The Quiet Fight for User Data
There’s a silent battle going on for consumers’ browsing habits, shopping preferences, location data, and other sensitive information. Marketers and technology providers have teamed up to implement advanced tracking systems that can follow users from device to device and around the web, and the vast majority of people have no idea it’s happening.
The technology behind this tracking is ingenious in both its conception and implementation. Known as ultrasonic cross-device tracking, the system uses inaudible signals from ads on TV or online to pair users with their various devices. The second piece of the system is code embedded in mobile apps that can receive and interpret the audio signals. That allows advertisers to track users across their various devices and monitor their online behavior, all in the service of more accurately targeting ads and putting specific offers in front of potential customers.
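Seen from the defender's side, the signal path described above can be checked for in captured audio. The sketch below is an added example, not code from the research or from any tracking vendor: it flags a sustained narrowband tone near the top of the audible range using the Goertzel algorithm. The 18–20 kHz band, the sample rate, the thresholds and the test signal are all assumptions constructed for illustration.

```python
import math
import random

RATE = 44100            # Hz; assumed microphone capture rate
BAND = (18000, 20000)   # Hz; assumed near-ultrasonic beacon band, not given in the article
FRAME = 441             # samples per frame (10 ms), so DFT bins are 100 Hz apart

def goertzel_power(frame, k):
    """Normalised power of DFT bin k, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(frame) ** 2

def scan(samples, ratio=100.0):
    """Return (frame_index, freq_hz) for frames with a narrowband peak in BAND."""
    bins = range(BAND[0] * FRAME // RATE, BAND[1] * FRAME // RATE + 1)
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        power = {k: goertzel_power(frame, k) for k in bins}
        floor = sorted(power.values())[len(power) // 2]   # median = band noise floor
        peak = max(power, key=power.get)
        if power[peak] > ratio * max(floor, 1e-12):
            hits.append((start // FRAME, peak * RATE // FRAME))
    return hits

def has_beacon(samples, min_fraction=0.5):
    """True when a sustained tone occupies at least min_fraction of the frames."""
    frames = len(samples) // FRAME
    return frames > 0 and len(scan(samples)) >= min_fraction * frames

def constructed_audio(beacon_hz=None, seconds=0.5, seed=1):
    """Constructed test signal: 1 kHz tone plus noise, optionally a quiet beacon."""
    rng = random.Random(seed)
    out = []
    for i in range(int(RATE * seconds)):
        t = i / RATE
        x = 0.5 * math.sin(2 * math.pi * 1000 * t) + rng.gauss(0.0, 0.01)
        if beacon_hz:
            x += 0.05 * math.sin(2 * math.pi * beacon_hz * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print(has_beacon(constructed_audio()), has_beacon(constructed_audio(18500)))
```

On real recordings a window function and a longer observation period would be needed before treating a hit as anything more than a prompt to look closer.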
This ultrasonic tracking technology has been in use for a couple of years at least, and several companies are selling various versions of it. The most well-known right now is India’s SilverPush, whose code was the subject of a warning letter from the Federal Trade Commission to a number of app developers earlier this year. The FTC warned the developers that they needed to disclose the presence of SilverPush’s technology in their mobile apps. The company had said that it didn’t work with developers in the United States, and soon after the FTC sent its letter, SilverPush said it would stop selling its audio beacon technology.
But the idea of ultrasonic tracking is just getting started, and researchers have begun to take a close look at its privacy and security implications. A group of researchers from University College London has done new work that highlights problems with some of the existing tracking frameworks and shows how an adversary could use simple techniques to identify users, even those who are on Tor or a VPN.
“For example, an attacker equipped with a simple beacon-emitting device (e.g., a smartphone) can walk into a Starbucks at peak hour and launch a profile-corruption attack against all customers currently taking advantage of uXDT-enabled apps,” the research says.
Security people on the defensive side of the fence love to talk about the cat-and-mouse game between attackers and security teams. And it’s an apt description. As attackers begin using a new technique, defensive teams start to adapt to it and find ways to prevent or mitigate it. By the time that’s accomplished, the adversaries have moved on to something else, and the game starts all over again.
That cycle has been repeating for decades, but now it’s beginning to emerge in the privacy world as well. We’ve seen it recently with the battle between Facebook and ad blockers, and many news sites are making life very difficult for visitors who value their security and privacy by asking them to disable ad blockers, too. This is now extending to advertisers and the technology companies who provide them with the tools they need to stay a step ahead of privacy tools.
The good news is that regulators and privacy advocates are aware of what’s going on with audio tracking and are following the developments closely. We’ve already seen some results from this, with the FTC’s intervention. But the bad news is that you can bet these companies already are well down the road to developing the system that will replace ultrasonic tracking. It may be a year or two until we see it, but it’s coming and it won’t be good.