Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Girlfriend is being shown ads depending on what we do together. How?
98 points by enraged_camel on Apr 17, 2018 | hide | past | web | favorite | 94 comments
My girlfriend came to check out some open houses with me yesterday after work. By 10 PM, she was seeing ads on Instagram for new houses. She hasn't shopped for a house before, or even done any searches on Google on that topic. I simply invited her to come with me and she did.

Similarly, we were at her place the other day and watched a kung fu movie on my laptop (connected to her wifi), and then went to bed. The next morning she started seeing ads for martial arts schools in the area.

What is happening?

She doesn't have an Amazon Echo or anything else that might be listening, although she does have an Android phone. She most likely has the default (stock) settings and apps. Regardless, I want to help her improve her privacy. What steps should I take (other than installing ad-blockers on her phone)?

Corollary: Is this what the Internet is like for "regular" people? If so, holy shit. I'm glad I use uBlock Origin on my computers and an iPhone.

I have worked for a number of ad tech companies over the years.

If this really is happening (and it seems possible it could be coincidence) the most likely explanation is cross device targeting using IP address.

So, most ad tech companies do cross device targeting, using device maps bought from other companies (Drawbridge being one). These companies attempt to assign a variety of devices from the same person to a single advertising profile. The simplest way they do this is by IP address. So if they have an IP address with a small number of devices, they decide it is probably a household and assign all those devices to the same advertising profile.

So, by being on the same wifi together (either at your place or hers) they will show ads on her devices based on your behavior (and vice versa).

The other explanations are possible, but I think this is the most likely

This is the correct answer. We noticed this happening in our small lab and decided to run some tests and in fact if one person searched for something odd like 'Swedish fish' then visited sites selling Swedish fish, everyone in the lab would start to get ads for candy and snack food. Similarly, searching for "mountain bike" would result in everyone else seeing ads for bikes and bike accessories. It sort of became a game to figure out what the test search term of the day was.

Many would probably hear of experiences like that and think 'hey that sounds unintentional or like behavior the advertiser wouldn't want' but it actually sounds brilliant from a pure effectiveness point of view. You don't just show an ad to an interested person.... you increase the chance that the person will hear about the thing from people in their immediate vicinity. And what's the best advertising in the universe that no one can buy? Word of mouth.

Advertisers had better be paying through the nose for this sort of access, because it's insanely valuable.

We get this all the time in our office for salesforce (half of our team uses it.)

Since this seems to be the most accepted answer, I did some search on IP address re-targeting, and came across this, which is kind of creepy and annoying.

> Cookie-based retargeting uses online data while IP Targeting uses offline data, which is verified and drastically reduces the potential of non-human bot traffic. IP Targeting essentially takes the traditional direct mail approach and matches home and business postal addresses to computer/device IP addresses.

Source: http://www.accudata.com/why-ip-targeting-takes-the-cake/

its also more than just ip address. if you ever log into each others computers to check mail or any other system that requires a login, that company can sell your (device,username) pair to these cross device companies, and and you get another (device2,username) pair and its decided to be the same person.

https://whotracks.me/trackers/liveramp.html: twitch, okcupid, adobe

https://whotracks.me/trackers/drawbridge.html: etsy, aol, samsung

log into one of those from two devices and anyone who wants to pay will track you as the same person

I wonder if agencies register the GPS coordinates of open houses for location based advertisement.


That has some super creepy implications--imagine the father of a teenage girl wondering why he's suddenly seeing so many internet ads for maternity products, for instance.

How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did:


Can't find it atm but there was at least one story of someone being outed as gay due to ad targeting. For things like that, if you can think of it it probably already has happened, and if it hasn't, it will in the next 10 years.

Makes sense, especially since I think the IP for multiple devices on a home broadband connection would be the external IP of the broadband router, right?

Correct. About the only solution is for everyone to have an independent VPN connection.

VPN that anonymizes IP and isn't 1-to-1 mapped to person/device. Tor network?

I believe Google does this for suggested search. I’ve noticed that my suggested search is eerily spot on for my current conversation with someone who is searching or just searched for something that I too am now searching for.

