It's not just personally identifiable information that can be used to personally identify you, researchers have warned.
The collection of user data is a frequent target for criticism, especially with regards to privacy concerns. Now it turns out that knowing that you buy shoes from Asos could contribute to finding out who you are behind the screen.
Threat actors can abuse advertising to find out when you leave the house, where you go and when you're busy online, says a team from the University of Washington - all on a comparatively modest budget of $1,000 or less.
Report co-author Franzi Roesner said, "Because it was so easy to do what we did, we believe this is an issue that the online advertising industry needs to be thinking about.
"We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them."
An individual advert buyer can, under the right circumstances, see when a person physically visits a specified location in near-to-real time (within 10 minutes of their arrival). It might highlight a company that an investor is interested in (because of an office visit), or the location of an illicit affair.
The target doesn't even need to click an advert to be tracked; it simply needs to be displayed to them. The advertising network then reports back on that fact to the buyer.
As well as location (to an accuracy of 8m), advert buyers can see the types of apps that their target is using; that could lead to information about dating habits, political or religious affiliations, health, interests and more.
There are limitations: the target must be using apps that show advertising, and they must stay in one location for five minutes or more before an ad is served to them. Most importantly, the buyer must have the MAID of a target before being able to track them individually.
A device's MAID (Mobile Advertising ID) is a unique identifier, and is what enables adverts to target an individual device. The researchers (Paul Vines, Tadayoshi Kohno and Franzi Roesner) describe a method of obtaining the target's MAID through sniffing their network traffic; and then creating a series of adverts, each targeting that MAID and a different GPS location. The buyer can then track the target's movements in a defined area.
The target could get around the tracking by manually resetting their device's MAID (a feature that many phones now offer), although there are other means of targeting a user, such as using an IP address as a substitute for a MAID. Another possibility is targeting a specific app, which would show a buyer all of the users in an area.
To stop this type of threat, the researchers recommend that advertiser networks ensure adverts must target a minimum number of people, and/or prevent the delivery of ads from a single buyer to the same person multiple times in one day. They could also limit the data that they pass back to the advertiser, such as what type of app the advert was displayed in.
Mike Viscuso, CTO and co-founder of Carbon Black, told us:
"The research talks about the fact that a device's mobile advertising ID (MAID) needs to be associated to a person. If you then took out an ad and associated the location with the MAID this creates a second piece of metadata. At this stage neither pieces of metadata would be considered as personal identifiable information. However, if you combined the two pieces of metadata with a person's 'precise' location this could be considered as PII...
"The MAID exists to serve marketers, but consumers should be asked whether they actually prefer that marketers know what they like and dislike, so they don't have to hunt around looking for what they want, versus the potential risk of exposing personal identifiable information. The best way to start to answer this dilemma is for operating system manufacturers to ask consumers which MAID they would like to use for any given disclosure.
"Additionally, on a more concerning level, this is the latest instance of how the bar is being lowered for cybercriminals to enter the game. We've seen that recently with ransomware and now that's also the case with online advertising. As software is created, developers should be keeping security in mind throughout the entire process to help alleviate some risk associated with revealing potentially private information."
Updated on 24/10/17 to add comment from Carbon Black
After firing off writs against AMD and Intel, ambulance-chasing lawyers take aim at Apple
Scientists claim to have found a way to create lighter and more reliable batteries
A malicious script has been in operation since November
Scientists are crowdsourcing help in detecting rare high-energy cosmic rays - and all you need is a mobile phone