What's Happening In Security #20

Location Tracking On Another Level

We know that company’s are always collecting information on us, but a company called Babel Street takes it to a whole other level with their product “LocateX” which offers hyper accurate location tracking. This tool allows users to draw a shape on a map and replay the movements of phones entering or leaving that area as recently as a few days prior. It leverages Mobile Advertising IDs (MAIDs) embedded in both Android and Apple devices to enable this tracking.

A lawsuit filed on behalf of New Jersey police officers receiving death threats, recently brought this situation to light. The extent of location tracking was so egregious that investigators were able to track over 100,000 hits on one of the plaintiffs.

How do they do it? How is it possible that a single company that most of us have never heard of has such a large amount of data? Programmatic Advertising is how.

Okay, a lot of data comes from other software vendors selling data to data brokers, but publishers are another huge source. A majority of spending on digital advertising is done through programmatic advertising, a process in which websites and advertisers buy and sell advertising space automatically.

When a user visits a site, a process called “real time bidding” (RTB) is triggered and the highest bid wins the advertisement. During RTB, a stream of information known as a bidstream is sent to prospective advertisers which includes information like location data to inform the buying process. Even if they don’t win the bid, advertisers still receive all this valuable information.

Impacts. As mentioned above, this information could be used to dox (publish identifying information about someone on the internet) police officers.

Another dangerous observed use case was by an anti-abortion group in Wisconsin which ran targeted ads at individuals that regularly visited an abortion clinic. In certain states where travelling to get an abortion is banned, this technology could realistically see some use.

Accessibility. Initially MAID was created to anonymize users while allowing personalized ads, but given how lucrative deanonymizing this information could be, people have put in a lot of effort to do just that.

Using the technique of bidding information described above, a german news outlet BR24 was able to figure out movement patterns of millions of people across Germany, including strong evidence that one of them was an intelligence agent and where they live

An investigator in the court case inquired about information on certain home addresses, and was told that while the service is only meant for government workers, “they don’t actually check”, so it’s not a problem.

An aside on app permissions. The only app on the officer’s phone which used location tracking was Macy’s who claim they do not share this data outside of with a few partners.

• Looking at this Exodus report you can see that Macy’s has many trackers

• More importantly, given that data is brokered many times, even if Macy’s only sells information to some company’s, it can easily proliferate to other companies like Babel Street

What Can You Do?

Turning off certain settings on your mobile device is a good start. Here’s what you should do.

Androids: Delete your advertising ID

Apple: Go to Privacy and Security, Tracking, Turn off “Allow Apps to Request to Track”

Simple actions like restricting app permissions and disabling advertising IDs can help reduce these problems immensely, so give it a try and tell your friends and family too.

Thanks for taking the time to read this week’s deep dive into security. If it’s something you want to talk more about, feel free to reach out! If you know someone else you might like it, give it a share!

See you in the next one.