Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob | Vines, Roesner, Kohno

Paul Vines, Franziska Roesner, Tadayoshi Kohno; Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob; In Proceedings of the 16th ACM Workshop on Privacy in the Electronic Society (WPES 2017); 2017-10-30; 11 pages; outreach.

tl;dr → Tadayoshi et al. are virtuosos at these performance art happenings. Catchy hook, cool marketing name (ADINT) and press outreach frontrunning the actual conference venue. For the wuffie and the lulz. Nice demo tho.
and → They bought geofence campaigns in a grid. They used close-the-loop analytics to identify the sojourn trail of the target.
and → don’t use Grindr.

Abstract

The online advertising ecosystem is built upon the ability of advertising networks to know properties about users (e.g., their interests or physical locations) and deliver targeted ads based on those properties. Much of the privacy debate around online advertising has focused on the harvesting of these properties by the advertising networks. In this work, we explore the following question: can third-parties use the purchasing of ads to extract private information about individuals? We find that the answer is yes. For example, in a case study with an archetypal advertising network, we find that — for $1000 USD — we can track the location of individuals who are using apps served by that advertising network, as well as infer whether they are using potentially sensitive applications (e.g., certain religious or sexuality-related apps). We also conduct a broad survey of other ad networks and assess their risks to similar attacks. We then step back and explore the implications of our findings.

Mentions

  • Markets
    They chose

    • Facebook
    • not Google
    • etc.
    • not to fight with big DSPs;
      they picked the weaker ones to highlight.
  • Apps
    They chose

    • lower-quality apps.
    • adult apps
      few “family oriented” [none?] apps.
    • <ahem>Adult Diapering Diary</ahem>

Claimed

  • DSPs sell 8m CEP (precision) location.

Spooky Cool Military Lingo

  • SIGINT
  • HUMINT
  • ADINT

Targeting Dimensions

  • Demographics
  • Interests
  • Personally-Identifying Information (PII)
  • Domain (a usage taxonomy)
  • Location
  • Identifiers
    • Cookie Identifier
    • Mobile Ad Identifier (e.g. IDFA, GPSAID)
  • Technographics
    • Device (Make Model OS)
    • Network (Carrier)
  • Search

Media Types

Supply-Side Platforms (SSPs)

  • Adbund
  • InnerActive
  • MobFox
  • Smaato
  • Xapas

Supply (the adware itself, The Applications, The Apps)

  • Adult Diapering Diary
  • BitTorrent
  • FrostWire
  • Grindr
  • Hide My Texts
  • Hide Pictures vault
  • Hornet
  • iFunny
  • Imgur
  • Jack’D
  • Meet24
  • MeetMe
  • Moco
  • My Mixtapez Music
  • Pregnant Mommy’s Maternity
  • Psiphon
  • Quran Reciters
  • Romeo
  • Tagged
  • Talkatone
  • TextFree
  • TextMe
  • TextPlus
  • The Chive
  • uTorrent
  • Wapa
  • Words with Friends

Demand-Side Platforms (DSPs)

  • Admedo
  • AdRoll
  • AdWords
  • Bing
  • Bonadza
  • BluAgile
  • Centro
  • Choozle
  • Criteo
  • ExactDrive
  • Facebook
  • GetIntent
  • Go2Mobi
  • LiquidM
  • MediaMath
  • MightyHive
  • Simpli.Fi
  • SiteScout
  • Splicky
  • Tapad

Promotions


Argot

The Suitcase Words

  • Mobile Advertising ID (MAID)
  • Demand-Side Platform (DSP)
  • Supply-Side Platform (SSP)
  • Global Positioning System (GPS)
  • Google Play Store (GPS)
  • geofencing
  • cookie tracking
  • Google Advertising Identifier (GAID)
    Google Play Services Advertising Identifier (GAID)
  • Facebook
  • Snowden
  • WiFi

Previously filled.

Pre-Conference AdTech Summarization | Gubbins

; Things you should know about AdTech, today; In His Blog, centrally hosted on LinkedIn; 2017-08-30; regwalled (you have to login to linkedin).

