For just $1,000, anyone using a mobile device can be tracked using mobile adverts

Audience and consumer data collection practices are common among mobile advertisers and big companies. However, new research by the University of Washington reveals that data collection is not only restricted to the big players. Instead, it costs just $1,000 to track a person’s mobile location using mobile app adverts.

The study proposed that anyone could exploit digital ads to collect private user information. It tested this hypothesis by using targeted ads to reach specific people by their gender, age or device IP address, location and operating system.

The authors write:

“[W]e find that an individual or small group with a $1000 US Dollar budget can use targeted ads and a DSP to track the locations of targeted individuals as they move from home, to work, and to other sensitive locations.”

Additionally, researchers were also able to target specific apps and locations and count users on example apps such as Grindr. Targeted adverts also allowed them to monitor when a person was using a certain app.

To find a person’s GPS location, the authors first determined an individual’s mobile advertising ID and then began to target only that ID. When asking for location-specific ads, the served ad report would reveal a user’s location within eight meters as long as the user had remained in the same location for over five minutes.

The implications of the research are of course important. The paper suggests that users could avoid targeting attacks “by never using apps or visiting websites with ads”.

However, that’s a rather drastic and limiting step. Instead, privacy could be enhanced from the advertiser’s end.

“Some ad-networks have already done this: Facebook and Google both have thresholds on how few users an ad can specify that it targets (20 and 1,000, respectively). However, both of these ad-networks are abnormal in the ecosystem because they are also software platforms with large user-bases. Thus, they have a market incentive to protect user privacy that many other ad-networks do not.”

Adam Lee, Professor at the University of Pittsburgh and a reviewer of the study told Wired:

“It’s not a particularly high bar to entry for a very, very highly targeted attack.”