Exploring ADINT: Using Ad Targeting for Surveillance on a Budget - or - How Alice Can Buy Ads to Track Bob

The online advertising ecosystem is built upon the ability of advertising networks to know properties about users (e.g., their interests or physical locations) and deliver targeted ads based on those properties. Much of the privacy debate around online advertising has focused on the harvesting of these properties by the advertising networks. In this work, we explore the following question: can third-parties use the purchasing of ads to extract private information about individuals? We find that the answer is yes. For example, in a case study with an archetypal advertising network, we find that - for $1000 USD - we can track the location of individuals who are using apps served by that advertising network, as well as infer whether they are using potentially sensitive applications (e.g., certain religious or sexuality-related apps). We also conduct a broad survey of other ad networks and assess their risks to similar attacks. We then step back and explore the implications of our findings.

[1]  Rob Miller,et al.  Sikuli: using GUI screenshots for search and automation , 2009, UIST '09.

[2]  Aleksandra Korolova Privacy Violations Using Microtargeted Ads: A Case Study , 2011, J. Priv. Confidentiality.

[3]  R. Shay,et al.  Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising , 2012 .

[4]  Craig E. Wills,et al.  Understanding what they do with what they know , 2012, WPES '12.

[5]  David Wetherall,et al.  Detecting and Defending Against Third-Party Tracking on the Web , 2012, NSDI.

[6]  Hao Chen,et al.  Investigating User Privacy in Android Ad Libraries , 2012 .

[7]  Fang Yu,et al.  Knowing your enemy: understanding and detecting malicious web advertising , 2012, CCS '12.

[8]  Fei Gao,et al.  A Malicious Advertising Detection Scheme Based on the Depth of URL Strategy , 2013, 2013 Sixth International Symposium on Computational Intelligence and Design.

[9]  Umberto Ferraro Petrillo,et al.  A Review of Security Attacks on the GSM Standard , 2013, ICT-EurAsia.

[10]  Gianluca Stringhini,et al.  The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements , 2014, Internet Measurement Conference.

[11]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[12]  Ryan Stevens,et al.  MAdFraud: investigating ad fraud in android applications , 2014, MobiSys.

[13]  Steve Mansfield-Devine When advertising turns nasty , 2015, Netw. Secur..

[14]  Edward W. Felten,et al.  Cookies That Give You Away: The Surveillance Implications of Web Tracking , 2015, WWW.

[15]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[16]  Vitaly Shmatikov,et al.  What Mobile Ads Know About Mobile Users , 2016, NDSS.

[17]  Jennifer Granick,et al.  We Kill People Based on Metadata , 2017 .