Privacy advocates warn FTC about ad tracking tech that uses inaudible sounds to link devices


Posts: 6,307   +53
Staff member

Ads that track users’ online activities are bad enough, but now there’s a new threat that looks even worse: ads that use inaudible, high-frequency sounds to covertly track online behavior across a range of devices, including tablets, phones, computers, and even TVs.

These ultrasonic pitches - which are embedded into TV commercials or get played when ads are displayed in a browser - are detected by nearby smartphones and tablets. When this happens, browser cookies are able to pair a single user to multiple devices, tracking what TV commercials the person sees, how long they watch the ads, and whether the person acts on the ads by doing a web search or buying a product, according to Ars Technica.

The Center for Democracy and Technology, a digital rights advocacy group, recently filed comments to the Federal Trade Commission, expressing its concerns over such cross-device tracking technology. The FTC has responded by scheduling a workshop to discuss the tracking tech and what kind of implications it may have.

According to the CDT’s letter, using this high-frequency sound method “is a more accurate way to track users across devices” compared to other techniques that track people without using cookies. One example of this type of so-called ‘probabilistic tracking’ is browser fingerprinting - a technique that combines specific user data, such as what plugins and system fonts they use, in order to create a unique browser ‘fingerprint’ that could potentially be used to identify them.

"As a person goes about her business, her activity on each device generates different data streams about her preferences and behavior that are siloed in these devices and services that mediate them," CDT officials wrote. "Cross-device tracking allows marketers to combine these streams by linking them to the same individual, enhancing the granularity of what they know about that person."

The CDT’s letter goes on to state that a number of companies are working on ways to pair a given user to specific devices, including Drawbridge, Flurry and even Adobe. But the worst offender by far is SilverPush – a company that recently raised $1.25 million for global expansion.

“When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.”

It’s claimed that as of April 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones - and you can’t opt out of the tracking technology.

This isn’t the first time reports of this kind of tech have come to light. In 2013, a security consultant and organizer of the CanSecWest and PacSec conferences, Dragos Ruiu, claimed to have discovered a piece of malware called badBIOS that uses the speakers of an infected machine to send data as ultrasonic transmissions that are received by the microphone of another infected machine.

It appears that the more technology advances, the more ways companies find to surreptitiously track people. Hopefully, the CDT’s letter will prompt the FTC to find better ways of regulating this practice.

Image credit: enzozo / Shutterstock
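To make the mechanism concrete from the listening side, here is an added example (not from the article, the CDT letter, or any vendor) that flags stretches of captured audio carrying unusual energy just above the audible range. The 18-20 kHz band, the 44.1 kHz capture rate, the frame size and the threshold are all assumptions, since the article gives no frequencies; the audio is constructed in the code.

```python
import math

RATE = 44100           # assumed capture rate (Hz)
FRAME = 2048           # samples per analysis frame
BAND = (18000, 20000)  # assumed "inaudible" band; the article gives no frequencies
THRESHOLD = 1e-3       # flag frames with more than 0.1% of their energy in BAND

def goertzel_power(frame, k):
    """|X_k|^2 of DFT bin k, computed with the Goertzel recurrence."""
    coeff = 2 * math.cos(2 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_fraction(frame, rate=RATE, band=BAND):
    """Fraction of a frame's energy that lies inside `band` (Parseval)."""
    n = len(frame)
    # Hann window keeps loud audible content from leaking into the band.
    win = [x * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, x in enumerate(frame)]
    total = sum(x * x for x in win)
    if total == 0.0:
        return 0.0
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = math.floor(band[1] * n / rate)
    in_band = sum(goertzel_power(win, k) for k in range(k_lo, k_hi + 1))
    return 2 * in_band / (n * total)   # x2: positive and negative frequencies

def beacon_frames(samples, rate=RATE):
    """Indices of frames whose near-ultrasonic energy share exceeds THRESHOLD."""
    hits = []
    for idx in range(len(samples) // FRAME):
        frame = samples[idx * FRAME:(idx + 1) * FRAME]
        if band_fraction(frame, rate) > THRESHOLD:
            hits.append(idx)
    return hits

def constructed_capture(with_beacon):
    """Constructed audio: 440 Hz tone, plus a quiet 18.5 kHz tone in frames 2-3."""
    out = []
    for i in range(4 * FRAME):
        x = 0.5 * math.sin(2 * math.pi * 440 * i / RATE)
        if with_beacon and i >= 2 * FRAME:
            x += 0.05 * math.sin(2 * math.pi * 18500 * i / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print(beacon_frames(constructed_capture(False)), beacon_frames(constructed_capture(True)))
```

The high tone here is 20 dB quieter than the audible one, yet its frames still stand out because ordinary speech and music put almost no energy in that band.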




Posts: 14,028   +1,802
HMM; devices pick up sounds - - Yea, there's a mic but it's not continuously active (think Siri disabled). So the question is, where's the trigger and what gets notified? Puzzling


Posts: 544   +185
TechSpot Elite
When you think of these things, do not think of them in the singular nor in the present tense. Think of them as steps along a path.

Smart TVs, these days, have microphones. All tablets, phones, notebooks, have Bluetooth and most speaker/mics.

Prior to very recent events concerning "possible" spying by manufacturers using things like Siri, the thought of being surreptitiously listened to didn't occur to those embracing every new feature.

This is an exploited feature of a feature.

There is a new Bluetooth standard coming out. I'm betting no one is specifying sound input and output requirements only in the human audible range (setting aside humans under 20 years old), especially not as a setting. Maybe they will now.

Look for other exploits later. LED outputs are not limited to visible. Cameras routinely filter over/under frequencies from pictures. Neither of these are mandated by standards. This makes them exploitable. Remember, the users expect a camera on everything.

Wifi, 4G, Bluetooth broadcasts are continuous unless turned off. Newly developed ping broadcasting methods will allow transmission and tracking of hardware response of devices, not even user response, but it can be inferred in 3D space.

This particular article is notable because it gets inside the home/user space without the user's knowledge or consent. There will be much more of this occurring as the internet of things and IPv6 are implemented.

If you're worried about audio I/O, these are helpful. You can put a couple batch files like these on your desktop:

sc stop "audiosrv"
sc start "audiosrv"

I did.

Of course, if you're like my spouse and can't stand the silence, someone will be and is watching you.


Posts: 1,200   +740
I'm continuously amazed at the number of apps that require access to my microphone and camera. Any time I see that, I don't install the app. I recently tried to install a browser on my tablet but every one seems to need access to my microphone. Eventually I found Opera Mini which is barebones and needs very few permissions.