How targeted advertising can be used to spy on individuals
Oct 21, 2017 // By:admin // No Comment
A study from the University of Washington shows that it is very simple to use advertising services to track a person’s movements without his knowledge.
A few hundred euros, and basic technical knowledge: these are the only tools necessary to track the movements and actions of an individual, through the targeted advertisements that appear in the mobile applications of our phones . This is the conclusion of a very comprehensive study ( PDF ) conducted by researchers at the University of Washington, published in the magazine IEEE Security & Privacy .
The system tested by researchers, simple and inexpensive, is based on the ever-thinner targeting capabilities offered by the so-called ” demand side platform ” ( DSP) advertising platforms . These online advertising intermediaries interface the demand of an advertiser with thousands of sites and apps that offer targeted advertising in real time. The advertiser chooses the population to whom he wishes to present his advertising according to more or less wide criteria (interests, geolocation, age, sex, etc.) and the DSP is in charge of “finding” Internet users corresponding to this profile.
But this very fine targeting can easily be used to track down a specific user. To do this, you must in some cases obtain the advertising ID number of your phone – only part of the procedure a little complex. Once the “target” is identified, a wide range of espionage techniques is possible. For example, it is conceivable to know when a person goes to a particular place, to roughly follow his movements throughout the day, or to know if he uses dating or prayer applications.
THE MERE FACT THAT THE ADVERTISEMENT IS DISPLAYED IS ENOUGH TO SPECIFY THE LOCATION
The protocol used by the researchers remains partly rude – for this “advertising attack” to work, it is necessary that the user opens an application and that the advertisement is displayed. So it’s not a permanent or infallible surveillance, but the researchers themselves have found that it can be extremely accurate, by providing a geolocation within eight meters of their “targets”, all without the Spied person needs to click on an advertisement, the simple fact that it appears is enough to specify the location.
The fact that the targeted ads represent a danger to privacy is far from a revelation. The documents released by whistleblower Edward Snowden in 2013 already showed that the US National Security Agency, the NSA, was taking advantage of the advertising infrastructure to massively collect personal data from internet users. But researchers at the University of Washington demonstrate that there is no need to have the technical capabilities of an intelligence agency to exploit this data.
Accessible to all, without significant resources
The attack scenarios described by the researchers are within the reach of any individual or group that does not have significant means. Especially because the “double bidding” system that prevails in the advertising market – the advertiser only pays the price of the second highest bid – has made the targeted ads very cheap, as long as they do not try to target very popular demographic groups of advertisers. Showing an ad to someone or others in a very limited geographical area costs just a few cents.
More worryingly, the researchers note that the checks that CSPs are supposed to exercise on their clients’ requests are at best deficient. Some of the companies whose services were used for this experiment only marginally control the content of the advertisements submitted to them. And “while we sent very strange requests compared to those sent by a normal advertiser, we have never received any warning or negative feedback from CSPs during the three months of use,” say the researchers
February 08, 2018
December 24, 2017