Your phone is an incredibly powerful tool, and not just in your hands: practically anyone can use the same channels that advertisers use to place localized ads to figure out not only where you are at any given time but also what sites and apps you’re using, all for as little as $1,000.
In order to help raise concerns about the privacy issues connected to technology, a team of researchers from the University of Washington in Seattle has shown in a new paper how easy it is for someone to exploit the current online advertising infrastructure to potentially devious ends.
The researchers found that anyone looking to purchase ads for mobile apps can access, through advertising service providers, the mobile advertising identification (MAID) attached to any particular mobile phone and, by buying up local ads through that service, can essentially track a person’s movements and learn where and when certain apps have been opened on that phone.
The ease with which such personal information was gained (by paying $1,000 for the hyper-localized ads) was a revelation to the new study’s authors, researchers with the Paul G. Allen School of Computer Science & Engineering at the University of Washington.
“To be very honest, I was shocked at how effective this was,” said co-author Tadayoshi Kohno in a press release. “There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision. It is important to understand both the benefits and risks with technologies.”
The team found that they could use targeted ads to uncover when a person was using a specific application, including apps that may potentially have negative or controversial ramifications for an individual. For example, the researchers were able to count the number of users of Grindr, a gay online dating app, at a particular address, or the number of users of Quran Reciters, a religious app.
An increasingly wired world of gadgets is also a greater privacy threat, say cybersecurity experts. Last year at the University of Toronto, researchers looked at eight different versions of fitness trackers and found that, in addition to some sending medical information such as heart rate and movement data across the Internet without encryption, devices such as the Fitbit and Garmin Vivoactive Smartwatch can be tracked through their Bluetooth IDs, which the majority of devices do not make private.
The University of Washington researchers say that more emphasis needs to be placed on gauging the potential security threats posed by emerging technologies. “Given the potential privacy implications of advertising-based intelligence, its capabilities, and its ease of use by low-budget adversaries, we encourage additional research discussions around ad intelligence, not just within the computer security community, but within the policy and regulatory communities as well,” say the study’s authors.
The new research is to be presented at the October 30th meeting of the Association for Computing Machinery in Dallas, Texas.