Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob | Vines, Roesner, Kohno

Paul Vines, Franziska Roesner, Tadayoshi Kohno; Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob; In Proceedings of the 16th ACM Workshop on Privacy in the Electronic Society (WPES 2017); 2017-10-30; 11 pages; outreach.

tl;dr → Tadayoshi et al. are virtuosos at these performance art happenings. Catchy hook, cool marketing name (ADINT) and press outreach frontrunning the actual conference venue. For the wuffie and the lulz. Nice demo tho.
and → They bought geofence campaigns in a grid. They used close-the-loop analytics to identify the sojourn trail of the target.
and → don’t use Grindr.

Abstract

The online advertising ecosystem is built upon the ability of advertising networks to know properties about users (e.g., their interests or physical locations) and deliver targeted ads based on those properties. Much of the privacy debate around online advertising has focused on the harvesting of these properties by the advertising networks. In this work, we explore the following question: can third-parties use the purchasing of ads to extract private information about individuals? We find that the answer is yes. For example, in a case study with an archetypal advertising network, we find that — for $1000 USD — we can track the location of individuals who are using apps served by that advertising network, as well as infer whether they are using potentially sensitive applications (e.g., certain religious or sexuality-related apps). We also conduct a broad survey of other ad networks and assess their risks to similar attacks. We then step back and explore the implications of our findings.

Mentions

  • Markets
    They chose

    • Facebook
    • not Google
    • etc.
    • not to fight with big DSPs;
      they picked the weaker ones to highlight.
  • Apps
    They chose

    • lower-quality apps.
    • adult apps
      few “family oriented” [none?] apps.
    • <ahem>Adult Diapering Diary</ahem>

Claimed

  • DSPs sell 8m CEP (precision) location.

Spooky Cool Military Lingo

  • SIGINT
  • HUMINT
  • ADINT

Targeting Dimensions

  • Demographics
  • Interests
  • Personally-Identifying Information (PII)
  • Domain (a usage taxonomy)
  • Location
  • Identifiers
    • Cookie Identifier
    • Mobile Ad Identifier (e.g. IDFA, GPSAID)
  • Technographics
    • Device (Make, Model, OS)
    • Network (Carrier)
  • Search

Media Types

Supply-Side Platforms (SSPs)

  • Adbund
  • InnerActive
  • MobFox
  • Smaato
  • Xapas

Supply (the adware itself, The Applications, The Apps)

  • Adult Diapering Diary
  • BitTorrent
  • FrostWire
  • Grindr
  • Hide My Texts
  • Hide Pictures vault
  • Hornet
  • iFunny
  • Imgur
  • Jack’D
  • Meet24
  • MeetMe
  • Moco
  • My Mixtapez Music
  • Pregnant Mommy’s Maternity
  • Psiphon
  • Quran Reciters
  • Romeo
  • Tagged
  • Talkatone
  • TextFree
  • TextMe
  • TextPlus
  • The Chive
  • uTorrent
  • Wapa
  • Words with Friends

Demand-Side Platforms (DSPs)

  • Admedo
  • AdRoll
  • AdWords
  • Bing
  • Bonadza
  • BluAgile
  • Centro
  • Choozle
  • Criteo
  • ExactDrive
  • Facebook
  • GetIntent
  • Go2Mobi
  • LiquidM
  • MediaMath
  • MightyHive
  • Simpli.Fi
  • SiteScout
  • Splicky
  • Tapad

Promotions

Argot

The Suitcase Words

  • Mobile Advertising ID (MAID)
  • Demand-Side Platform (DSP)
  • Supply-Side Platform (SSP)
  • Global Positioning System (GPS)
  • Google Play Store (GPS)
  • geofencing
  • cookie tracking
  • Google Advertising Identifier (GAID)
    Google Play Services Advertising Identifier (GAID)
  • Facebook
  • Snowden
  • WiFi

Previously filled.

How Much of Your Audience is Fake? | Bloomberg

How Much of Your Audience is Fake?; Ben Elgin, Michael Riley, David Kocieniewski, and Joshua Brustein; In Bloomberg Business; 2015-09-23.
Teaser: Marketers thought the Web would allow perfectly targeted ads. Hasn’t worked out that way.

tl;dr → traffic fraud is everywhere and nobody cares; chum bucketers: Taboola, Outbrain; exemplar MyTopFace, Boris Media Group buys from Viant, MySpace who sourcemake it.

