
Grindr and OKCupid Sell Your Data, but Twitter’s MoPub Is the Real Problem - jrepinc
https://www.eff.org/deeplinks/2020/01/grindr-and-okcupid-sell-your-data-twitters-mopub-real-problem
======
dreamcompiler
One more time, what mobile phone owners need is an intermediary layer in the
mobile OS where they can either manually or programmatically (via e.g. a
random number generator) _lie_ to higher-level application layers about the
phone's data. It's not enough to just turn off permission to access this data
(because then the apps will often just refuse to work); it's essential to be
able to lie to these apps in a way that they cannot tell the data is fake.
This is a perfect opportunity to build weaponized AI that acts on behalf of
users against adtech.

~~~
badrabbit
Think of these apps as malware,after all they are hostile. In dynamic malware
analysis, virtualized and emulated environments are used to run malware
samples to analyze their behavior. It's like a tom and jerry cat and mouse
game with the jerry always winning (like the show!).

It's trivial to detect virtualized environments , not only that, the samples
can afford to be patient and meticulous,and test themselves against existing
analysis methods before deployment. That's why real hardware is the best place
to study malware.

Your disadvantage here is that fingerprinting is a game of accuracy, where the
adversary gains accuracy at basically a logarithmic(or geometric?) scale for
every additional data point they have about your device, sometimes they only
need one data point,such as a shared file system,let me explain: most apps
need storage access right? Like you want them to read existing files or write
files to be accesses by other apps. App1 writes a file with a random name or
random content, app2 through appN in their affiliate network check that
location/file for the random value to track your device. The apps in this
network all collect various data points about you, let's say one app gets your
real name and address (payment and shipping),now all the apps know those two
things about you. Now they all know your zipcode and can infer things about
you based on that,your last name,etc...and even do background check like
lookups to know your past addresses aquaintances, cars you've driven,court
cases and so much more. Now let's say one of these apps needs to send you text
before it can function(most popular apps these days) , now all of them know
your phone,can get a ton of info about you,who else has you as contacts and
they can infer even more about if at least one of the people they track has
your number as contact and they basically opened up their lives to all apps.

You can add all the layers of abstraction you want. Apps need to talk to each
other and external sites/services need to reach you at a predictabl address
(including physical address and such). And even if what you said was
effective, it's incredibly hard to achieve without the user being very
cooperative towards their own privacy preservation, and evem then ,like I said
above, if anyone you have as contact reaches you using a predictable address,
a lot can be constructed about solely based on their choices.

My solution is legal. Make it a crime and start throwing people in prison. If
someone violates your consent to stalk you or creates public opportunities of
business or employment where consenting to stalking is a requirement, make it
a felony. And make privacy a core right for peoples of any society that calls
itself free.

Unlike with malware authors, we can easily find the execs behind stalkerware
and we can make them take responsibility (assuming people want liberty and
democracy more than political theatrics).

~~~
novok
Doesn't apple with it's ever tightening restrictions of what data you can ask
for, like no more MAC address, no more device UUID other than an apple
provided "ad id" that can be reset, along with 2 bits you store with apple,
aggressive always on location nag alerts, etc also accomplish something
similar bit by bit?

~~~
Nextgrid
Facebook is still in the store. Instagram is still in the store. Grindr (the
app in the article) is still in the store.

Facebook Messenger actually has a nasty dark pattern where they will display a
_fake_ pixel-perfect copy of a permission prompt where the only way to get
through is to tap Allow, and when you do they call the _real_ prompt (since
it's pixel-perfect you can't tell the difference besides the short animation
when it appears) and hope you also click Allow on the real one. If _this_ is
allowed then it's a lost cause.

Apple is doing fuck all about privacy on the App Store.

~~~
o-__-o
Brb going to test this wild claim

Edit: nope.

~~~
Nextgrid
Nope as in they don't do it anymore? I'd be very curious to see what's the
onboarding flow now.

------
widespace
Disclaimer: I used to work in this industry for about 4 years at various DSPs.
I've worked with Grindr as a client and bought a lot of Mopub inventory and
met with their employees several times.

DSPs get access to around 84 data points from the various SSPs that they work
with. This ranges from information around age, sex, city geolocation and what
apps are currently installed on your phone. It's scary to see just how
effective these 84 data points are in predicting user's likelihood to commit
certain actions.

My friends that are still in the industry are quite confident that Apple will
depreciate the IDFA in the coming year to fit more with their 'privacy that's
iPhone' stance. This will greatly reduce the ability for DSPs to target users
and all performance marketing on iPhones will be reduced to branding ads, that
have very little targeting.

As a consumer, I'm very happy with these changes and hope Google will follow
suit with the GAID. If you're using an iPhone I'd recommend to switch off your
IDFA in your privacy settings ("Limit Ad Tracking" toggle on). By doing this
DSPs will no longer be able to target you.

[https://foundation.mozilla.org/en/campaigns/privacy-thats-
ip...](https://foundation.mozilla.org/en/campaigns/privacy-thats-iphone-but-
is-it/)

~~~
dirtydroog
Odd, I've worked for a DSP for years too. These data points you talk about are
rarely all there. 99% of the OpenRTB spec is optional fields. I also never
seen a bid request that listed other apps on the phone - calling bullshit on
this one.

LMT does not hide your IDFA. You can reset it fine, but it's always there.

