopping patterns.

While the tactic has limitations, these are relatively easily overcome, particularly for those who are already close to their targets such as domestic abusers or anyone nearby at a wifi-enabled coffeeshop or a protest. Disabling it is difficult without the cooperation of the advertising networks to either detect and block such targeted attacks or adopt encryption to protect unique phone identifiers from interception.

For individuals, the choices are to move to premium versions of apps that don't carry advertising, be more selective about the apps they install and run, and learn to think of apps as two-way mirrors: if you can see them, they can see you.
Writer: Andy Greenberg
Publication: Wired
Publication date: 2017-10-18