Did you know mobile devices use Advertiser Identification Codes (Ad IDs) to distinguish you from others? Maybe you did and you are aware most devices now come with a way of Controlling Ad IDs… but to what extent does it become Pointless Privacy? Read on to find out what thousands of app developers are doing to track you even if you say a Big Fat ‘NO!’, and how device manufacturers really need to play the ‘catch up‘ game quicker to meet our privacy needs.
UPDATED! Netflix Tracks Your Movements
It has just come to light that Netflix, the video streaming website has been running experiments on users. Netflix has been requesting access to your physical activity (movement data) whilst you watch movies. Netflix attributed this experiment with the lame excuse of trying to improve video quality. I feel this is just a cover up and actually, they intend to see how users engage with advertising material. I have placed a link in the further reading section at end.
What is an Ad ID?
An advertising identifier (Ad ID) is referred to as the industry standard for identifying users (commonly known as advertiser assets) across all media platforms. It’s a unique identifying code that allows any media company the ability to track your every movement on the world wide web (and physical geometric location). It’s important to remember advertising never sleeps and it operates 24hrs a day, seven days each week, 365 days (plus leap year days) and doesn’t stop. It allows the advertising industry as a whole to become more efficient in everything it does, and gives the ability to scale their value based on user data collected.
Why are Ad IDs used?
Simply put, Ad IDs are used to allow companies to track you when you are browsing the internet, using your phone, your computer, your tablet, opening system applications, third-party applications, playing games, tracking your physical location and building a map of your common routes taken, and link all this together to build a user profile. This profile becomes an asset and is valuable to companies wanting to sell products or services. Example companies whom build up user profiles for a monetary value are Google, Amazon, Facebook, Twitter, eBay, Internet Service Providers (ISPs), Netflix, and more. Even companies or individuals you would not expect to collect your data are developing and operating small utility apps such as torches, and calculators having hidden tracking abilities built in.
This user profile data is then offered to potential buyers whom want to sell their products or services to a general population, or whom require a more specific detailed profile to increase potential sales opportunities (you). This user profile data could be sold on many times, to many different organisations. This profile data is also commonly shared with many advertising industry organisations without the subjects’ knowledge or agreement (privacy terms are normally hidden within lengthy, complex terms and conditions documentation).
Why is it Pointless Privacy?
Firstly, allow me to clarify: I am not insinuating privacy is in any form pointless. I have been a privacy advocate for many years, and hold strong opinions about how we all have become tangible, profit fulfilling assets for big data companies (and possibly have been since the birth of the very first mobile application).
It’s a common question I get because you would assume, having the ability to change your Advertising ID (Ad ID), it could potentially stop you being tracked for marketing and sales. However, there is one major flaw with this logic which leads me to state, ‘It’s Pointless Privacy‘.
We are all tangible, profit fulfilling assets for big data companies.By ThinkOgram (2019)
Along with Ad IDs, there are also other identifying IDs on your devices. Two of the most common types are: your phone number, and your Device ID number. Now… just to clarify… phone manufacturers and application marketplace owners do have strict terms and conditions in place. These terms and conditions refer to how Device IDs are to be used. However, a recent research study has highlighted thousands of device apps collecting additional IDs in tandem with Ad IDs.
What is a Device ID?
A Device ID is a unique number or code enabling anybody to identify a particular device. There are many different types of codes depending on the device being used. For example, Apple has the ‘Unique Device Indentifier (UDID)‘, Blackberry has the ‘Mobile Equipment Indentity (IMEI)‘, and Android has the ‘Mobile Equipment Identifier (MEID)‘.
Phone numbers can be used to identify a particular user or device. It’s not very often people want to change their phone numbers. It can be a hassle and many communications could be lost if the right people are not informed.
MAC Address codes are also another Device ID. It stands for ‘Media Access Control (MAC)‘ and is commonly used to identify devices on both home and commercial networks.
Why are these Device IDs important?
Application developers and even website owners can trace your browsing habits, look into your contact lists, even make phone calls without your prior knowledge or permission, track your every location, examine your personal files, documents, and private photos. It’s also possible to send your location data to many mobile ad networks instantly.
However, if you are able to change your Ad ID there should not be a problem right? NOPE!! This would be the ideal situation but sadly, this is never the case. Unfortunately, many application and device developers/manufacturers are finding many backdoors to get access to your data. This can still be achieved even if you have reset your Ad ID, selected not to have tailored advertisements, and restricted the application’s access to your device data via your privacy settings.
