Anyone can track the applications used by a person or their location with a modest budget of $1,000. This allows employers or suspicious partners to track and individual for a paltry sum, apart from intelligence agencies. The targeting allowed by modern advertising networks allow malicious individuals to track movements of an individual, as well as find out their interests by tracking which applications they are using. Essentially, those purchasing advertisements can use the purchase nefariously for individual surveillance.
Researchers from the University of Washington (UW) have demonstrated the approach. The lead author of the paper, Paul Vines says, "Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behavior."
Someone using this approach first has to get the user's mobile advertising ID, also known as the MAID which is linked to each individual smartphone. The MAID can be obtained by snooping in on the target while they are using an unsecured wi-fi network, or by gaining temporary access to a secured wi-fi router used by the target. This steps de-anonymises the targeting and delivery of the advertising.
After that, the attacker can serve a number of hyperlocal advertisements, which are only served when the target is at a particular location. These ads can be used to track the movements of the target during a commute, or when they are visiting a sensitive location. The targets do not even need to tap on the ads, the researchers were able to track users within 8 meters of their location by just looking into the back end and seeing which ads were being served when and where.
The research was conducted to help the advertising industry formulate steps to improve their security and privacy measures. The paper is to be presented on 30 October at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society.