University of Washington study: For $1000, anyone can purchase online ads to track your location and app use

19 Oct

“All happy families are alike; each unhappy family is unhappy in its own way.”
Leo Tolstoy, Anna Karenina

Tolstoy may not have been specifically talking about domestic violence, but each situation is unique. There is a specific story and specific journey for each victim, each couple, and each abuser. There is no predicted endpoint for domestic violence; each situation will have its own outcome.

Headlines regularly detail incidents of domestic violence involving sports figures and other prominent people. Domestic Violence is a societal problem. According to Safe Horizon:

The Victims
1 in 4 women will experience domestic violence during her lifetime.
Women experience more than 4 million physical assaults and rapes because of their partners, and men are victims of nearly 3 million physical assaults.
Women are more likely to be killed by an intimate partner than men
Women ages 20 to 24 are at greatest risk of becoming victims of domestic violence.
Every year, 1 in 3 women who is a victim of homicide is murdered by her current or former partner….. http://www.safehorizon.org/page/domestic-violence-statistics–facts-52.html

Abusers come in all races, classes, genders, religions and creeds.

Andy Greenberg reported in the Wired article, It Takes Just $1,000 to Track Someone’s Location With Mobile Ads:

When you consider the nagging privacy risks of online advertising, you may find comfort in the thought of a vast, abstract company like Pepsi or Nike viewing you as just one data point among millions. What, after all, do you have to hide from Pepsi? And why should that corporate megalith care about your secrets out of countless potential Pepsi drinkers? But an upcoming study has dissipated that delusion. It shows that ad-targeting can not only track you at the personal, individual level but also that it doesn’t take a corporation’s resources to seize upon that surveillance tool—just time, determination, and about a thousand dollars.
A team of security-focused researchers from the University of Washington has demonstrated just how deeply even someone with modest resources can exploit mobile advertising networks. An advertising-savvy spy, they’ve shown, can spend just a grand to track a target’s location with disturbing precision, learn details about them like their demographics and what apps they have installed on their phone, or correlate that information to make even more sensitive discoveries—say, that a certain twentysomething man has a gay dating app installed on his phone and lives at a certain address, that someone sitting next to the spy at a Starbucks took a certain route after leaving the coffee shop, or that a spy’s spouse has visited a particular friend’s home or business… https://www.wired.com/story/track-location-with-mobile-ads-1000-dollars-study/

Tracking a partner’s movements is one element of control in an abusive relationship.

Rachael Williams wrote in the Guardian article, Spyware and smartphones: how abusive men track their partners:

New technology is being developed so quickly, and social media pervades so many aspects of our lives, that it is hard to stay ahead, says Jennifer Perry, the chief executive of the Digital Trust, which supports victims of digital abuse. In fact, spyware, she reckons, is “yesterday’s technology” for tracking victims: “The easiest thing is to access the woman in the cloud. A man might buy a phone and set it up for his partner to be ‘helpful’. He knows the username and password. You have women who don’t even realise they have a cloud account in their smartphone.
“There is also an app you can buy that mirrors the phone on to a PC. The man can just sit at his computer and watch everything that happens on the phone.”
The technology is cheap and accessible, she says. And evading it is often not as simple as just turning the phone off. Perry usually advises women to take their sim card out, leave the phone with a friend until it can be cleaned, and use a cheap pay-as-you-go device in the meantime. But if her ex-partner owns the phone, it will never be safe.
Cloud storage is particularly problematic because it is linked to laptops and PCs, which, unlike phones, can have spyware installed on them remotely via email. “You often find that a woman had spyware put on to her computer remotely, so even if she changes the username and password for the cloud on her phone, the abuser can see that on the computer and get back in,” Perry says.
Perpetrators don’t just use this technology to find out where an escaping partner has gone; it is another tool for abuse when they’re together, too. “They will use the information to belittle or threaten the woman,” says Clare Laxton, public policy manager at Women’s Aid. “They’ll say: ‘Why were you at this restaurant? You’re cheating on me, I’m going to kill myself.’ It closes down that woman’s space, so she won’t want to go out and socialise, because she knows the abuse she’ll get when she gets home isn’t worth it. It’s all part of controlling her as much as possible….” https://www.theguardian.com/lifeandstyle/2015/jan/25/spyware-smartphone-abusive-men-track-partners-domestic-violence

Science Daily reported about privacy concerns:

Privacy concerns have long swirled around how much information online advertising networks collect about people’s browsing, buying and social media habits — typically to sell you something.
But could someone use mobile advertising to learn where you go for coffee? Could a burglar establish a sham company and send ads to your phone to learn when you leave the house? Could a suspicious employer see if you’re using shopping apps on work time?
The answer is yes, at least in theory. New University of Washington research, which will be presented Oct. 30 at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society, suggests that for roughly $1,000, someone with devious intent can purchase and target online advertising in ways that allow them to track the location of other individuals and learn what apps they are using….

Citation:

For $1000, anyone can purchase online ads to track your location and app use
Date: October 18, 2017
Source: University of Washington
Summary:
New research finds that for a budget of roughly $1000, it is possible for someone to track your location and app use by purchasing and targeting mobile ads. The team hopes to raise industry awareness about the potential privacy threat. https://www.sciencedaily.com/releases/2017/10/171018124131.htm

Here is the press release from the University of Washington:

October 18, 2017

For $1000, anyone can purchase online ads to track your location and app use
Jennifer Langston

UW News

New University of Washington research finds that for a budget of roughly $1000, it is possible for someone to track your location and app use by purchasing and targeting mobile ads. The team aims to raise industry awareness about the potential privacy threat.