The application developers are also sending your Device IDs ranging from MAC address, phone numbers, and IMEI, UDID, MEID data. The Device ID codes are seen as perminant identifiers. Yes, you can change your MAC address to a certain extent, and changing your IMEI could land you in big trouble with law enforcement in certain countries. However, the average user wouldn’t be aware of the possiblities to change the codes, and even less likely to have the knowledge to carry out such a task.
Again… What’s the problem with all this?
Here is the crunch of it… thousands of application developers are grabbing your unique Ad IDs as per the terms and conditions for App market stores. However, they are also grabbing your perminant indentifiers along with them. This means, even if you change your Ad ID, they could easily still link your records up. The objective here is to build a profile up of each user. This means big money because it’s big data. Each users’ data is worth something to a potential advertiser. You think you can just unlink your records, reduce tailored adverts, even change your mobile if needed. However, there are so many ways to link your data back to the original profile, it becomes Pointless Privacy.
Initial Research Way Back in 2010
It is a common, acceptable fact a high percentage of smart device apps may threaten your privacy. Way back in 2010, a joint research project was conducted between Intel Labs, Penn State, and Duke University. It was found 15 out of 30 Android apps analysed sent your physical location data (geolocation information) to remote ad servers without users’ knowledge or permission. It was argued this could easily allow app venders and advertisers to create a very conprehensive profile about your most private likes and dislikes, the places you love to visit, and your Web surfing habits. Those app venders and advertisers can then use your private data (user profiles) however they want, and sell to whom ever they want, as many times as they want, whenever they want.
Meanwhile, still back in 2010, a security vendor named SMobile Systems found from their analysis, 20 percent of Android apps allowed third party (third party meaning companies other than the app venders themselves) access to private or very sensitive information about you. SMobile Systems also warned 5 percent of the apps were able to make phone calls by themselves without any user intervention. 2 percent could even send text messages to a premium, for-pay number… again, without the user having any intervention.
Apple is clearly not immune to this type of data gathering threat. In January 2010, a class-action law suit filed in San Jose charged Apple, and also the music-streaming service Pandora and others with ‘transmitting users’ personal, indentifying information to advertising networks without obtaining their consent‘. The law suit also charged, ‘some of the popular in-use apps were also selling additional information to ad networks‘. This additional data involved, ‘location data, age, gender, income data, ethnicity, your sexual orientation‘, and even your ‘political views’. We’ve all certainly heard recently about the Cambridge Analytica scandals.
After this, the most comprehensive investigation into smart device apps gathering user data without knowledge or permission, and how it may and could be used was conducted by the Wall Street Journal. The Journal examined not just 30 smart apps, but 101 popular iOS and Android apps. The examination found 56 of those apps transmitted the phone’s unique Device ID to other companies without users’ awareness or any form of consent. Forty-seven of those apps transmitted the device’s physical geolocation data, and a further five sent personal user data relating to age, gender, and other personal details to outside companies.
Fast Forward to 2019
App developers now like your data so much, they are willing to go to great lengths to get their hands on it. Even if this means, ignoring the app store terms and conditions, and also the Pointless Privacy settings you enable or restrict within your device settings.
The most recent data was presented at the PrivacyCon 2019 event held in June 2019. Researchers from the International Computer Science Institute (ICSI) presented data showing as many as 1325 Android apps were gathering additional data from devices. This was still true even if the user had denied such permissions within the app itself, or within the pointless device privacy settings.
1325 Smart Device apps scraping your data without your knowledge or consent.International Computer Science Institute (ICSI) (2019)
Here’s An Example Scenario
Let’s take your private photos that you use within those very addictive photography apps. We use these apps because they make our amature photos look more professional, or change our personal looks to better please us (this is a whole new topic for another day). How would you feel if, within your settings, you had requested no location data be taken. Then you find out the app has scanned all your photos to obtain such data? I know personally, I would feel very betrayed, and would instantly remove the application from my smart device.
Other smart apps gathered your location data by extracting your MAC Address indentifiers mentioned above, and those MAC addresses for your private or public Wi-Fi routers. This would allow them to pinpoint your exact location at any time. Whether you are in a coffee shop having a beverage but your phone is connected to the free Wi-Fi, or whether you are at your home address putting your feet up binge watching Stranger Things on Netflix. Your devices will probably be connected to your home network right? Now they have your physical home location too.
Is this a New Threat for Privacy?