Mentions

  • Google
  • Yahoo!
  • programmatic
  • audience buying
  • Ford Motor
  • Metrics
    attributed to Ron Amram, Heineken on $150M yearly spend

    • Return on Ad Spend (ROAS)
      • Digital → 2:1
      • TV → 6:1 ($6 increase in sales for $1 advertising spend)
    • Viewability
      • 20%
    • Non-Human Traffic (NHT)
      • 11% of views are bots, attributed to WhiteOps.
      • $6.3B/year
  • Association of National Advertisers (ANA)
  • <quote>Consumers, meanwhile, to the extent they pay attention to targeted ads at all, hate them: The top paid iPhone app on Apple’s App Store is an ad blocker.</quote>
  • Bonnier
    • Swedish
    • media conglomerate.
    • 21-years old
    • Who
      • Sean Holzman, chief digital revenue officer.
      • Paul Maya, global head of digital
    • operates
      • savent.tv
      • video sites
        • Outdoor Life,
        • Popular Science.
        • Saveur
        • Working Mother
    • <quote>About half of Saveur.tv’s home page is taken up by a player that automatically plays videos with simple kitchen tips. In early September, the spots (How to Stir a Cocktail, Step One: “Hold the spoon between pointer and middle finger …”), were preceded by ads from Snapple and Mrs. Meyer’s household cleaning products.</quote>
  • Chum Bucketers
    • purchased traffic
      generated traffic
    • Exemplars
      • Taboola
      • Outbrain
    • 2% CTR
  • DoubleVerify
  • Buying & Selling TRAFFIC; a forum on LinkedIn
  • SiteScout
    • traffic protection estimation
    • <quote>blocks several of these new Bonnier sites for “excessive nonhuman traffic.”</quote>
  • SimilarWeb
    • traffic protection estimation
  • Techniques of Low-Quality Traffic
    • popups
    • tab-unders
    • video autoplay
  • Advertise.com
    • a traffic supplier
    • Sherman Oaks, CA.
    • Daniel Yomtobian, chief executive officer
  • Benjamin Edelman
    • activist
    • advice
    • professor, School of Business, Harvard
  • Boris Media Group
    • MyTopFace.com
    • Owner
      • Boris Boris
      • age 28
      • wife
      • son, age 1 month
      • Ukraine
    • makeup advice
    • Pricing
      • $0.73 → $10 CPM
    • Inventory
      • stale content
      • milled content
      • video (autoplay)
    • Advertisers
      • American Express
      • Hebrew National Hot Dogs
    • Traffic Sources
      • MySpace
      • Facebook (at 100x cost, so … not much)
    • Quality
      • 94% bots
      • <quote>Bloomberg BusinessWeek asked two traffic-fraud-detection firms to assess recent traffic to MyTopFace; they agreed on the condition that their names not be used.</quote>
  • MySpace
    • Viant, owner
    • relaunched in 2013
    • video
      • exclusives
      • commissioned work
      • milled content
      • user-generated content
    • Chris Vanderhook, chief operating officer
    • Affiliate Program
      • video player syndication
    • Claim
      • syndicated video player shows blocked content preceded by ads
      • blocked content of MySpace plays
        • Hitboy
        • Surfing
    • Advertisers
      • Chevrolet
      • Kozy Shack pudding
      • Procter & Gamble
        • Always
        • Tampax
      • Unilever
  • Telemetry
    • fraud detection
  • Sovrn Holdings
    • an ad exchange
    • Walter Knapp, CEO

Referenced

Quoted

For color, background & verisimilitude.

  • Ron Amram
    • Heineken, USA
    • ex-media director, prepaid cellular, Sprint
  • Fernando Arriola, vice president for media and integration at ConAgra Foods.
  • Perri Dorset, press relations, Bonnier.
  • Jim Kiszka, senior manager for digital strategy, Kellogg’s.
  • Walter Knapp, CEO, Sovrn Holdings.
  • Sean Holzman, chief digital revenue officer, Bonnier.
  • Paul Maya, global head of digital, Bonnier.
  • Chris Vanderhook, chief operating officer, Viant
  • Eileen Wunderlich, press relations, Chrysler.
  • Daniel Yomtobian, chief executive officer, Advertise.com