By SecureWorld News Team
Fri | Oct 20, 2017 | 3:38 PM PDT

Do you remember playing the board game "Clue" in your younger days?

In the game, you were trying to solve a murder.

"I think it was Professor Plum, in the library, with the candlestick," you might say.

But when it comes to our privacy, researchers have discovered it was the MAID, in the coffee shop, using a smartphone, that gave your privacy away.

The MAID is not a real person, but it does identify one: you.

What is a MAID?

A MAID is your Mobile Advertising ID. Did you even know you had one of those?

Researchers at the University of Washington's Security and Privacy Research Lab say this MAID functions kind of like a "whole device" cookie. It tracks you.

And because this ID is assigned to your device, exclusively, it makes it easier for advertisers to target you more accurately. It's why you may be using an app or surfing the web when an ad suddenly pops up for the restaurant down the block. 

That ad could be helpful, especially if you're hungry. But the researchers found out there is a gaping privacy hole where almost anyone could track anyone else on the cheap.

How ad targeting agency tracking can be used by bad actors

The University of Washington cybersecurity researchers explain how easy it is to track someone in their cleverly titled paper: "Exploring ADINT: Using Ad Targeting for Surveillance on a Budget—or—How Alice Can Buy Ads to Track Bob."

The team spent about $1,000 to target ads toward 10 real and 10 facsimile users, based on the Mobile Advertising ID assigned to each device. Even they were stunned by what they found.

They were able to track the users' paths, which apps the user was using, and when this was all happening. It turns out when a custom ad is served up, these details can be seen. 

“To be very honest, I was shocked at how effective this was,” says Tadayoshi Kohno, who co-directs the Paul G. Allen School's Security and Privacy Research Lab. “There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision.”

Can you imagine how this could be used by everyone from nation-state bad actors to homegrown criminals or a suspicious spouse?

It appears this is another case where cybersecurity, privacy, and physical security all intersect. 

The social engineering possibilities are also very real here, with the information they could find.

University of Washington researchers say it could be a new way of intelligence gathering

The University of Washington researchers are calling the method of information gathering they used ADINT. From their FAQ section:

The U.S. government’s naming scheme for different categories of intelligence gathering capabilities, including SIGINT (signals intelligence, like radio interception) and HUMINT (human intelligence, like espionage). We dub intelligence gathered through the advertising ecosystem, as a purchaser of the ads, as ADINT (advertising-based intelligence). ADINT is intelligence gathering through the purchasing of ads.

Sometimes when new studies come out around privacy or cybersecurity it seems like an attempt at free publicity and little more.

But the research team at the University of Washington, including professor Franziska Roesner, says this is about taking a serious look at something that could be used maliciously if nothing changes.

“We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks,” she explained, “and so that there can be a broad public discussion about how we as a society might try to prevent them.”

As that discussion gets started, just remember what is happening when you get that next custom ad.

"It was the MAID, in the coffee shop (or wherever you are), using a smartphone, that gave your privacy away."  
