We already know that our smartphones can give away a frankly scary amount of information about ourselves but researchers at the University of Washington have discovered that the situation is actually far worse than we thought.
In an experiment the team found that by spending just $1000 on targeted adverts to a smartphone, they could track a person’s location, the apps they were using, even where they went for coffee.
“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behaviour,” said lead author Paul Vines.
So how did they do it? Well to be able to track a phone through adverts you need something called a mobile advertising ID. This can be obtained either by joining an unsecured network they’re on at the same time (coffee shop WiFi), or by having temporary access to his or her router.
Once you’ve got that you can start delivering what’s known as hyperlocal adverts. You can then set these adverts to be sent out at a specific location, and then watch in real-time to see if the person has received the ad or not.
If they have, then it means they’re there. By creating a network of these ads you can effectively create your very own map of their complete movements.
What’s even more concerning is that the person doesn’t even have to engage with the ad, and once it has been delivered the team were able to pinpoint a person’s location to within just 8 metres.
“To be very honest, I was shocked at how effective this was.” said co-author Tadayoshi Kohno. “There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision.”
So how do you stop it? Well at the moment the team are only able to recommend a few steps that can help.
Turning on a feature called ‘Limit Ad Tracking’ within your iPhone certainly helps, as does activating a feature just below it called ‘Reset Advertising Identifier’. This effectively deletes your old mobile ad ID and replaces it with a new one making it harder for individuals to see who you are.
The team will be reporting their findings at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society and the hope is that it can make advertising companies listen to their concerns and act accordingly.
“We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks,” explains co-author Franzi Roesner. “So that there can be a broad public discussion about how we as a society might try to prevent them.”