Privacy concerns have long swirled around how much information online advertising networks collect about people’s browsing, buying and social media habits — typically to sell you something.

But could someone use mobile advertising to learn where you go for coffee? Could a burglar establish a sham company and send ads to your phone to learn when you leave the house? Could a suspicious employer see if you’re using shopping apps on work time?

The answer is yes, at least in theory. New University of Washington research, to be presented in a paper Oct. 30 at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society, suggests that for roughly $1,000, someone with devious intent can purchase and target online advertising in ways that allow them to track the location of other individuals and learn what apps they are using.
“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behavior,” said lead author Paul Vines, a recent doctoral graduate in the UW’s Paul G. Allen School of Computer Science & Engineering.

The research team set out to test whether an adversary could exploit the existing online advertising infrastructure for personal surveillance and, if so, raise industry awareness about the threat.

“Because it was so easy to do what we did, we believe this is an issue that the online advertising industry needs to be thinking about,” said co-author Franzi Roesner, co-director of the UW Security and Privacy Research Lab and an assistant professor in the Allen School. “We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them.”

This map represents an individual’s morning commute. Red dots reflect the places where the UW computer security researchers were able to track that person’s movements by serving location-based ads: at home (real location not shown), a coffee shop, bus stop and office. The team found that a target needed to stay in one location for roughly four minutes before an ad was served, which is why no red dots appear along the individual’s bus commute (dashed line) or walking route (solid line.)University of Washington

The researchers discovered that an individual ad purchaser can, under certain circumstances, see when a person visits a predetermined sensitive location — a suspected rendezvous spot for an affair, the office of a company that a venture capitalist might be interested in or a hospital where someone might be receiving treatment — within 10 minutes of that person’s arrival. They were also able to track a person’s movements across the city during a morning commute by serving location-based ads to the target’s phone.

The team also discovered that individuals who purchase the ads could see what types of apps their target was using. That could potentially divulge information about the person’s interests, dating habits, religious affiliations, health conditions, political leanings and other potentially sensitive or private information.
Someone who wants to surveil a person’s movements first needs to learn the mobile advertising ID (MAID) for the target’s mobile phone. These unique identifiers that help marketers serve ads tailored to a person’s interests are sent to the advertiser and a number of other parties whenever a person clicks on a mobile ad. A person’s MAID also could be obtained by eavesdropping on an unsecured wireless network the person is using or by gaining temporary access to his or her WiFi router.
The UW team demonstrated that customers of advertising services can purchase a number of hyperlocal ads through that service, which will only be served to that particular phone when its owner opens an app in a particular spot. By setting up a grid of these location-based ads, the adversary can track the target’s movements if he or she has opened an app and remains in a location long enough for an ad to be served — typically about four minutes, the team found.
Importantly, the target does not have to click on or engage with the ad — the purchaser can see where ads are being served and use that information to track the target through space. In the team’s experiments, they were able to pinpoint a person’s location within about 8 meters.

“To be very honest, I was shocked at how effective this was,” said co-author Tadayoshi Kohno, an Allen School professor who has studied security vulnerabilities in products ranging from automobiles to medical devices. “We did this research to better understand the privacy risks with online advertising. There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision. It is important to understand both the benefits and risks with technologies.”

An individual could potentially disrupt the simple types of location-based attacks that the UW team demonstrated by frequently resetting the mobile advertising IDs in their phones — a feature that many smartphones now offer. Disabling location tracking within individual app settings could help, the researchers said, but advertisers still may be capable of harvesting location data in other ways.
On the industry side, mobile and online advertisers could help thwart these types of attacks by rejecting ad buys that target only a small number of devices or individuals, the researchers said. They also could develop and deploy machine learning tools to distinguish between normal advertising patterns and suspicious advertising behavior that looks more like personal surveillance.
The UW Security and Privacy Research Lab is a leader in evaluating potential security threats in emerging technologies, including telematics in automobiles, web browsers, DNA sequencing software and augmented reality, before they can be exploited by bad actors.

Next steps for the team include working with experts at the UW’s Tech Policy Lab to explore the legal and policy questions raised by this new form of potential intelligence gathering.

The research was funded by The National Science Foundation, The Tech Policy Lab and the Short-Dooley Professorship.

For more information, contact the research team at adint@cs.washington.edu.
Grant number: NSF: CNS-1463968

Resources:

Cell Phone Location Tracking Laws By State https://www.aclu.org/issues/privacy-technology/location-tracking/cell-phone-location-tracking-laws-state

Mobile Phone Safety for a Domestic Abuse Victim http://www.getdomesticviolencehelp.com/domestic-abuse-victim.html

Smartphones Are Used To Stalk, Control Domestic Abuse Victims http://www.npr.org/sections/alltechconsidered/2014/09/15/346149979/smartphones-are-used-to-stalk-control-domestic-abuse-victims

Where information leads to Hope. © Dr. Wilda.com

Dr. Wilda says this about that ©

Blogs by Dr. Wilda:

COMMENTS FROM AN OLD FART©
http://drwildaoldfart.wordpress.com/

Dr. Wilda Reviews ©
http://drwildareviews.wordpress.com/

Dr. Wilda ©
https://drwilda.com/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: