Hacker News new | past | comments | ask | show | jobs | submit login
It Takes Just $1k to Track Someone's Location with Mobile Ads (wired.com)
292 points by AndrewDucker on Oct 18, 2017 | hide | past | web | favorite | 102 comments

Ads are not the main privacy issue any longer, since there’s client-side protection against them.

Now the issue is your ISP getting into the marketing/data-monger business, since they have the keys to your privacy kingdom and are becoming increasingly desperate for profits.


It's ironic that your citation is a Google AMP link... Not only does the AMP-proxy situation further disenfranchise the ISPs, it also funnels all that value to Google.

> Ads are not the main privacy issue any longer, since there’s client-side protection against them.

False. There is client-side protection in some browsers now, but this attack exploits native apps that submit precise geolocation when requesting location-targeted ads. It demonstrates how to essentially reverse engineer that precise location with a matrix of ads crafted for this purpose.

There's very real client-side protection: Do not have sleazy, add-supported apps installed, and - for what it's worth - keep your GPS and location services turned off except when explicitly needed.

It’s not clear if you believe all ad-supported apps are sleazy or if you think it’s clear to users when apps use precise geotargeted ads. Either way that doesn’t constitute “very real client-side protection” anymore than expecting folks to regularly disable basic functionality.

Better yet, don't use a smartphone when you care about your location being tracked.

Well, sure. If I'm ever going to go murder someone, I'll try to remember to leave it at home.

But I care some about it being tracked even when I'm not doing anything bad.

Well, OPSEC isn't all or nothing. And there's lots of other good advice.

There is a bit of an arms race between get a few $/c extra CPM by spoofing the geo location (the app needs to ask for this, and have reason to from App Store perspective, so not always available), and the data aggregators detecting said spoofing (all clients having the same geo / patterns in geo etc).

Reverse engineering will get you a PoC, but you can buy the cleansed data fairly easily (apparently..)

My phone (Android/LineageOS) blocks native ads too. There's adaway that does this nicely. Client-side protection exists.

The claim was not merely that client-side protection "exists." It was that ads are not a privacy issue any longer, implying a ubiquitous native solution, which is false.

It's great that some OSes are trying to solve it system-wide but host blocking isn't viable as ubiquitous protection against this attack. It would just break all ads all the time, which ultimately would make the platform untenable for ad-based apps. What you want is something like the machine-learning Intelligent Tracking Prevention that Safari just rolled out, but applied to native apps. That is non-trivial.

"It would just break all ads all the time"

Sounds like a feature not a bug.

Anyways I'm sure tech savvy folks who care about privacy and hate ads already have all the basic angles covered. I know I do!

also DNS66 helps

I don't think that there is much client-side protection against ads on mobile devices (outside of Firefox's browsers), at least on Android.

Firefox Focus is solving such a pain point for me. Browsing the web on mobile feels like 2002 desktop with all the flashing, scrolling, pop overs. It's a nightmare. The companies that rely on ads for revenue took the thing that made adblockers so commonplace and did it on mobile.

"anything on a unrooted mobile feels like 2002 desktop with all the flashing, scrolling, pop overs. It's a nightmare."

fixed it for you.

Stock rom without root was pretty decent for me. No ads at all. However, I only use free software apps mostly from F-Droid (and uBlock Origin takes care of the web). I knew that this was putting myself in a bubble, but I had not realized that the experience of using a phone for a lot of people must be that annoying. What a shame. Computers should serve humans, not the other way round!

I discovered Google Play's App Store on someone else's phone, that was painful and stressful. But what you are describing seems hellish.

I used to root the devices I got. Relying on CM supporting my device or totally breaking carrier updates got old though. I switched to Google Fi and am using a Nexus 6P (Android 8) and it's really nice.

I wanted to get a PCAP from an app a few nights ago, I was surprised it was possible without root. Now there are apps that can act as a VPN to sniff traffic. Having the most up to date firmware and Google Fi's international rates are worth giving up root to me.

It would be nice if they built in secure root access interface to Android though.

