Using less than $1,000 worth of targeted advertising, University of Washington researchers were able to surveil individual users, determining location and habits.
Researchers found that advertising can be used by the individuals buying ads to track a target's location in relative real-time and to determine which apps a target uses and when, for apps with ads, according to the ADINT: Using Targeted Advertising for Personal Surveillance report.
The goal of the project was to provide a new perspective in the advertising privacy debate and researchers found that as advertisers are incentivized to provide more highly targeted ads, each increase in targeting precision inherently increases ADINT, advertising intelligence, capabilities.
Many of these capabilities were developed by advertisers for legitimate business purposes, but researchers said they could easily be exploited by someone with malicious intentions. A targeted individual need not click the ad to be targeted and by using a canonical demand-side provider (DSP), researchers were able to identify a target's, home, routes and place of work, and even which apps were on a user's phone.
“Ads can be targeted in a wide variety of ways, as described in our survey in our paper, including things about a person like age or gender, and things about the device, like operating system, IP address, location, or Mobile Advertising ID (MAID),” researchers said in a press release. “Some of these are unique, like the MAID, but others are only semi-unique, like location or IP address, that might be shared by many individuals in some situations.”
Researchers recommend users consider resetting their MAID on their devices and that advertising networks do more vetting of the parties that wish to purchase ads to prevent exploits like this in the wild.