Occasion

Boosterism in front of the trade shows
  • Exchange Wire #ATSL17
  • Dmexco
  • Programmatic IO

Mentions

  • There be consolidation in the DSP category.
  • There will be more DSPs, not fewer.
  • Owned & Operated (O&O)
  • preferential deals
  • private equity companies
  • party data & a GDPR compliant screen agnostic ID
  • no “point solutions.”
  • Doubleclick Bid Manager (DBM), Google
  • Lara O’Reilly; Some Article; In Business Insider (maybe); WHEN?
    tl;dr → something about how Google DSP DBM guarantee “fraud-free” traffic.
  • Ads.txt (Authorized Digital Sellers), IAB Tech Lab
  • Claimed:
    comScore publishers are starting to adopt Ads.txt

Buy Side

Deal Flow
  • Sizmek acquired Rocket Fuel, (unverified) $145M.
  • Tremor sells its DSP to Taptica for $50M.
  • Singtel acquired Turn for $310M.
No flow, yet
  • Adform
  • MediaMath
  • DataXu
  • AppNexus

Sell Side

  • Header Bidding (HB)
    • Replaces the SSP category
    • <quote>effectively migrated the sell sides narrative & value prop of being a yield management partner to that of a feet on the street publisher re-seller.</quote>
  • QBR (Quarterly Business Result?)
  • Prebid.js
  • With server bidding, too.
  • Supply Path Optimization (SPO)
    • Brian O’Kelley (AppNexus); Article; In His Blog; WHEN?
      Brian O’Kelley, CEO, AppNexus.
    • Article; ; In ExchangeWire; WHEN?
  • Exchange Bidding in Dynamic Allocation (EBDA), Google
Exemplars
  • The Rubicon Project
    a header tag, compatible with most wrappers, no proprietary wrapper, only Prebid.js
  • Index Exchange
    a header tag, compatible with most wrappers, a proprietary wrapper
  • OpenX
    a header tag, compatible with many (not ‘most’) wrappers, a proprietary wrapper
  • AppNexus
    a header, compatible with many (not ‘most’) wrappers, a proprietary wrapper (that is better than OpenX’s which is not enterprise grade)
  • PubMatic
    a header tag, compatible with many (not ‘most’) wrappers, a proprietary wrapper.
Other
  • TrustX
    • with
      • Digital Content Next
      • IPONWEB
      • ANA
    • Something about a transparent marketplace.
  • Something about another supply network
    • German
    • trade press in Digiday
Mobile
  • No header bidding, yet.
  • Mobile equals Adware (“in app”)
    • but Apps don’t have “browsers.”
    • but App browsers don’t have “pages” with “headers.”
    • though Apps have SDKs (libraries).
Video
  • RTL acquires SpotX
  • <quote>One could argue video is the perfect storm for header bidding, limited quality supply & maximum demand, the ideal conditions for a unified auction…</quote>
Talking Points
  • The industry is currently debating the pros & cons of running header bidding either client or server side (A lot boils down to latency V audience match rates)
  • Google offer their own version of header bidding, this is referred to as EBDA (Exchange Bidding in Dynamic Allocation) and is available to DFP customers.
  • Facebook recently entered header bidding by launching a header tag that enables publishers to capture FAN demand via header bidding on their mobile traffic.
  • Criteo entered header bidding by offering publishers their header tag (AKA Direct Bidder) that effectively delivers Criteo’s unique demand into the publisher’s header auction, at a 1st rather than cleared 2nd price.
  • Amazon have launched a server to server header bidding offering for publishers that delivers unique demand and the ability to manage other S2S demand partners for the publisher.
Extra Credit
  • <quote>senior AdTech big wigs</quote>
  • programmatic auction process
  • 1st v 2nd price
  • 2nd price was for waterfall
  • 1st price will be for unified (header bidding)

General Data Protection Regulation (GDPR)