The main problem with rooting my phone is that a number of apps I use will stop working, including the de facto standard mobile payment app in my country.

If you rein in the notifications (ie. switch them all off), use Firefox with uBlock Origin (or Firefox Focus) and avoid using apps with obnoxious ads (or switch to the paid versions), Android as of 2017 is quite nice.

If you root your phone, you can modify the hosts file to blackhole any address you please. That will affect every part of the system that attempts to dial out to those addresses, including native apps.

On behalf of the Linux community, no need to thank us, you're welcome.

Adguard android app does full-device ad blocking including __native apps__ by setting up a local VPN. It's a proprietary app, and there are some open source alternatives such as MinMinGuard or DNS66, but the difference is that Adguard inserts their js into html, effectively running a browser extension.

iOS has a bunch of apps that do ad-blocking in the App store. It works well in Safari.

Mozilla Focus does this - you don't have to use the Focus browser, just enable it as a content blocker for Safari. Works great.

What percentage of users have client side protection active on mobile? I'm guessing it's currently very low.

Yeah, it's too bad that knowing the physical position of your customers is a technical requirement for the wireless ISP industry. That said, knowing their identity is not a technical requirement.

I wonder if it's feasible to construct an ISP that still must know where all it's customers are, but can't distinguish between them.

Networking and behavioral analysis will probably render such obfuscation useless for most subjects.

I think the whole “ISP data” issue is a red herring. Google, Facebook, etc already gather everything about you unless you go to extreme measures.

The only reason those tech companies are against ISP tracking is that it hurts their revenue model...significantly.

Don’t by in to the easy explanation - look at their motivations.

> Ads are not the main privacy issue any longer, since there’s client-side protection against them.

Not really, though, at least for ios. On android there are at least firefox + extensions, but there's nothing quite capable/available on ios at the moment.

What? There have been iOS ad blockers for ages, with official APIs and support since iOS 9.

Right, and none of them come close to a well-configured ublock install. I happen to use purify (after choosing it over others) and regularly see both ads and tracking network requests.

Very interesting article, but there is an easy fix unlike the article claims. Many platforms (like facebook) won't allow you to use a data pool if there is less than 1000 users. I wasn't aware you could target specific device ids just by knowing a single id, but that seems like an obvious flaw in the system.

If dsp/exchanges just required 1k or 500 users be in a retargeting pool (or list of device ids) then this problem would be solved.

As for knowing how many users use a specific app in a location, that is an extremely fuzzy number and I doubt the accuracy of it. Almost no exchanges show you how many auctions you lost, so just finding out how many uniques you served to is flawed and much smaller than the real number.

> "This is so easy and it's industry-wide," says Tadayoshi Kohno

Maybe across the spying/intelligence industry, but advertisers don't care about individuals at all. This is an interesting experiment, but most platforms don't enable this type of tracking and no advertiser would ever need/want to do it.

Regarding the pool size for facebook, it wasn’t always like this. The half amusing half creepy story here shows what it was like before the change was made :http://ghostinfluence.com/the-ultimate-retaliation-pranking-...

If the advertisers can see the MAID for each ad impression, then there's no need to be too specific about who you target - it'll just cost you more. On the other hand, if the advertiser doesn't get to see the MAID-per-impression, then the easy solution is to supply your one target MAID, plus another 999 bogus MAIDs (or, if the platform verifies that MAIDs are accurate before allowing you to use them, then you use 999 MAIDs from Liberia or some other country that your target won't visit).

Agreed, the platform would need some verification that you aren't skirting the rules.

> Maybe across the spying/intelligence industry, but advertisers don't care about individuals at all. This is an interesting experiment, but most platforms don't enable this type of tracking and no advertiser would ever need/want to do it.

I disagree. If a company selling an extremely expensive implementation of something could serve ads directly to only the decision makers in that type of product, it would be a very valuable target and absolutely worth pushing ads to a single individual.

True except these are display ads and cost $1000, which would be 10x more effective if spent on another channel. I suppose 0.0001% of advertisers might use this.

