Privacy concerns have long swirled around how much information online advertising networks collect about people’s browsing, buying and social media habits, typically to sell you something.
But could someone use mobile advertising to learn where you go for coffee? Could a burglar establish a sham company and send ads to your phone to learn when you leave the house? Could a suspicious employer see if you’re using shopping apps on work time?
The answer is yes, at least in theory. New , to be presented in a Oct. 30 at the Association for Computing Machinery’s , suggests that for roughly $1,000, someone with devious intent can purchase and target online advertising in ways that allow them to track the location of other individuals and learn what apps they are using.
“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behavior,” said lead author a recent doctoral graduate in the UW’s Paul G. Allen School of Computer Science & Engineering.
The research team set out to test whether an adversary could exploit the existing online advertising infrastructure for personal surveillance and, if so, raise industry awareness about the threat.
“Because it was so easy to do what we did, we believe this is an issue that the online advertising industry needs to be thinking about,” said co-author , co-director of the and an assistant professor in the Allen School. “We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them.”
The researchers discovered that an individual ad purchaser can, under certain circumstances, see when a person visits a predetermined sensitive location (a suspected rendezvous spot for an affair, the office of a company that a venture capitalist might be interested in or a hospital where someone might be receiving treatment) within 10 minutes of that person’s arrival. They were also able to track a person’s movements across the city during a morning commute by serving location-based ads to the target’s phone.
The team also discovered that individuals who purchase the ads could see what types of apps their target was using. That could potentially divulge information about the person’s interests, dating habits, religious affiliations, health conditions, political leanings and other potentially sensitive or private information.
Someone who wants to surveil a person’s movements first needs to learn the (MAID) for the target’s mobile phone. These unique identifiers that help marketers serve ads tailored to a person’s interests are sent to the advertiser and a number of other parties whenever a person clicks on a mobile ad. A person’s MAID also could be obtained by eavesdropping on an unsecured wireless network the person is using or by gaining temporary access to his or her WiFi router.
The UW team demonstrated that customers of advertising services can purchase a number of hyperlocal ads through that service, which will only be served to that particular phone when its owner opens an app in a particular spot. By setting up a grid of these location-based ads, the adversary can track the target’s movements if he or she has opened an app and remains in a location long enough for an ad to be served, typically about four minutes, the team found.
Importantly, the target does not have to click on or engage with the ad: the purchaser can see where ads are being served and use that information to track the target through space. In the team’s experiments, they were able to pinpoint a person’s location within about 8 meters.
“To be very honest, I was shocked at how effective this was,” said co-author , an Allen School professor who has studied security vulnerabilities in products ranging from automobiles to medical devices. “We did this research to better understand the privacy risks with online advertising. There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision. It is important to understand both the benefits and risks with technologies.”
An individual could potentially disrupt the simple types of location-based attacks that the UW team demonstrated by frequently resetting the mobile advertising IDs in their phones, a feature that many smartphones now offer. Disabling location tracking within individual app settings could help, the researchers said, but advertisers still may be capable of harvesting location data in other ways.
On the industry side, mobile and online advertisers could help thwart these types of attacks by rejecting ad buys that target only a small number of devices or individuals, the researchers said. They also could develop and deploy machine learning tools to distinguish between normal advertising patterns and suspicious advertising behavior that looks more like personal surveillance.
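A sketch of the first mitigation above, written as an added example and not taken from the researchers or any ad network: a review step that rejects ad buys whose targeted audience is below a floor, and escalates when one small audience is paired with many distinct geofences. The record layout, advertiser names, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict

MIN_AUDIENCE = 1000   # hypothetical policy floor on targeted devices per ad
MAX_GEOFENCES = 20    # hypothetical cap on geofences tied to one small audience

# Constructed sample ad buys: (advertiser, ad_id, targeted MAIDs, geofence or None).
# A geofence is (latitude, longitude, radius in meters).
AD_BUYS = [
    ("acme-retail", "a1", {f"maid-{i:04d}" for i in range(5000)}, None),
    ("acme-retail", "a2", {f"maid-{i:04d}" for i in range(2500, 9000)},
     (47.61, -122.33, 500)),
    ("cafe-local", "c1", {f"maid-{i:04d}" for i in range(300)},
     (47.65, -122.31, 200)),
]
# One advertiser placing a 6x6 grid of 10 m geofenced ads at a single device.
AD_BUYS += [
    ("shell-co", f"g{n}", {"maid-0042"},
     (47.60 + 0.001 * (n // 6), -122.30 + 0.001 * (n % 6), 10))
    for n in range(36)
]


def review_ad_buys(ad_buys, min_audience=MIN_AUDIENCE, max_geofences=MAX_GEOFENCES):
    """Return {ad_id: 'accept' | 'reject' | 'reject-and-escalate'}."""
    # Pass 1: for every small audience, collect the distinct geofences that
    # the same advertiser has attached to it across all of its ads.
    fences = defaultdict(set)
    for advertiser, _ad_id, maids, fence in ad_buys:
        if fence is not None and len(maids) < min_audience:
            fences[(advertiser, frozenset(maids))].add(fence)

    # Pass 2: decide per ad. Judging each ad alone would only see 36 tiny
    # buys; the aggregate shows one audience covered by a location grid.
    decisions = {}
    for advertiser, ad_id, maids, _fence in ad_buys:
        if len(maids) >= min_audience:
            decisions[ad_id] = "accept"
        elif len(fences[(advertiser, frozenset(maids))]) > max_geofences:
            decisions[ad_id] = "reject-and-escalate"
        else:
            decisions[ad_id] = "reject"
    return decisions


if __name__ == "__main__":
    for ad_id, decision in sorted(review_ad_buys(AD_BUYS).items()):
        print(ad_id, decision)
```

A size floor also turns away legitimate small local campaigns such as the constructed `cafe-local` buy, so a real policy would need a review path for them.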
The UW Security and Privacy Research Lab is a leader in evaluating potential security threats in emerging technologies, including telematics in automobiles, web browsers, DNA sequencing software and augmented reality, before they can be exploited by bad actors.
Next steps for the team include working with experts at the UW’s to explore the legal and policy questions raised by this new form of potential intelligence gathering.
The research was funded by The National Science Foundation, The Tech Policy Lab and the Short-Dooley Professorship.
For more information, contact the research team at adint@cs.washington.edu.
Grant number: NSF: CNS-1463968