Yes. This is retargeting based on a cross device graph and this experience illustrates ad tech trade-off. We're those ads in a logged-in ad platform like Facebook or were they generic display stuff?

Well there goes Christmas shopping.

> they will show ads on her devices based on your behavior (and vice versa).

She went house hunting and watched kung fu movies. Has nothing to do with the partners behavior.

Most android (CIAlphabet) phones have CIABook installed by default and it cannot be turned off or deleted without root access. Both listen to microphone and probably take random photos. The phones are both linked to credit cards which are probably also linked to Netflix account.

Why are people still surprised by this?

I cannot attest to the above suggestion that "CIABook" is installed, as I have not reviewed any of the Android source.

Instead, I offer different information: I know of a person who is switching back to a pager to avoid smart device-based tracking. This after he received the requested "all information Facebook has about me" and saw how many of the quizzes he took for fun were advertiser-based, articles that seemed to be interesting (and were not about products or services, per se) being brought to his attention by advertisers, as well as other behavior he thought was innocuous but instead resulted in yet more data gathered about him.

It is my understanding he is piecing together different services to allow the pager to still be able to communicate (eventually) via IM with the right hand-offs involving services who rank privacy/no-tracking towards the top of their service offering.

There is some interest among his peers to offer this as a service, for those who might find this idea desirable. Apparently there are refurbished pagers available for purchase that can be used in this way.

He has jokingly referred to it as a "Hi-Tech detox" process...

I, too, listen to this person in the morning! Maybe attitudes have changed over the years but IIRC his partner isn't very well liked around here.

I find thinking dimensionally helps me understand better...

I find HN to be a really interesting intersection point of the Dimensions

A totally plausible explanation for this (as plausible as any Amazon Echo passive speech recognition ad targeting theory) is that she's been seeing these ads for weeks, but they were completely irrelevant and her mind filtered them out until she happened to have house hunting / martial arts movies on her mind after these events.

I agree this is a very probable cause, but since a lot of people seem to be reporting this affect I wonder if it can be quantified... are there any tools that can do ad-tracker-tracking to collect information on the ads you're being shown over time and categorize them in order to show that you really are getting more ads of a particular type after a particular action is taken (which isn't obviously trackable)?

This seems to be the most plausible, if least satisfying explanation.

I think you may be right. Many of these stories talk about users mentioning they would like X product. Then they are surprised when they get an ad for that product. They forget A. all the other times they talked about products and never saw an ad and B. all the other ads they saw without ever mentioning the product.

This has a name! Baader-Meinhof Phenomenon.

Nice try Mark.

Jokes aside, these issues are happening way too often for it to just be a coincidence. I've seen multiple friends and strangers, as well as myself, reporting that they were talking about something and then an ad shows up about that.

EDIT: typo

No. You read this first: https://en.wikipedia.org/wiki/Joke

So what you wrote after "Jokes aside," was also a joke?

This is a well-known psychological phenomenon, not a joke or coincidence.

I understand that. I just don't think it applies to this case. It happened to me and close friends, that's why I am skeptical.

It is very easy to have opinions and explanations on something you didn't experience yourself.

This phenomenon happens to me and close friends too.

I am not in this field and I believe some guys here already explained it much clearly than me.

1. Checking Open houses: Many apps are authorized by most users to access their location. Ads space providers qualify their data, that is the way they earn their life. Then if one Ad client works in real estate, the Ads space, sorry your girlfriend phone screen, is a nice target for real estate Ads.

2. Kung fu ads: A Ads space provider for some of the ads may have noticed that several different user agents come from the same IP adress, so it inferred incorrectly that they belong to the same person.

^ Probably correct, +1.

I'd like to add that Android by default tracks your location constantly [1]. I recently got a Pixel and was staying in a hotel. Every night I came back to the hotel room it would ask me to rate it or upload pictures of it to Google Maps. It can be disabled in Settings, iirc.