I wasn't commenting on the cost, just the statement that it had no value. But... I do think $1,000 to find out who + $2.00CPM to bombard a CFO about a $50mm financial software investment for years would be a massive ROI.

It would just help the sales team make it work.

Definitely worth it in rare situations, but the cpm to hit 1 person is massive - hundreds or even thousands of dollars.

But that doesn't matter because you'd only be targeting a single person and they're only going to generate at most a few hundred impressions, so your bill is going to be super cheap.

Think political campaigns, global product pushes etc.

If you can bulk push near-individual custom ads tailored to highly specific target groups, you potentially gain much more than just blanket advertisement

Well if you want to spend $4000 (media costs, campaign management, creative, etc.) to acquire a user, I guess. But you can already tailor ads to incredibly specific groups, no need to get to an individual level. For global-size campaigns or political campaigns this level of granularity is needlessly expensive.

> no advertiser would ever need/want to do it.

No, the article details many such advertisers: abusive spouses who want to track their spouse, for example. The whole point of the attack is this high-precision geo-targeting mechanism can be exploited by attackers.

And clearly some platforms do enable this type of tracking, because the experiment worked.

My intent was to argue against the quote, not the article. He is implying that the advertising industry uses this, which is not true and could easily be converted into scary clickbait ('Advertisers now have the ability to track your every move - why does coco cola know where you buy coffee?' )

I do wish they would've said what dsp or exchange they used, I'm not familiar with any that could do this.

The pool size restrictions can be worked around too:

Put 999 Indian IDs in your pool and 1 from your target in the USA.

Then run your campaign targeting USA only.

There's other work around like this, but I think you get the idea.

Which can be easily identified and blocked..

"If <10% of users in the pool are actually being served ads, block that pool" "If other rules w/in the campaign exclude x% of the pool, block that pool"

If your targeting is machine learning driven and linked to other databases so you can create 100k+ ads with optimized variations all linked to A/B style tests then that targeting is extremely useful. Maybe peoples responses give you enough to then followup with cold calls/direct mail etc.

Frankly there is way too much that can be done by combining different data and ML that the traditional way we think about preserving privacy is insufficient.

I don't really understand how half of the time people claim display ads are completely inneffective, while other times they can argue spending $1k on a user for display ads is worth it.

It's worth noting that this technique only works if the target user is using a mobile app (not web) that's been granted persistent location sharing permissions. The app also has to support one of the ad networks allowing the targeting they used in the paper. They tested this with the Talkaphone app, which requires (not requests) persistent location sharing.

I'm not sure, but iOS's anti-ad tracking function(s) may have an effect as well (https://support.apple.com/en-us/HT202074)

Exactly, deactivating location sharing for apps that don't need it will help a lot. Wifis can still be located but tracking over mobile network won't really work. At least in London, IP geolocation of phone networks results in a large radius, too large for anything but long-distance travel.

And then you can (and should) obviously still use a VPN. The ad network can know it's a vpn and not necessarily present it as a location but they won't be able to guess you're real one.

Is this an inevitable consequence of our society, or is there a way to actually do marketing ethically? What negative feedback loops actually apply strongly and over the long term to this behavior and creating these sorts of systems?

This is a pretty horrifying society we've built.

It's a consequence of northern America.

Did you know that other countries don't allow ISP to do that.

This has nothing to do with your ISP - it’s phone apps that are sending location information to advertisers.

If they can. IP tracking doesn't work well in cities and you don't need to give Facebook (and others) location access. The only apps that need it are navigation and ridesharing and they only need it while you use the app.

The problem is that platforms enable this kind of behavior. Once it's the open, someone will take advantage of it, and then others would only put themselves at a disadvantage by not doing it too. The real question is, how did our infrastructure become so exploitable?

That's not to say there aren't companies that don't play this kind of game. But on a spectrum of care and don't care, most are in the middle.

>Once it's the open, someone will take advantage of it, and then others would only put themselves at a disadvantage by not doing it too.

The answer to that problem in every other industry is regulation, either self imposed or more commonly through government intervention. But folks in the tech community, rightly or wrongly, don't take too kindly to the idea of regulating the Internet.

