Saturday, May 6, 2017

Got an Android Phone? Ultrasonic Tracking is Growing

In November of '15, I reported on a story about how advertisers were embedding ultrasonic tones, 18 to 20 kHz, in TV ads and using them for a whole new level of user tracking. These tones are beyond normal human hearing, but within the bandwidth of most phones' audio paths.
These sounds, above the range of human hearing, are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser.  While you can't hear the sound, nearby tablets and smartphones can detect it.  When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.  Of course, they also know the location of all those appliances, too. 
I don't see how they could know "how long a person watches the ads" - you could leave your phone in the room with the TV or computer and be somewhere else. I could see, though, that if your phone shows you were exposed to a TV ad for something and some time later did a web search on that subject, they might conclude you saw it and were influenced by it.

In that article, I wrote about industry-leader SilverPush, a rapidly growing (50% per quarter) Indian software company. Under pressure from the Federal Trade Commission, they promised in March of '16 that they were going to kill off their product, a Software Development Kit (SDK) that allows others to write software that does the tracking and correlating. Yesterday, Ars Technica reported that the use of their SDK seems more widespread than ever.
As of January, there were 234 Android apps that were created using SilverPush's publicly available software developer kit, according to the paper, [pdf warning] which was published by researchers from Technische Universität Braunschweig in Germany. That represents a dramatic increase in the number of Android apps known to use the creepy audio tracking scheme. In April 2015, there were only five such apps.
A representative sample of just five of the 234 apps have been downloaded from 2.25 million to 11.1 million times, according to the researchers, citing official Google Play figures. None of them discloses the tracking capabilities in their privacy policies.
SilverPush is denying everything.  Founder Hitesh Chawla said his company abandoned the ad-tracking business in late 2015.
"We respect consumer privacy and would not want to build our business foundation where the privacy is questionable," he told Ars. "Even when we were live, our SDK was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible. Every time a new handset gets activated with our SDK, we get a ping on our server. We have not received any activation for six months now."
In a case like this, I trust the German researchers over the software company. The team that did the research says all 234 apps positively contain the SilverPush SDK. That means phones that have the apps installed are silently listening for ultrasonic sounds without the knowledge or consent of their owners. On the other hand, the researchers were unable to find any ultrasonic beacons in TV audio, although they thought their tests were too limited in time and scope to really know. For their part, Google said everything in the Google Play store had to meet their requirements for developers to "comprehensively disclose how an app collects, uses and shares user data, including the types of parties with whom it's shared." They never answered the question (from Ars) asking why none of the five apps cited in the research findings disclosed the SilverPush functions. As of yesterday, when Ars published the story, those apps were still in the store.
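An added example, not from the original post, the Ars article or the researchers' paper: one way to check a recording for a narrowband tone in the 18 to 20 kHz band described at the top of this post. The capture rate, frame size, both thresholds and the constructed test clip are assumptions.

```python
import math
from statistics import median

RATE = 44100                       # capture rate in Hz (assumed)
FRAME = 512                        # samples per analysis frame, about 12 ms
PROBES = range(18000, 20001, 100)  # Hz; the 18 to 20 kHz band named in the post

def goertzel_power(frame, freq, rate):
    """Squared magnitude of one frequency component (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan(samples, rate=RATE, min_share=0.001, min_peak_ratio=10.0):
    """Return [(start_seconds, freq_hz)] for frames holding a narrowband tone
    in the probe band. Both thresholds are assumptions to tune on real audio."""
    hann = [0.5 - 0.5 * math.cos(2.0 * math.pi * i / (FRAME - 1)) for i in range(FRAME)]
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = [x * w for x, w in zip(samples[start:start + FRAME], hann)]
        energy = sum(x * x for x in frame)
        if energy == 0.0:
            continue
        powers = [goertzel_power(frame, f, rate) for f in PROBES]
        peak = max(powers)
        share = 2.0 * peak / (FRAME * energy)      # about 0.67 for a lone pure tone
        # Narrowband test: a beacon stands far above the rest of the band,
        # while broadband hiss or cymbals raise every probe together.
        if share > min_share and peak > min_peak_ratio * median(powers):
            hits.append((round(start / rate, 3), PROBES[powers.index(peak)]))
    return hits

def constructed_clip(beacon=True, rate=RATE, seconds=0.5):
    """Constructed test audio: 1 kHz programme tone, plus an 18.5 kHz tone
    20 dB quieter between 0.2 s and 0.3 s when beacon=True."""
    out = []
    for n in range(int(rate * seconds)):
        t = n / rate
        x = 0.5 * math.sin(2.0 * math.pi * 1000.0 * t)
        if beacon and 0.2 <= t < 0.3:
            x += 0.05 * math.sin(2.0 * math.pi * 18500.0 * t)
        out.append(x)
    return out

if __name__ == "__main__":
    for when, freq in scan(constructed_clip()):
        print(f"{when:.3f}s  tone near {freq} Hz")
```

On real recordings the capture chain matters: a microphone or codec that rolls off below 18 kHz will hide a tone that is actually present, so a clean result only means something if the recording path is known to pass that band.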

There are uses for this technology that are considered ethical.  Marketers can track the whereabouts of shoppers as they move throughout a large department store. Promoters using other companies' audio-beacon technologies can also use them to push ads or coupons to people who are near a certain store or service. The researchers said two services—Shopkick and Lisnr—use ultrasonic beaconing for legitimate purposes such as these, and they disclose the tracking prominently.
(Graphic from the Technische Universität Braunschweig pdf)
There are some other possible uses that are considered rather less ethical.  Note in particular the last sentence here:
Advertisers, for example, may use the beacons with no disclosure at all to measure how often a particular TV ad is viewed. The technology can also be covertly used to perform cross-device tracking that allows marketers to tie a single person to the multiple media devices she uses. The researchers said the beacons could similarly be used to identify people using the Tor anonymity service.
The German paper was presented at the recent (late April) 2nd annual IEEE European Symposium on Security and Privacy in Paris, France. In the paper, the researchers wrote:
In summary, an adversary is able to obtain a detailed, comprehensive user profile by creating an ultrasonic side channel between the mobile device and an audio sender. Our case study on three commercial ultrasonic tracking technologies reveals that the outlined tracking mechanisms are not a theoretical threat, but actively deployed (e.g. Shopkick and Lisnr) or at least in the process of being deployed (e.g. SilverPush).
I'm somewhat paranoid about privacy (a blogger with a pseudonym?  Who would've guessed?) and this technology creeps me out.  I don't want things running on my devices that I don't know about.  It even creeps me out when the Weather Channel app puts a little footer on my iPhone that says, "Good morning" and uses my name.  My policy on all software is "when I want something out of you, I'll ask you".  This stuff brings to mind the increasingly prophetic scene in Minority Report, where Tom Cruise's character is walking into a store and the ads are calling him by name - everything targeted at him.  Along with everyone else in the store creating a constant cacophony of ads.  I don't like the idea of being watched, listened to or tracked at all, and I don't particularly like the idea of ads being shoved in my face all the time.



  1. I suspect that my LG A380 flip phone with no apps does not do this to me.

    Understand that Big Silicon loves them some Big Government, and one should expect that ALL their products provide unlimited access to the FedPigs. Without any requirement for a warrant.

    But then of course the FedPigs are so honest that surely none of them would distribute the ability to access such backdoors outside the FedPig community...

  2. I really doubt that the people in India who developed SilverPush give a damn about privacy - ours least of all. I am still using my old Motorola flip that I got back in 2003 or 2004. I've got zero interest in all of the apps I could be using on an iPhone or Android device, and not only do I have SIRI shut off (I _think_ it is ;-) on my Mac laptop, but I have electrician's tape over the camera and microphone. Call me paranoid, but my concern is - am I paranoid enough?

  3. But SiG, with an Android phone you can root and flash a different version of your OS.

    There are even tools to restrict access to the services apps can access.

    1. According to the article on Ars Technica, these apps are not playing nice. They say, "None of them discloses the tracking capabilities in their privacy policies." There are also comments that said you may need to be more preemptive than usual.

      People won't know to go after this problem unless they know it's a problem. Hence the post.

    2. In the newer versions of Android, you have to give (or deny) access to phone capabilities for each app - GPS, network, contacts, microphone, camera, etc; if an odd app tries to use the microphone, it'll ask permission and if you are thinking, you may start wondering why it wants it ...