[1]: https://www.google.com/maps/timeline?pb

My guess would be:

1) Facebook (ie instagram) knows you are in a relationship

2) Facebook knows girlfriend's location from being signed in (on Instagram)

3) Facebook knows locations are at open houses from data gathered from other users or around the web. Or maybe Facebook knows that going to a few totally new random residential locations in a short period of time, combined with girlfriend's other engagement activities means user is looking for a new place to live.

Also the fact that both of them are in the same physical location frequently, at key times, even if your hadn't set your relationship status it might figure it out.

Not just with facebook, there are more options:

You can geofence users (probably the realtor does it) and then send targeted ads to audiences that touch more than one geofenced area.

For the kung-fu panda and martial arts. Do you share wifi and (public) ip addresses with your girlfirend?

> Is this what the Internet is like for "regular" people? If so, holy shit. I'm glad I use uBlock Origin on my computers and an iPhone.

Somewhere, in a dark corner in a AWS datacenter in Oregon, some third-party tracking software records "Hey, the only user within five-mile radius that blocks our ad links just finished watching a kung fu movie."

If you're going to get fingerprinted anyway, might as well save the bandwidth.

Of course, I have nothing against saving bandwidth. I just didn't expect to see an iPhone user non-ironically calling Android users as "regular people" these days. What year is it now? :P

i don't think it was because of the phone but because enraged_camel takes preventative measures to block tracking tools and "normal people" do not. note that it's "on my computers and...." not just "iphone"

> Is this what the Internet is like for "regular" people? If so, holy shit.

Presumably. Even with the best precautions (ad blocking, etc) some tracking still slips through the cracks. I don’t want to imagine what it’s like for the average idiot who installs every single crappy app, gives it all the permissions and logs in with their Facebook account into them.

I work in advertising (check my post history).

Likely this is just "household extension". How it works:

1. You visit my website on your phone 2. I can now send ads to your phone, but not your desktop 3. I enable cross-device targeting 4. I can now send ads to your phone, laptop, and work computer 5. I enable household extension 6. I can now send ads to any device associated with your household (your girlfriend's phone and laptop, your son's tablet, etc.)

The more likely explanation (for the kung fu stuff) is just random chance. You get like 500 ads a day, so some of those will coincidentally line up with things you've recently done.

But your behavior (watching a kung fu movie) might have gotten you or your household added to a 3rd party audience for interest in karate, and then you get karate ads. Same for open houses - there are data providers who sell the audience "user has been to an open house recently" or more likely just "in-market for real estate services"

Suppose I operate a small general practitioner healthcare facility that often has only two patients at the same time. If I offer free Wi-Fi in the waiting area, should I consider that a HIPAA violation, because I'm reasonably confident that one patient will see ads related to the other patient's medical condition?

Disclaimer: IANAL. But, probably: no. The ad company is the one at fault, as it is showing a patient an ad related to someone else's condition. You're not the one showing the ad,

Start by switching to iOS, then for each app she installs make sure location permissions are denied. On the laptop, make sure uBlock Origin is installed.

Start by buying an expensive piece of hardware running a different operating system? Why not just use the app permissions built into Android 6.0+?

An expensive piece of hardware from a company that has no interest in spying on you.

The Android permissions are still not enough; there is a lot of nasty stuff you can do on Android (get low-level cell tower information, WiFi, Bluetooth, etc) that is outright impossible on iOS.

I would be very surprised if OP's girlfriend's ad tracking involved anything sophisticated and nasty. It's probably either IP-based as others have suggested, or using the location permission, which can be turned off.

> that is outright impossible on iOS

As far as you know.

Since their OS is proprietary, security research is severely hindered, and they are inherently incentivized to hide security flaws.

> As far as you know.

Still better than leaving the capability right there in the open, no?

Also you do understand critical parts of Android like Google Play Services are closed source, and also outright malicious when it comes to a privacy standpoint (it’s right there in the name - Google Play Services).

Sure, you can build a privacy-conscious Android from scratch if you’re tech-savvy and have lots of free time and courage. We’re not talking about a tech person here, we’re talking about someone who just wants to sort this problem out and get on with their life. Buying an iPhone solves that problem easily and in little time.