Also, hell hath no fury like a brand-safety conscious advertiser whose ad
appears next to dick pics on Grindr.

~~~
spbaar
Do you know why a request wouldn't contain a list of all the other apps on
your phone? Seems like a foolproof way to fingerprint a device.

~~~
dirtydroog
You don't have to fingerprint if you have the IDFA. But I suppose the main
reason is that that info is too intrusive and may be of limited use.

------
sebleon
To be clear, it sounds like MoPub/Grindr/OKCupid aren't selling people's data.
Instead, they reveal personal information (for free?) to hundreds of
advertising networks when hosting auctions for ad inventory.

That would mean that after getting approved as an ad-network on MoPub, you can
get all 1.5B users' data for free, just by participating in the auction
(without even having to win and spending money in auctions).

Does anyone on HN happen to have a sample bid request from MoPub that
demonstrates the actual data that's made available to ad networks (DSPs)?

~~~
hopfog
At my previous job we had a dormant bid server hooked up to MoPub for months,
receiving hundreds of bid requests a second that we just dropped or replied
"no bid" to.

~~~
dirtydroog
Only hundreds / sec? Amateurs!

------
mhils
It would be fantastic if policymakers could enforce traffic transparency for
mobile apps. I would love to just take my phone and see what is being
transmitted, but of course Android doesn't trust user-added Certificate
Authoritites for app traffic.

Being able to see one's own traffic doesn't magically fix things, but giving
average folks the ability to just inspect their traffic and write blog posts
about it would at least improve the current situation, without requiring major
technical changes.

~~~
SXX
Actually android is perfectly fine with you doing MiTM on your own traffic. If
you had issues with it then it's mean app developers intentionally implemented
certificate pinning to stop you from doing it. Yet Google / Android have
nothing to do with it.

~~~
0x0
No, recent androids will ignore user-installed CAs for app traffic except for
apps compiled in debug mode opting in to mitm: [https://android-
developers.googleblog.com/2016/07/changes-to...](https://android-
developers.googleblog.com/2016/07/changes-to-trusted-certificate.html)

~~~
SXX
Are you sure this wasn't reverted? I'm successfully used mitmproxy many times
to debug all kind of Android apps and only money-related one usually caused
issues.

Another possibility is that work differently in LineageOS and this it's always
worked for me.

------
ta3242341112322
Yes, lets talk about bandaids when we should be talking about the elephant in
the room. That'll help.

The whole economy of IT thriving off surveillance and cheap tricks is
sickening. I went into this field to try and help the flow of information, to
try and address the likes of Murdoch; turns out we're a shitty species that
shouldn't propogate.

~~~
hetspookjee
While it's reasonable to think cynically about the situation and conjure a
blanket statement like: All people are bad, I remind myself to proof it wrong
by doing something good myself. Thus at least one person does not suck and
hope is restored.

~~~
eeZah7Ux
That's far from enough. Extremely far.

------
thisrod
Interesting. I've always been suspicious about Grindr, because there is no
apparent reason for it to transmit so much data.

On the other hand, the ads I see there are poorly targeted. Either it's really
obvious, reminding gay men that they still make KY Jelly and so on, or I'm
surprised that anyone thought to make that stuff and that anyone buys it. This
high-tech ad market doesn't seem to work very well.

------
bilekas
Is there much merrit here for action on a VPN for the phone, instead of
actualy tyring to fight against the OS' iOS & Android etc, to bottle neck all
traffic through VPN and filter out everything.. Even depending on the Android
to allow self signed certs is too risky as they can flip descisions on a
whim..

I know it's not the best solution as it requires some loe from the user but I
have this configured and its just worth it. Because waiting on the vendors to
clean up their act is futile given how much money is being made..

------
dirtydroog
There is one OS out there that would have stopped this... Symbian. It was
locked down everywhere. It was also a bitch to develop for, but hey ho. The
source code is out there somewhere.

------
stilisstuk
Well. We kind of knew this. It's the reason I try very hard to use either
webapps or only f-droid. And you can say least rotate your add Id on Android.
But it shouldn't be like this. It's very clear that phone manufactures are
user hostile. There is no benefit here (maybe an edge case in support and
payed apps)

------
blackrock
This is just another case of companies behaving badly.

The public is going to get fed up with their antics, and they are going to
vote in politicians that will drop the policy hammer on these companies’
heads.

Like they say: This is why you can’t have nice things.

------
xfactor973
Is there a list of mopub apps so I can delete them?

~~~
Daktest
You would be hard-pressed to find a list anywhere. That being said, MoPub is a
significant player in the AdTech market – you'll most likely find that they're
integrated with most major apps that have in-app advertising. The only
foolproof way is to really delete any apps that serve you ads.

------
alharith
IIRC correctly, MoPub is a white-labeled version of Apache Druid.

~~~
directionless
No. MoPub is an entity in AdTech. Druid is an analytics platform

~~~
alharith
Ok well then the people I worked on an engagement with at an enterprise
offering of Druid flat out lied to my face then. Good to know.

------
excalibur
> Twitter’s suspension of Grindr’s ad account pending “investigation” is an
> attempt to deflect blame, and lawmakers shouldn’t be fooled.

Actually being fooled by special interest propaganda into enacting legislation
that benefits said interest at the public expense is the definition of a
lawmaker.

