Ads that track users’ online activities are bad enough, but now there’s a new threat that looks even worse: ads that use inaudible, high-frequency sounds to covertly track online behavior across a range of devices, including tablets, phones, computers, and even TVs.
These ultrasonic pitches - which are embedded into TV commercials or get played when ads are displayed in a browser - are detected by nearby smartphones and tablets. When this happens, browser cookies are able to pair a single user to multiple devices, tracking what TV commercials the person sees, how long they watch the ads, and whether the person acts on the ads by doing a web search or buying a product, according to Ars Technica.
The Center for Democracy and Technology, a digital rights advocacy group, recently filed comments to the Federal Trade Commission, expressing its concerns over such cross-device tracking technology. The FTC has responded by scheduling a workshop to discuss the tracking tech and what kind of implications it may have.
According to the CDT’s letter, using this high-frequency sound method “is a more accurate way to track users across devices” compared to other techniques that track people without using cookies. One example of this type of so-called ‘Probabilistic tracking’ is Browser Fingerprinting - a technique that combines specific user data, such as what plugins and system fonts they use, in order to create a unique browser ‘fingerprint’ that could potentially be used to identify them.
"As a person goes about her business, her activity on each device generates different data streams about her preferences and behavior that are siloed in these devices and services that mediate them," CDT officials wrote. "Cross-device tracking allows marketers to combine these streams by linking them to the same individual, enhancing the granularity of what they know about that person."
The CDT’s letter goes on to state that a number of companies are working on ways to pair a given user to specific devices, including Drawbridge, Flurry and even Adobe. But the worst offender by far is SilverPush – a company that recently raised $1.25 million for global expansion.
“When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.”
It’s claimed that as of April 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones - and you can’t opt out of the tracking technology.
This isn’t the first time reports of this kind of tech have come to light. In 2013, a security consultant and organizer of the CanSecWest and PacSec conferences, Dragos Ruiu, claimed to have discovered a piece of malware called badBIOS that uses the speakers of an infected machine to transmit data through ultrasonic transmissions that is received by the microphone of another infected machine.
It appears that the more technology advances, the more ways companies find to surreptitiously track people. Hopefully, the CDT’s letter will prompt the FTC to find better ways of regulating this practice.