IP address is sort of equivalent to location.

Cellphone tower is similarly equivalent to location.

The IP can be used to correlate them being together (connected to their home WiFi), but would be unable to track them outside (unless the phones try to connect to “free” public WiFi which is subsidised by ads and will no doubt rat the users out to Facebook).

Cell phone towers don’t correlate to IPs at all; the IP layer is added way above all that at the GGSN in the carrier’s network, which doesn’t even know nor care which tower you’re connected to.

> The IP can be used to correlate them being together

There you go.

Speaking of wifi, by correlating IP address and MAC broadcasts, ad networks could figure out your MAC address. This could also be used to track your location.

Correlating that they’re together wouldn’t explain how the ad networks figured out they were outside looking at houses.

MAC addresses are never transmitted past the first layer 2 hop, so it would require either a compromised switch/access point (like public WiFi) to be nearby and the phone to connect to it (phones randomise MACs when searching for networks to protect against that).

Last Summer, I was on a Boy Scout trip and opened Facebook Messenger and it had PRE-FILLED the text of a message with "At terminal w/ Bobby waiting to board." The spooky thing is that it somehow knew:

1) I was at the airport (OK, not so hard, maybe using WiFi or GPS). 2) So was my friend's son, Bobby (who I wasn't directly FB friends with). 3) We were at a gate waiting for our plane..

Here's the thing: I hadn't posted any kind of itinerary or booked the flights myself. So, if FB was just "guessing" and did this every time a friend-of-a-friend was at the same place, you'd constantly be paired up with relative strangers crossing paths nearby.

It could just be targeting. While it's possible something nefarious is going on, advertisers are really good at using available data to predict information that was never provided. In the case of the kung fu movie, it's possible IP address was used. For the open house, there could be some location correlation, but I would bet it's more than that (age, financial profile, relationship status). You can feed a bunch of data about someone to an algorithm and predict these things with pretty high confidence.

The way to avoid this is to opt out of interest based ads. iOS and Android both have options for this.

Since the video of the guy talking about dog toys with chrome closed, and then seeing dog toy ads shortly after, I've become skeptical of this. So, I've begun testing it myself. I thought of something somewhat specific but random, unrelated to me, unlikely for me to see regular ads for, and now from time to time I talk about that thing. Until maybe a few weeks from now when I stop doing this, I will not be typing the thing, or anything too closely related, into any kind of text field.

I've been doing it a few days so far and nothing yet.


The Facebook app tracks location and other peoples' locations, and makes assumptions based on people being at the same place at the same time. If Facebook (or whoever) knows that several other people are all interested in new houses, and all those people + your girlfriend go to the same place(s), Facebook decides that your girlfriend might have the same interest as all those other people.

This kind of "air-gap join" definitely happens based on my own experience. e.g. I get shown ads for products my kids are interested in, where I am sure I never interacted in any way online with the vendor. Also I had a /24 IP block and used some addresses for my neighbors' connections (different to our IP but within the same block). Neighbors reported seeing ads for products we bought. In fact we would joke about it, ask each other why we were seeing ads for xxx weird and unusual thing.

I'll guess that the following join keys could be used:

IP address or IP address subnet Physical location / postal address Known family or romantic relationship Offline key match such as use of the same credit card

Besides ad-blockers, turn off location tracking in apps. I forgot how it is for Android, but in iOS you can disable location tracking on an app-by-app basis. And you can also partially disable it -- only allow it when the app is active, as opposed to background tracking.

If you have enough data point for enough people in a large enough area, well machine learning will do the trick[1].

[1]: https://idiallo.com/blog/machine-learning-ads

The brilliance and scariness of the possibility that this may be where advertising technology is at reminds me of this sentiment that I can't remember the source of:

"All the brightest human minds in the world are working for advertising companies"

Did either one of you login to amazon, Facebook, google, etc on one of the other persons device? If so there is likely still a tracking cookie associating you with her device. And your searches are causing her device to be targeted.

You are logged in to Android phones all the time. Not that it matters since they know who owns the phone.

Even if you don't have cookies enabled, then browser fingerprinting could make the connection.