  • 2018-05
  • Consent must be collected.
  • Will make 2nd party data marketplaces economical.
  • The salubrious effect.
  • Publishers have a Direct Relationship with consumers.
    this is argued as being “better.”
  • Industry choices
    • collect holistic consent
      <quote>one unified [process] of consumer [outreach] rather than one for every vendor</quote>
    • individual vendor consent
      <quote>for every cookie or device ID that flows through the OpenRTB pipes we have spent the last 10 years laying.</quote>

Viewability & Brand Safety

  • IAB
  • MRC

Talking Points

  • Moat was sold to Oracle for reported number of $800M.
  • PE Firm Providence Equity bought a % of Double Verify giving them a reported value of $300M.
  • Integral Ad Science remains independent, for now

Telcos

  • Telcos have what everybody in AdTech wants:
    • accurate data
    • privacy compliant data
    • scaled data
    • 1st party data.
  • Telcos want what AdTech & publishing companies have:
    • programmatic sell and buy side tools
    • content creation functions
    • distribution at scale.
    • diversification of revenues

Talking Points

  • Verizon buys AOL & Yahoo to form Oath, a publisher, a DSP, a DMP.
  • Telenor buys TapAd, a cross-device DMP-type-thing
  • Altice buys Teads, a streaming video vendor
  • Singtel buys Turn, a DSP
  • AT&T needs a line in this list; might want to buy Time Warner which is a movie studio, media holding company, a cable operator, an old owner of AOL.
Shiny
Smartpipe
Raised $18.75M, Series A. Why?
ZeoTap
Raised $20M, through Series B, Why?

Data Management Platform (DMP)

  • Not a pure-play business.
    • A division, not a business.
    • An interface, not a division.
  • Everyone wants to own one.
Deciderata
  • Should DMP’s also be in the media buying business?
  • What are DMP’s doing to stay relevant for a world without cookies?
  • Do DMP’s plan to build or buy device graph features / functions?
  • For platforms that process & model a lot of 1st, 2nd & 3rd party data, how will they be affected by the pending GDPR?
Talking Points
  • Adobe bought Tube Mogul, a video DSP, for $540M (based on information & belief).
  • Oracle bought Moat, a verification feature, for $800M
  • Oracle bought Crosswise, a cross-device database, for <unstated/>
  • Salesforce bought Krux, a DMP, for $700M

Lotame remains independent, for now

ID Consortium’s & Cross-Device Players

Claims
Probabilistic “won’t work”
<quote>The GDPR may make it very difficult for a number of probabilistic methods to be applied to digital ID management.</quote>
Walled Garden
They … <quote>are using their own proprietary cross-screen deterministic token / people based ID that in many cases only works within their O&O environments.</quote>
Universal ID
Is desired. <quote>CMO’s & agencies in the future will not be requesting a cleaner supply chain, but a universal ID (or ID clearing house) that will enable them to manage reach, frequency & attribution across all of the partners they buy from.</quote>
Initiatives
The DigiTrust
<quote>This technology solution creates an anonymous user token, which is propagated by and between its members in lieu of billions of proprietary pixels and trackers on Web pages.</quote>
Claim: “Many” leading AdTech companies are already working with the DigiTrust team. [Which?]
AppNexus ID Consortium
  • Scheme: people-based ID.
  • Launch: 2017-05
  • Trade Name: TBD
    • Index Exchange
    • LiveRamp
    • OpenX
    • Live Intent
    • Rocket Fuel
Standalones
  • Adbrain
  • Screen6
  • Drawbridge

Blockchain

BUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ!

  • Blockchain is slow, too slow, way too slow
    Blockchain can handle 10 tps.
  • Does not work in OpenRTB
  • NYIAX
    • New York City
Referenced
  • Some Q&A; In AdExchanger
    tl;dr → interview of Dr Boris WHO?, IPONWEB; self-styled “the smartest man in AdTech and he concurs”

Artificial Intelligence

  • Is bullshit.
  • c.f. (names dropped)
    • Deepmind
    • Boston Dynamics

Omitted

  • DOOH
  • Audio
  • Programmatic TV
  • Over The Top (OTT)
  • MarTech != AdTech

Previously filled.

