Cross-Device Tracking: a privacy invasive tracking method
Marketing companies are always on the lookout for new methods to track user activity on the Internet. These information are used to display targeted advertisement to users which have a better return than less-targeted ads.
The more a company knows about a user, the higher the return and that is the main reason why companies step up the tracking game despite public outcry about it and the rise of ad-blockers.
In fact, tracking is one of the core reasons -- the other is invasive ads -- that users install ad-blockers on their devices.
Cross-Device Tracking is yet another ingenious method to track users. As the name suggests, it has the capability to track users across devices. This is done by using high-frequency sounds that are inaudible to the human ear.
The method links devices such as web browsers, mobile devices or TVs through the use of these sounds and browser cookies resulting in a combined tracking profile of the user across devices instead of just individual devices.
The technique allows companies to track users even more, as they know for instance for how long TV ads are watched.
SilverPush, one of the companies that uses cross-device tracking, monitors 18 million smartphones already as of April 2015.
For those who are tracked, it is nearly impossible to tell if they are. These companies don't offer opt-outs and there is no software available that blocks the transmission of high-frequency audio signals. Furthermore, it is unclear which apps, ads or companies make use of the technology. The technique is limited by distance first and foremost.
It seems as well that only apps are used currently to pick up these audio signals, and that ads on the PC and TVs are merely used to push out these signals.
The CDT letter of SilverPush revealed some information, including that the company's software is used on 67 apps, and that "more than a dozen marketing companies" use cross-device tracking.
One recourse that users have is to limit microphone access on their mobile devices. The main issue here is that this is not available by default on many devices. While there are apps available that block the microphone altogether, they may cause usability issues as the microphone needs to be enabled for phone calls for instance.
It is interesting to note that Cross-Device Tracking resembles badBios, a malware discovered in 2013 that uses inaudible sounds to bridge air-gapped computer systems. (via Ars Technica)
On my Android (Samsung) phone I use a Czech app with the somewhat clumsy name “Microphone Guard (Mute&Block)”.
If you set this one to mute the mic, it will still auto-activate the mic during phone calls.
It also has an option that will mute the mic only when the phone screen is off (in daily life this means it will activate the mic as soon as you touch the screen, and mute it again when the phone goes to sleep afterwards).
And it has a per-app whitelist option, so when a whitelisted apps is running, the mic will be activated automatically. For example, you might want to whitelist Skype.
This is certainly not a perfect app. The settings interface has ads (which I hate). It lacks a status bar icon to permanently show the actual mic on-off status. And it does not autorun, meaning you need to restart it manually after a phone reboot (unless you make a script for that). But at least when I need it, this one does work for me.
Due to their hardware linkage, your experience with apps of this kind may vary. It’s quite possible that this one may not work equally well with different Android smartphones. But maybe it’s worth a try?
Can you link that app, please?
Good God! Nearly every day it seems I learn of more ways we are spied on! Thank you, Martin, for bringing this to my attention.
Other companies doing this besides Silverpush appear to be Adobe, Drawbridge, Flurry (purchased by Yahoo last year), and Tapad.
The only defenses against this for now seem to be, as you said, muting the microphone, or putting enough physical distance between devices so that audible signals cannot be picked up by the microphones.
It’s going to get worse. Internet advertising revenues for just the United States totaled $27.5 billion in the first 6 months of 2015. That was an increase of 19% over 2014. Social advertising increased 51% in the first 6 months of 2015. Mobile revenues increased 56% and were the 2nd largest income source after search engines. Spying on us is way profitable.
Source: Interactive Advertising Bureau (IAB) report published Oct. 21, 2015
http://www.iab.com/wp-content/uploads/2015/10/IAB_Internet_Advertising_Revenue_Report_HY_2015.pdf
There is one flaw to this from a marketing perspective – imagine a household of multiple users – it’s probably going to mix profiles and produce “false positives”.
As for this particular CDT method – a lot depends on the hardware/speaker capabilities. Most speakers can’t reproduce ultrasonic sounds. A lot of sound cards can’t produce anything above 20-24kHz = a fundamental characteristic of the 44.1kHz or 48kHz sampling rate limit of their DAC’s. Just how good are the speakers in your TV for example, or laptop, or smartphone. And just how good is your microphone? (lets also not forget that browsers can have settings or prefs for use of microphones/cameras)
Also, devices would have to be “infected” (a dumb TV for example could only transmit) – most adblocking would kill this (and specific blacklists will spring up), not to mention not allowing cookies or having XSS control etc.
I would also think that devices (think smartphones) that are “infected” (eg running a background listening service) would run down the battery and become obvious targets in tech news, hacks, etc.
At this stage, despite the numbers, I’m kinda thinking this is more a proof of concept and not fiscally feasible yet. I still the worst CDT is the XUID? headers injected by your ISP .. in plain f*kkin text.
These technologies don’t use ultra sonic sounds but inaudible audio watermarks in the audible spectrum (see audiowatermarking.info for an example).
As for the battery drain, Google Launcher also listens for “OK, Google” all the time and it doesn’t seem to drain battery extensively.
From the Ars article: “The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser”. Pretty sure ultrasonic is not in the audible spectrum. However, hiding watermarks in audio is a definite technique.
You mentioned TV’s in this article. I’m guessing that you’ve heard about Vizio’s nastiness.
http://arstechnica.com/security/2015/11/own-a-vizio-smart-tv-its-watching-you/
https://www.bing.com/news/search?q=Vizio+TV
@Pants: Most people do not hear sounds higher than 16kHz. I do not hear anything higher than 15kHz.
My understanding is, without looking anything up, that 20kHz is excellent (perfect?) hearing .. and tapers off as you get older. Looks like the Mosquito ( https://en.wikipedia.org/wiki/The_Mosquito ) uses 17.4 to annoy teenagers.
“This is done by using high-frequency sounds that are inaudible to the human ear.”
Can dogs hear it?
After a year of your article, this is from Wired, https://www.wired.com/2016/11/block-ultrasonic-signals-didnt-know-tracking I don’t see how to block it though. They do mention researchers from UCSB and UCL offer a software patch, but I can’t see where to find it.
Any ideas?
Probably not released yet to the public.