Note that this is not data leaking from one person to the other. Here the ad networks know specifically that the two people are doing stuff together, but that they are not the same person.

1. Did she discuss looking at houses with you or anybody in emails or social media messages?

2. Did her smartphone location ever correspond with a house that is listed on the MLS in the past week?

Does she leave WiFi, Bluetooth, NFC, or other non-phone communications active on her phone all the time?

Did you guys use zillow/trulia to look up listings?

This was happening to me until I removed Facebook and Facebook Messenger from my phone. I believe these apps listen to conversations even when you aren’t using them. I am not alone in believing this.

> I believe these apps listen to conversations even when you aren’t using them. I am not alone in believing this.

I have evidence of same and it may not be just FB and Messanger

Last week a co-worker engaged me in a discussion concerning her father-in-laws diagnosis of prostate cancer. This lasted about 20 or 30 minutes. I had my cell phone on me. I do not have FB or Messanger.

I do not deal with cancer cases at work. I did not google any information on prostate cancer. I did not send any mails pertaining to prostate cancer or any other form of cancer.

Two days later I start getting ads and suggestions for prostate cancer treatment options. How unlikely should that be?

I am trying to reproduce the effect by talking about other rare disease conditions with my phone switched on.

If the bugger is spying on me I'd like to know.

Even getting ads for related things could happen now. I'd suggest thinking of something entirely new, and begin talking about it, but make sure you do not enter that term or anything too closely related to it into any kind of text field. (or rather, only enter into text fields which should be 100% private)

I have absolutely no proof but I swear this happens to me and my wife all the time. We just talk about things then end up seeing ads for them. I'm on android and she is on iOS.

What kind of phone? The rest of us might want to get in on this test too.

Motorola running the latest version of Android; but I suspect it is the google search feature that is doing the snooping.

Just revoke microphone access.

Say that only half of Facebook's users have the apps: one billion

Say that the average within-microphone-range presence of each user is five hours per day. Probably a huge underestimate.

Do you really think that Facebook would devote enough server time to parse five billion hours of mumbling audio each and every day? That's several times longer than the total viewing of YouTube each day.

its not that expensive, the transfer of raw audio to the server would probably be a bigger problem to deal with. Likely the processing is done on the phone. Either way its not cool, using YOUR data or battery to do their processing to target you with ads.

Its likely a passive listening for keywords kind of thing.

That is unreasonable conspiratorial thinking. Please don't believe it.

This kind of Ultrasonic tracking i.e listening for a set of specific frequencies that are too high for most humans to perceive is much less complex then actual speech recognition, and consequently much more pragmatic.

did you invite her to come see the open house by texting her "hey, wanna come see an open house"?

if you mean whatsapp, the content of messages is not available to whatsapp/facebook systems (it's end-to-end encrypted).

They could still extract keywords on the sender or recipient device and send them independently of the message; the message is still encrypted but keywords such as “buy” and “house” were submitted to Facebook anyway.

I don’t buy the “end to end encryption” argument. If the app used encryption for the benefit of their users it would absolutely make no sense for Facebook to buy them for billions. The reason FB did so anyway is that they have a workaround the E2E encryption like described above.

Does WhatsApp make it clear what "end" means and how many so-called "ends" you are transmitting a message to?

...unless your software keyboard is logging your keystrokes and sending those home.

but they have the keys, and can't be trusted

I don't know how this is happening exactly, but I want to add that it has also been happening to myself and to my friends for quite some time.

This is the result of all the years of data mining and tracking. Now they can see your phone is at an open house and make an educated guess (which is all it is), that you're interested in buying homes.

All your web traffic is tracked too, unless you only use sources that explicitly do not track, such as duckduckgo.com. Check out https://ssd.eff.org, you might find it helpful.

It seems to me as though this is the exact reason that Zuck was called in to testify. We have a reasonable understanding and can at least comment intelligently, but the public sees this, and clearly calls fowl. Being unable to stop it, they demand action from their senators. There's a reckoning coming I reckon --- it reminds me of GDPR in Europe.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact