
It Takes Just $1k to Track Someone's Location with Mobile Ads - AndrewDucker
https://www.wired.com/story/track-location-with-mobile-ads-1000-dollars-study
======
matt_wulfeck
Ads are not the main privacy issue any longer, since there’s client-side
protection against them.

Now the issue is your ISP getting into the marketing/data-monger business,
since they have the keys to your privacy kingdom and are becoming increasingly
desperate for profits.

[https://www.google.com/amp/s/www.forbes.com/sites/thomasbrew...](https://www.google.com/amp/s/www.forbes.com/sites/thomasbrewster/2017/03/30/fcc-privacy-rules-how-isps-will-actually-sell-your-data/amp/)

~~~
JoshMnem
I don't think that there is much client-side protection against ads on mobile
devices (outside of Firefox's browsers), at least on Android.

~~~
nacs
iOS has a bunch of apps that do ad-blocking in the App Store. It works well in
Safari.

~~~
vosper
Mozilla Focus does this - you don't have to use the Focus browser, just enable
it as a content blocker for Safari. Works great.

------
soared
Very interesting article, but there is an easy fix unlike the article claims.
Many platforms (like Facebook) won't allow you to use a data pool if there are
fewer than 1000 users. I wasn't aware you could target specific device IDs just
by knowing a single ID, but that seems like an obvious flaw in the system.

If DSPs/exchanges just required 1k or 500 users to be in a retargeting pool (or
list of device IDs) then this problem would be solved.

As for knowing how many users use a specific app in a location, that is an
extremely fuzzy number and I doubt the accuracy of it. Almost no exchanges
show you how many auctions you lost, so just finding out how many uniques you
served to is flawed and much smaller than the real number.

> "This is so easy and it's industry-wide," says Tadayoshi Kohno

Maybe across the spying/intelligence industry, but advertisers don't care
about individuals at all. This is an interesting experiment, but most
platforms don't enable this type of tracking and no advertiser would ever
need/want to do it.

~~~
PotatoEngineer
If the advertisers can see the MAID for each ad impression, then there's no
need to be too specific about who you target - it'll just cost you more. On
the other hand, if the advertiser doesn't get to see the MAID-per-impression,
then the easy solution is to supply your one target MAID, plus another 999
bogus MAIDs (or, if the platform verifies that MAIDs are accurate before
allowing you to use them, then you use 999 MAIDs from Liberia or some other
country that your target won't visit).

~~~
soared
Agreed, the platform would need some verification that you aren't skirting the
rules.
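
The check the two comments above converge on, as an added illustration that is not code from any real ad platform: an audience list is admitted only if enough of its identifiers are devices the exchange has itself served recently, and, beyond the thread's own suggestion, only if those devices can actually match the campaign's geo target. The threshold, the impression log, the region codes and the MAID values are all constructed.

```python
"""Admission check for a retargeting audience list (constructed example)."""
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_ELIGIBLE_POOL = 1000                  # constructed threshold; the thread suggests 500-1000
VERIFICATION_WINDOW = timedelta(days=30)  # constructed: how recently the exchange must have seen a device


@dataclass(frozen=True)
class Impression:
    """One ad impression the exchange itself served (constructed record shape)."""
    maid: str
    region: str        # coarse region the exchange observed for that impression
    seen_at: datetime


@dataclass(frozen=True)
class Decision:
    accepted: bool
    submitted: int     # distinct MAIDs in the uploaded list
    verified: int      # of those, devices the exchange has actually served recently
    eligible: int      # of those, devices that can match the campaign's geo target
    reason: str


def build_device_index(impressions, now):
    """Map MAID -> set of regions the exchange saw it in during the window."""
    cutoff = now - VERIFICATION_WINDOW
    index = {}
    for imp in impressions:
        if imp.seen_at >= cutoff:
            index.setdefault(imp.maid, set()).add(imp.region)
    return index


def check_audience(maids, target_regions, device_index, minimum=MIN_ELIGIBLE_POOL):
    """Admit a list only if enough *eligible* devices are in it.

    Counting submitted IDs is not enough: a list can be padded with made-up IDs,
    or with real devices the geo target will never reach, so that a single
    device is the only one that can ever match. Both paddings are rejected here.
    """
    submitted = set(maids)
    verified = {m for m in submitted if m in device_index}
    targets = set(target_regions)
    eligible = {m for m in verified if device_index[m] & targets}
    if len(eligible) >= minimum:
        return Decision(True, len(submitted), len(verified), len(eligible), "ok")
    if len(verified) < minimum:
        reason = "too few verified devices (list padded with unseen IDs?)"
    else:
        reason = "too few devices can match the geo target (list padded out of region?)"
    return Decision(False, len(submitted), len(verified), len(eligible), reason)


def _fake_maid(n):
    """Constructed, deterministic stand-in for an advertising identifier."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"example-device-{n}"))


NOW = datetime(2017, 10, 20, tzinfo=timezone.utc)  # constructed clock

# Constructed impression log: 1,200 devices served in REGION-A within the window,
# plus 1,000 other devices served in REGION-B.
IMPRESSION_LOG = (
    [Impression(_fake_maid(i), "REGION-A", NOW - timedelta(days=i % 20)) for i in range(1200)]
    + [Impression(_fake_maid(5000 + i), "REGION-B", NOW - timedelta(days=1)) for i in range(1000)]
)
DEVICE_INDEX = build_device_index(IMPRESSION_LOG, NOW)


def scenario_honest():
    """A genuine pool of 1,200 recently seen devices in the target region."""
    return check_audience([_fake_maid(i) for i in range(1200)], ["REGION-A"], DEVICE_INDEX)


def scenario_padded_with_unseen_ids():
    """One real device plus 999 IDs the exchange has never served."""
    maids = [_fake_maid(0)] + [_fake_maid(90000 + i) for i in range(999)]
    return check_audience(maids, ["REGION-A"], DEVICE_INDEX)


def scenario_padded_out_of_region():
    """One real device plus 999 real devices the geo target can never reach."""
    maids = [_fake_maid(0)] + [_fake_maid(5000 + i) for i in range(999)]
    return check_audience(maids, ["REGION-A"], DEVICE_INDEX)


if __name__ == "__main__":
    for scenario in (scenario_honest, scenario_padded_with_unseen_ids, scenario_padded_out_of_region):
        print(f"{scenario.__name__}: {scenario()}")
```

The point of counting eligible rather than submitted devices is that the threshold is meant to guarantee a minimum crowd among the people who could see the ad; a list that is large on paper but reaches one device in the targeted area gives the same single-person targeting the threshold was supposed to prevent.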

------
philipn
It's worth noting that this technique only works if the target user is using a
mobile app (not web) that's been granted persistent location sharing
permissions. The app also has to support one of the ad networks allowing the
targeting they used in the paper. They tested this with the Talkaphone app,
which requires (not requests) persistent location sharing.

I'm not sure, but iOS's anti-ad tracking function(s) may have an effect as
well ([https://support.apple.com/en-us/HT202074](https://support.apple.com/en-us/HT202074))

~~~
dx034
Exactly, deactivating location sharing for apps that don't need it will help a
lot. Wi-Fi networks can still be located but tracking over the mobile network won't really
work. At least in London, IP geolocation of phone networks results in a large
radius, too large for anything but long-distance travel.

And then you can (and should) obviously still use a VPN. The ad network can
know it's a VPN and not necessarily present it as a location but they won't be
able to guess your real one.

------
nobodyorother
Is this an inevitable consequence of our society, or is there a way to
actually do marketing ethically? What negative feedback loops actually apply
strongly and over the long term to this behavior and creating these sorts of
systems?

This is a pretty horrifying society we've built.

~~~
user5994461
It's a consequence of northern America.

Did you know that other countries don't allow ISPs to do that?

~~~
djrogers
This has nothing to do with your ISP - it’s phone apps that are sending
location information to advertisers.

~~~
dx034
If they can. IP tracking doesn't work well in cities and you don't need to
give Facebook (and others) location access. The only apps that need it are
navigation and ridesharing and they only need it while you use the app.

------
setra
How are they targeting location at such a high resolution? IP targeting is
usually only accurate at the whole city level. In this they show tracking
across a bus path. That would require GPS. What am I missing?

~~~
bagacrap
Ad networks allow advertisers to target based on fine-grained location which
is presumably matched against the location reported by the phone's location
services. That is, an app with GPS privileges displays a geo-targeted ad, then
that display is reported to the advertiser. So yes, this is using GPS after a
fashion.

~~~
Ajedi32
So this has nothing to do with browsers or ISPs; it's a result of apps with
GPS permissions transmitting that information to advertisers without the
user's consent?

~~~
FridgeSeal
And/or users handing over consent for the app (and included ad-tech) to use
GPS data without thinking through/caring enough about the consequences.
Additionally, predatory apps that demand certain permissions to work can
function to force the user to give up GPS data.

~~~
Ajedi32
Maybe after the user declines a permission and the app prompts again, there
should be a checkbox on the permissions prompt that makes Android pretend the
permission was granted and just spoofs the relevant data.

------
482794793792894
Ad-blocker for Android:
[https://f-droid.org/app/org.jak_linux.dns66](https://f-droid.org/app/org.jak_linux.dns66)

~~~
Multicomp
I second this, it blocks a surprising amount of ads without fuss or system
resource usage.
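
The host-based blocking that DNS66 and similar tools rely on comes down to reading a hosts-format blocklist and answering each DNS query against it. The following is an added example of that logic, not code from DNS66 or any other project: a parser for the hosts format, an allowlist, and a pass over a constructed DNS query log. The blocklist text, the allowlist entries and the log lines are all constructed; matching parent domains is this example's own choice (a plain hosts file only matches names exactly), and `match_subdomains` is a parameter invented here.

```python
"""Hosts-format blocklist matching over a DNS query log (constructed example)."""

# Constructed hosts-format blocklist, in the shape such blockers consume.
BLOCKLIST_TEXT = """\
# constructed blocklist: sink address followed by one or more hostnames
0.0.0.0 ads.example-adnetwork.test
0.0.0.0 tracker.example-adnetwork.test   # inline comment
127.0.0.1 telemetry.example-vendor.test
::1 ipv6-only.example-vendor.test
127.0.0.1 localhost
"""

# Constructed allowlist: names that must resolve even if a list covers them.
ALLOWLIST = frozenset({"cdn.example-adnetwork.test"})

# Names a stock hosts file maps to loopback that are not blocking entries.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}
_SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return the set of hostnames a hosts-format file sinkholes.

    Comments and blank lines are skipped, only lines whose address is a sink
    address count as blocking entries, and the loopback names every hosts file
    carries are not treated as blocked.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in _SINK_ADDRESSES:
            continue
        for host in parts[1:]:
            host = host.lower().rstrip(".")
            if host and host not in _LOCAL_NAMES:
                blocked.add(host)
    return blocked


def is_blocked(name, blocked, allowlist=frozenset(), match_subdomains=True):
    """True if the queried name (or, optionally, any parent domain) is listed.

    The allowlist wins over the blocklist. With match_subdomains=False the
    behaviour is that of a plain hosts file: exact name only.
    """
    name = name.lower().rstrip(".")
    if name in allowlist:
        return False
    labels = name.split(".")
    if match_subdomains:
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
    else:
        candidates = [name]
    return any(c in blocked for c in candidates)


# Constructed query log: timestamp, query type, queried name.
QUERY_LOG = """\
2017-10-20T10:00:01Z A ads.example-adnetwork.test
2017-10-20T10:00:02Z A img.ads.example-adnetwork.test
2017-10-20T10:00:03Z A cdn.example-adnetwork.test
2017-10-20T10:00:04Z AAAA ipv6-only.example-vendor.test
2017-10-20T10:00:05Z A www.example.test
2017-10-20T10:00:06Z A localhost
"""


def triage_log(log_text, blocked, allowlist=frozenset()):
    """Classify each query-log line as ('name', 'blocked'|'allowed')."""
    results = []
    for line in log_text.splitlines():
        _timestamp, _qtype, name = line.split()
        verdict = "blocked" if is_blocked(name, blocked, allowlist) else "allowed"
        results.append((name, verdict))
    return results


def blocked_names(log_text=QUERY_LOG):
    """Names in the log that the blocklist (minus the allowlist) would sinkhole."""
    blocked = parse_hosts(BLOCKLIST_TEXT)
    return [name for name, verdict in triage_log(log_text, blocked, ALLOWLIST) if verdict == "blocked"]


if __name__ == "__main__":
    for name, verdict in triage_log(QUERY_LOG, parse_hosts(BLOCKLIST_TEXT), ALLOWLIST):
        print(f"{verdict:8} {name}")
```

Two details matter in practice and are handled above: a hosts file always carries loopback entries such as `localhost`, which must not become blocking rules, and an allowlist needs to take precedence so that a too-broad list does not break a site that happens to share a domain with an ad host.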

------
brokentone
The article / study only seemed to consider specific ad buys through very
particular conditions -- particular app / ad network and waiting till targets
showed up in a geofence.

It seems that an even simpler method would be basic retargeting. You can buy
traffic individually, either by watching the requests back to your origin and
locating IPs, or any location data coming back from basic DMPs; it would seem
this could be done.

~~~
abalone
No, IP geolocation is vastly less precise than this attack. This has a
resolution of 25ft.

------
jaryd
Here's a link to the actual research paper that the article summarizes:
[https://adint.cs.washington.edu/ADINT.pdf](https://adint.cs.washington.edu/ADINT.pdf)

------
lucb1e
That missing comma in the title made me think it was $10 000 instead of $1
000. I was unhappily surprised when reading the article. Could we edit that
back in?

------
djrogers
This is just one reason I don't grant random apps access to my location.
Unless there's an obvious reason an app needs to know where I am, or a non-
obvious reason is explained before I'm prompted (for example my bank recently
added the ability to use my phone location to help detect credit card fraud),
then you don't get my location.

~~~
tspike
Keep in mind providing access to photos does the same via geotagging.

~~~
djrogers
No, that’s a different thing from what the article is talking about. If you’re
aware of an ad provider using geotag info to send real-time location data to
its advertisers then you should probably write that up somewhere.

------
bagacrap
The part that surprises me is the unique identifier for the ad recipient
(MAID) being reported to the advertiser. What is the legitimate business
purpose of this and is it really a common feature of all ad platforms?

~~~
abalone
This is addressed in detail in the article.

> _the researchers suggest a variety of ways to obtain that MAID, including
placing an "active-content" ad that uses javascript to pull the MAID from a
phone at a certain location... MAIDs can also be intercepted by someone on the
same Wi-Fi network as the target phone._

> _"It’s not a particularly high bar to entry for a very, very highly
targeted attack," says Adam Lee... A domestic abuser could, for instance,
obtain a spouse's MAID... or a co-worker could do the same in the office... Or
an ad buyer could use active-content ads to gather the MAIDs of the people at
a specific location, like a protest, or users of a potentially sensitive app
like gay-dating apps or religious apps..._

~~~
dx034
You talk about illegitimate purposes, not legitimate.

I guess they're intended to show ads multiple times to a user. Ads often only
work if you've seen them often enough. A Coke ad once will not change your
behaviour but seeing it three times a day over a week could.

------
hedora
Has anyone set up an always on phone VPN + host-based blocking? That would
help a lot with this.

Also, has anyone carefully looked into the recent changes Apple made to mobile
ad identifiers/etc in iOS 11?

~~~
jstanley
It's surprisingly easy to set up an always-on phone VPN.

Get a VPS, install OpenVPN on it, install "OpenVPN for Android" on your phone,
and click through the settings.

DigitalOcean have a good writeup of the VPS side of things:
[https://www.digitalocean.com/community/tutorials/how-to-set-...](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04)

~~~
xur17
I'm curious what the battery life impact of running this 24/7 is.

~~~
cisanti
On Android with the OpenVPN app it's bad... Maybe the native VPN support has
better battery life, or I need to fiddle more with the OpenVPN app settings.

------
anigbrowl
How well would this work with ads targeted through popular platforms like FB
and Twitter, I wonder?

------
dsfyu404ed
Not surprising but deserving of more mainstream attention nonetheless.