That doesn't mean that we should avoid all regulation - government action is sometimes the only way forward when dealing with certain situations, especially given the industry's reluctance to self-regulate. Regulatory capture is a concern, but it's something that we should be actively trying to fight, as opposed to avoiding regulation entirely.

Yes. It just suggests that regulation is _hard_ to get right, and what might on the face of it look like a good idea might not be.

The people with the money and lawyers and accounts often find away around regulations.

Every time this comes up as an excuse I have to ask: how is no regulation at all any better? Sure the regulation might get fucked up by "special interests" but at least you have some voice in it through the political process. Right now you have none.

I completely agree. The analogy I often use is a lock on your front door. Sure, the lock can be picked or someone can batter down the door. If someone robs your home exploiting one of these weaknesses you will probably respond by purchasing a more complex lock or stronger door. You aren't just going to leave your door unlocked from then on out because your previous attempt at protection failed.

Non-targeted and non-interactive marketing can be done ethically (if you grant that any marketing can be ethical). Perhaps we are all just waking up to the true nature of marketing, and seeing its unbridled ugliness for the first time.

How are they targeting location at such a high resolution? IP targeting is usually only accurate at the whole city level. In this they show tracking across a bus path. That would require GPS. What am I missing?

Ad networks allow advertisers to target based on fine-grained location which is presumably matched against the location reported by the phone's location services. That is, an app with GPS privileges displays a Geo targeted ad, then that display is reported to the advertiser. So yes, this is using GPS after a fashion.

So this has nothing to do with browsers or ISPs; it's a result of apps with GPS permissions transmitting that information to advertisers without the user's consent?

And/or users handing over consent for the app (and included ad-tech) to use GPS data without thinking through/caring enough about the consequences. Additionally, predatory apps that demand certain permissions to work can function to force the user to give up GPS data.

Maybe after the user declines a permission and the app prompts again, there should be a checkbox on the permissions prompt that makes Android pretend the permission was granted and just spoofs the relevant data.

That still means that you're safe if you don't use those apps. I just checked, none of the apps on my phone have location services always on, apps such as Facebook have it set to never. And I can't remember Facebook ever bothering me with it (as long as I don't post something at least).

This is explained in the article. Apps use high-precision geolocation when requesting location-targeted ads, and you can target ads to specific locations, so if you blanket an area in ads you can indirectly track movement through the grid.

> They then used that DSP to place a geographic grid of location-targeted ad buys around a three-mile square section

The game the target installed that is snitching GPS coordinates to an ad exchange near you.

How else did you think localized advertising works?

OpenRTB has supported GPS location since October 2012, proprietary exchanges longer than that.

> One test subject's commute across Seattle that the researchers tracked with ads in the app Talkatone. The dotted lines show the subject's real path, while the red dots show where the ads were delivered to the subject's phone to reveal his or her workplace, bus stop, home and local coffee shop. (The subject's actual home location has been somewhat obscured for privacy.)

It's not tracking across a bus path; that's their actual path. The red dots are the tracked locations.

Look at the red dots it places down. Two of the dots are within 1/8th of a mile. All of the dots are within 4 miles. 1/8th of a mile resolution is extreme and not IP level.

I second this, it blocks a surprising amount of ads without fuss or system resource usage.

DNS66 is great. The list of ad servers included in DNS66 by default don't include many mobile advertising services though(e.g adjust.com, ironsource).

The article / study only seemed to consider specific ad buys though very particular conditions -- particular app / ad network and waiting till targets showed up in a geofence.

It seems that an even simpler method would be basic retargeting. You can buy traffic individually, either by watching the requests back to your origin and locating IPs, or any location data coming back from basic DMP's it would seem this could be done.

No, IP geolocation is vastly less precise than this attack. This has a resolution of 25ft.

Here's a link to the actual research paper that the article summarizes: https://adint.cs.washington.edu/ADINT.pdf

That missing comma in the title made me think it was $10 000 instead of $1 000. I was unhappily surprised when reading the article. Could we edit that back in?

