Now the issue is your ISP getting into the marketing/data-monger business, since they have the keys to your privacy kingdom and are becoming increasingly desperate for profits.
False. There is client-side protection in some browsers now, but this attack exploits native apps that submit precise geolocation when requesting location-targeted ads. It demonstrates how to essentially reverse engineer that precise location with a matrix of ads crafted for this purpose.
But I care some about it being tracked even when I'm not doing anything bad.
Reverse engineering will get you a PoC, but you can buy the cleansed data fairly easily (apparently..)
It's great that some OSes are trying to solve it system-wide but host blocking isn't viable as ubiquitous protection against this attack. It would just break all ads all the time, which ultimately would make the platform untenable for ad-based apps. What you want is something like the machine-learning Intelligent Tracking Prevention that Safari just rolled out, but applied to native apps. That is non-trivial.
Sounds like a feature not a bug.
Anyways I'm sure tech savvy folks who care about privacy and hate ads already have all the basic angles covered. I know I do!
fixed it for you.
I discovered Google Play's App Store on someone else's phone, that was painful and stressful. But what you are describing seems hellish.
I wanted to get a PCAP from an app a few nights ago, I was surprised it was possible without root. Now there are apps that can act as a VPN to sniff traffic. Having the most up to date firmware and Google Fi's international rates are worth giving up root to me.
It would be nice if they built in secure root access interface to Android though.
If you rein in the notifications (ie. switch them all off), use Firefox with uBlock Origin (or Firefox Focus) and avoid using apps with obnoxious ads (or switch to the paid versions), Android as of 2017 is quite nice.
On behalf of the Linux community, no need to thank us, you're welcome.
I wonder if it's feasible to construct an ISP that still must know where all it's customers are, but can't distinguish between them.
The only reason those tech companies are against ISP tracking is that it hurts their revenue model...significantly.
Don’t by in to the easy explanation - look at their motivations.
Not really, though, at least for ios. On android there are at least firefox + extensions, but there's nothing quite capable/available on ios at the moment.
If dsp/exchanges just required 1k or 500 users be in a retargeting pool (or list of device ids) then this problem would be solved.
As for knowing how many users use a specific app in a location, that is an extremely fuzzy number and I doubt the accuracy of it. Almost no exchanges show you how many auctions you lost, so just finding out how many uniques you served to is flawed and much smaller than the real number.
> "This is so easy and it's industry-wide," says Tadayoshi Kohno
Maybe across the spying/intelligence industry, but advertisers don't care about individuals at all. This is an interesting experiment, but most platforms don't enable this type of tracking and no advertiser would ever need/want to do it.
I disagree. If a company selling an extremely expensive implementation of something could serve ads directly to only the decision makers in that type of product, it would be a very valuable target and absolutely worth pushing ads to a single individual.
It would just help the sales team make it work.
If you can bulk push near-individual custom ads tailored to highly specific target groups, you potentially gain much more than just blanket advertisement
No, the article details many such advertisers: abusive spouses who want to track their spouse, for example. The whole point of the attack is this high-precision geo-targeting mechanism can be exploited by attackers.
And clearly some platforms do enable this type of tracking, because the experiment worked.
I do wish they would've said what dsp or exchange they used, I'm not familiar with any that could do this.
Put 999 Indian IDs in your pool and 1 from your target in the USA.
Then run your campaign targeting USA only.
There's other work around like this, but I think you get the idea.
"If <10% of users in the pool are actually being served ads, block that pool"
"If other rules w/in the campaign exclude x% of the pool, block that pool"
Frankly there is way too much that can be done by combining different data and ML that the traditional way we think about preserving privacy is insufficient.
I'm not sure, but iOS's anti-ad tracking function(s) may have an effect as well (https://support.apple.com/en-us/HT202074)
And then you can (and should) obviously still use a VPN. The ad network can know it's a vpn and not necessarily present it as a location but they won't be able to guess you're real one.
This is a pretty horrifying society we've built.
Did you know that other countries don't allow ISP to do that.
That's not to say there aren't companies that don't play this kind of game. But on a spectrum of care and don't care, most are in the middle.
The answer to that problem in every other industry is regulation, either self imposed or more commonly through government intervention. But folks in the tech community, rightly or wrongly, don't take too kindly to the idea of regulating the Internet.
The people with the money and lawyers and accounts often find away around regulations.
> They then used that DSP to place a geographic grid of location-targeted ad buys around a three-mile square section
How else did you think localized advertising works?
OpenRTB has supported GPS location since October 2012, proprietary exchanges longer than that.
It's not tracking across a bus path; that's their actual path. The red dots are the tracked locations.
It seems that an even simpler method would be basic retargeting. You can buy traffic individually, either by watching the requests back to your origin and locating IPs, or any location data coming back from basic DMP's it would seem this could be done.
> "It’s not a particularly high bar to entry for a very, very highly targeted attack," says Adam Lee... A domestic abuser could, for instance, obtain a spouse's MAID... or a co-worker could do the same in the office... Or an ad buyer could use active-content ads to gather the MAIDs of the people at a specific location, like a protest, or users of a potentially sensitive app like gay-dating apps or religious apps...
I guess they're intended to show ads multiple time for a user. Ads often only work if you've seen them often enough. A coke ad once will not change your behaviour but seeing it three times a day over a week could.
Also, has anyone carefully looked into the recent changes apple made to mobile ad identifiers/etc in ios 11?
Get a VPS, install OpenVPN on it, install "OpenVPN for Android" on your phone, and click through the settings.
DigitalOcean have a good writeup of the VPS side of things: https://www.digitalocean.com/community/tutorials/how-to-set-...
If you look at the commits, it regularly downloads and concats a large number of host files that track ad/analytics/malware hosts.
However, from the readme:
>Blocks ads with a local DNS resolver (optional)