According to Chris Morales, who is head of security analytics for a company called Vectra says this:
Apps capturing and using data in unintended ways is not new and has been a problem since the first smart [device] app was introduced.Chris Morales – Head of Security – Vectra (2019)
Here is the thing… the smart device market moved and grew so quickly, the app markets didn’t really have much in way of applications to use. They began pushing out applications and allowing third parties to develop them also. However, even though this provided us with a great source for entertainment and usage, the app markets were not focused on security and protecting our data once we had installed all these smart apps. We now find the app markets, and device manufacturers are playing the, ‘clean up game‘. They are only just starting to realise how important customer data is to the people who own it… the user!!!
Google has labeled these data collection methods as, ‘side channel access‘. However, instead of rolling out a global fix for all their devices to actually give meaning to your Pointless Privacy settings, they are only going to address this issue in their next major Android release… known as Android Q. Here is the issue with this logic… most devices currently in use will not be getting access to the new Android Q release. There are millions of devices currently being used who are not going to get this critical update. As such, those millions of devices will remain vulnerable to these ‘side channels‘.
Unfortunately, we live in a world where our data is more important than our rights for these big (and some small) companies. Our data is being taken from us without our knowledge, and even still when we have taken the time to put our trust in the device privacy settings. With the scope of the new regulations and laws currently in force… GDPR, CCPA, and LGPD for example, I feel it should be a requirement for all app store owners, device manufactors, and smart app developers to adopt a ‘zero trust‘ approach. Not just a ‘zero trust‘ but also a ‘zero tolerance‘ for those whom refuse to abide by the strict policies and user enabled privacy settings.
Until the manufacturers deal with their market places, and start to enforce zero tolerance approaches upon app developers, I feel our privacy settings will remain nothing but Pointless Privacy.
Reardon, J., Feal, Á., Wijesekera, P., n.d. 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System 18.
Egelman, S., n.d. Ad IDs Behaving Badly – The Appcensus Blog. URL https://blog.appcensus.mobi/2019/02/14/ad-ids-behaving-badly/ (accessed 7.14.19).
Android App Publishers Won’t Take “No” for an Answer on Personal Data [WWW Document], n.d. . Dark Reading. URL https://www.darkreading.com/endpoint/android-app-publishers-wont-take-no-for-an-answer-on-personal-data/d/d-id/1335169 (accessed 7.14.19).
Best practices for unique identifiers [WWW Document], n.d. . Android Developers. URL https://developer.android.com/training/articles/user-data-ids (accessed 7.14.19).
Google Assistant finally gets a gesture shortcut in Android Q beta 5 [WWW Document], 2019. . Digital Trends. URL https://www.digitaltrends.com/mobile/google-android-q-news/ (accessed 7.14.19).
Google I/O: Android Q Will Bring App Permissions Firmly Under Control [WWW Document], 2019. . Digital Trends. URL https://www.digitaltrends.com/mobile/google-io-2019-android-q-permissions-and-security/ (accessed 7.14.19).
Over 1,000 Android Apps are Collecting User Data Without Permission [WWW Document], 2019. . Digital Trends. URL https://www.digitaltrends.com/mobile/android-app-data-collection-without-permission/ (accessed 7.14.19).
Faas, P.G., Al Sacco and Ryan, 2011. Smartphone apps: Is your privacy protected? [WWW Document]. Computerworld. URL https://www.computerworld.com/article/2509878/smartphone-apps–is-your-privacy-protected-.html (accessed 7.14.19).
Hautala, L., n.d. These Android apps have been tracking you, even when you say stop [WWW Document]. CNET. URL https://www.cnet.com/news/these-android-apps-have-been-tracking-you-even-when-you-say-stop/ (accessed 7.14.19).
Isaac, M., 2017. Uber’s C.E.O. Plays With Fire. The New York Times.
Ad-ID, 2018. . Wikipedia.
About Ad-ID/History | Ad-ID [WWW Document], n.d. URL http://www.ad-id.org/about (accessed 7.14.19).
Truth and Advertising IRL: Stop Targeted Ads from Following You, 2016. . How to, Technology and PC Security Forum | SensorsTechForum.com. URL https://sensorstechforum.com/truth-and-advertising-irl-stop-targeted-ads-from-following-you/ (accessed 7.31.19).
Netflix Android App Requests Access to Physical Activity. But Why?, 2019. . How to, Technology and PC Security Forum | SensorsTechForum.com. URL https://sensorstechforum.com/netflix-android-app-access-physical-activity/ (accessed 7.31.19).