This is just one reason I don't grant random apps access to my location. Unless there's an obvious reason an app needs to know where I am, or a non-obvious reason is explained before I'm prompted (for example my bank recently added the ability to use my phone location to help detect credit card fraud), then you don't get my location.

Keep in mind providing access to photos does the same via geotagging.

No, that’s a different thing from what the article is talking about. If you’re aware of an ad provider using geotag info to send real-time location data to it’s advertisers then you should probably write that up somewhere.

...if you have geotagging turned on.

Even if you don't grant location permission an app can still get location using geoIP at about a city-level.

That can work in some rural areas but good luck in cities like London. I just tested, all publicly available geolocation databases give me no granularity except London for my vodafone IP. My home broadband is a bit more accurate but it's still an area of ~200-300k people.

Which has nothing to do with the article....

The part that surprises me is the unique identifier for the ad recipient (MAID) being reported to the advertiser. What is the legitimate business purpose of this and is it really a common feature of all ad platforms?

This is addressed in detail in the article.

> the researchers suggest a variety of ways to obtain that MAID, including placing an "active-content" ad that uses javascript to pull the MAID from a phone at a certain location... MAIDs can also be intercepted by someone on the same Wi-Fi network as the target phone.

> "It’s not a particularly high bar to entry for a very, very highly targeted attack," says Adam Lee... A domestic abuser could, for instance, obtain a spouse's MAID... or a co-worker could do the same in the office... Or an ad buyer could use active-content ads to gather the MAIDs of the people at a specific location, like a protest, or users of a potentially sensitive app like gay-dating apps or religious apps...

You talk about illegitimate purposes, not legitimate.

I guess they're intended to show ads multiple time for a user. Ads often only work if you've seen them often enough. A coke ad once will not change your behaviour but seeing it three times a day over a week could.

Has anyone set up an always on phone VPN + host-based blocking? That would help a lot with this.

Also, has anyone carefully looked into the recent changes apple made to mobile ad identifiers/etc in ios 11?

It's surprisingly easy to set up an always-on phone VPN.

Get a VPS, install OpenVPN on it, install "OpenVPN for Android" on your phone, and click through the settings.

DigitalOcean have a good writeup of the VPS side of things: https://www.digitalocean.com/community/tutorials/how-to-set-...

I'm curious what the battery life impact of running this 24/7 is.

On Android with openvpn app it's bad... Maybe the native VPN support has better battery life, or I need to fiddle more with openvpn app settings.

It says it doesn’t try to help with anonymity. Is there some unadvertised ad blocker hiding in there?

Yes, algo ships with an option to setup Privoxy and dnsmasq for just this: https://github.com/trailofbits/algo/issues/14

If you look at the commits, it regularly downloads and concats a large number of host files that track ad/analytics/malware hosts.

The reason it does not help with anonymity is that you own the server that it is running on. It is moving who you trust with your traffic. Do you trust your ISP or do you trust Digital Ocean / Amazon / other hosting service it supports? Any VPN isn't going to provide you anonymity, as you are connecting to it from your IP (if someone is monitoring on the VPN side, they know who you are) and logging into services associated with your identity.

However, from the readme:

>Blocks ads with a local DNS resolver (optional)

Easy enough to set up a VPN on a cloud VM (I actually ran one for a long time via my home internet connection with a raspberry pi). Paired with something like Pi Hole (http://pi-hole.net/) would give you DNS level ad blocking wherever you go. They have a guide for configuring it together with OpenVPN on the Pi Hole github: https://github.com/pi-hole/pi-hole/wiki/Pi-hole---OpenVPN-se...

Use, a non-US based VPN, this is a good one: https://airvpn.org/?referred_by=287899 *yeah, that's a referral link, I'm a happy user

Well, this isn't a VPN service, but this app (combined with a hosts file) does ad-blocking.


How well would this work with ads targeted through popular platforms like FB and Twitter, I wonder?

Not surprising but deserving of more mainstream attention nonetheless.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact