A team of academics conducted an experiment to find out if someone “with devious intent” could use mobile ads to find out where someone might go for coffee, for example, or when they left their house.
With numerous surveys already showing widespread consumer concern about how their personal data is used, the results of the study are likely to add a worrying extra dimension to the ongoing debate about privacy in the digital age.
“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behaviour,” said Paul Vines, lead author of the report.
“We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them,” added co-author Franzi Roesner.
For their study, the research team tested ads on ten different apps installed on Android devices and, by serving ads to the apps, could find out what apps the user had installed.
According to the report: “That could potentially divulge information about the person’s interests, dating habits, religious affiliations, health conditions, political leanings and other potentially sensitive or private information.”
The University of Washington researchers further discovered that, under certain circumstances, an ad served to a particular location would tell them of the user’s arrival within just ten minutes.
So, by setting up a grid of these location-based ads, an “adversary” could track a mobile device user if he or she had opened an app and remained in a location long enough for an ad to be served.
Furthermore, the individual didn’t have to click or engage with the ad because the ad buyer could see where ads were being served and use that information to track the target. The research team found they were able to pinpoint a person’s location within about eight metres.
“To be very honest, I was shocked at how effective this was,” said co-author Tadayoshi Kohno. “There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision.”
More details about the research will be presented in a paper at a privacy workshop organised by the Association for Computer Machinery at the end of this month.
Sourced from University of Washington; additional content by WARC staff