Graph Processing Using Big Data Technologies | InfoQ

Tapad’s Graph Processing Using Big Data Technologies; Charles Menguy; In InfoQ; 2014-03-17.

Mentioned

  • The article appears to be an interview with Dag Liodden, but rambles on into a general overview of the genre
    • Big Data (which is big)
    • Graph
    • JVM Culture
  • Tapad
    • Dag Liodden
    • Quoted for color, background & verisimilitude.
    • Testifies to participation in the genre.
  • Facebook
  • Factoids
    • U.S. Graph
      • 1.1×10⁹ nodes.
      • “multiple” TB
        • stored in <= 20TB Flash SSD
        • 2TB working RAM
      • 100,000 q/s
      • multiple data centers
      • geographic replication
  • Nodes are classed
    • transient,
    • persistent (non-transient)
  • Persistent
    • 5 edges (around, average)
    • 500 profile facts
  • Scheme
    • Online truth maintenance (real-time serving)
    • Offline usage (dump to HDFS)

Referenced, Cited

Via: backfill, backfill

Online Ads Can Now Follow You Home | Spencer E. Ante, WSJ

Spencer E. Ante; Online Ads Can Now Follow You Home; In The Wall Street Journal (WSJ); 2013-04-29
Teaser: Firms Are Helping Brands Like Expedia Serve Ads to Users Across PCs and Mobile Devices

Mentions

  • Expedia Inc.
    • Jeff Warren, vice president of mobile and online partner marketing
    • Uses Drawbridge Inc.
  • eMarketer Inc.
    • factoids
  • Drawbridge Inc.
    • <quote>which uses a “triangulation” method to try to figure out when a mobile user is the same person as a desktop user.</quote>
    • <quote>Drawbridge sends cookies to desktop and mobile browsers to track the ads being requested by the devices. If the patterns show enough in common—using the same Internet address at similar times, for instance—the company figures there is a good chance they are from one anonymous user.</quote>
  • Apple
    • Advertising Identifier (IDFA)
  • MoPub Inc.
    • Paul Gelb, “head” of strategy.
  • Facebook
    • Gokul Rajaram, product director for ads.
    • Mobile was 23% of Facebook revenue 2012-Q4.
    • Mobile was 0% of Facebook revenue 2012-Q2.
  • Google
    • “enhanced campaigns”
      • Launch 2013-02
      • target ad bids by multiple locations and specific days and times of the week all within one campaign.
    • Not clear why G. is mentioned in the article on “device graph” & “triangulation”
  • Tapad Inc.
    • Are Traasdahl, CEO.
    • Imputes purchasing intent to view & visitation behavior.
    • Has 75 advertisers buying their segments.
    • Had zero business 18 months ago

Fingerprinting And Beyond: The Mobile Ad Targeting Trade-Off | Ad Exchanger

Judith Aquino; Fingerprinting And Beyond: The Mobile Ad Targeting Trade-Off; In Ad Exchanger; 2013-03-29.

Citations & Mentions

  • Judith Aquino; Apple Sets Cut-off for UDID Apps; In Ad Exchanger; 2013-03-22.
  • Adelphic Mobile
    • Ray Colwell, CRO
    • Waltham, MA
    • Founders: “ex Quattro”
    • Funding: $10M, Series A “recently”
    • AudienceCube (product)
      • “real-time mobile signature”
    • Claim
      • Accuracy: 80%-100%
    • Promotion: AdExchanger Q&A 2012-03
  • Drawbridge
    • Kamakshi Sivaramakrishnan, founder
    • Founders: “ex AdMob”
    • San Mateo, CA
    • Funding: $14M “recently”
    • Products
      • “Drawbridge for Mobile Marketing”
      • “Drawbridge for Cross‑Screen Marketing”
    • Claims:
      • Accuracy: 60%-90%
      • Uses “clickstream behavior”; no clicks, no data
      • Accents the opt-out; if opted out on one device, assumes all
    • Promotion: AdExchanger Q&A 2012-11
  • BlueCava
  • TapAd
  • Ringleader Digital (defunct)