Ask HN: Girlfriend is being shown ads depending on what we do together. How?
My girlfriend came to check out some open houses with me yesterday after work. By 10 PM, she was seeing ads on Instagram for new houses. She hasn't shopped for a house before, or even done any searches on Google on that topic. I simply invited her to come with me and she did.
Similarly, we were at her place the other day and watched a kung fu movie on my laptop (connected to her wifi), and then went to bed. The next morning she started seeing ads for martial arts schools in the area.
What is happening?
She doesn't have an Amazon Echo or anything else that might be listening, although she does have an Android phone. She most likely has the default (stock) settings and apps. Regardless, I want to help her improve her privacy. What steps should I take (other than installing ad-blockers on her phone)?
Corollary: Is this what the Internet is like for "regular" people? If so, holy shit. I'm glad I use uBlock Origin on my computers and an iPhone.
95 comments
[ 3.6 ms ] story [ 102 ms ] thread1. Checking Open houses: Many apps are authorized by most users to access their location. Ads space providers qualify their data, that is the way they earn their life. Then if one Ad client works in real estate, the Ads space, sorry your girlfriend phone screen, is a nice target for real estate Ads.
2. Kung fu ads: A Ads space provider for some of the ads may have noticed that several different user agents come from the same IP adress, so it inferred incorrectly that they belong to the same person.
I'd like to add that Android by default tracks your location constantly [1]. I recently got a Pixel and was staying in a hotel. Every night I came back to the hotel room it would ask me to rate it or upload pictures of it to Google Maps. It can be disabled in Settings, iirc.
[1]: https://www.google.com/maps/timeline?pb
Somewhere, in a dark corner in a AWS datacenter in Oregon, some third-party tracking software records "Hey, the only user within five-mile radius that blocks our ad links just finished watching a kung fu movie."
The way to avoid this is to opt out of interest based ads. iOS and Android both have options for this.
1) Facebook (ie instagram) knows you are in a relationship
2) Facebook knows girlfriend's location from being signed in (on Instagram)
3) Facebook knows locations are at open houses from data gathered from other users or around the web. Or maybe Facebook knows that going to a few totally new random residential locations in a short period of time, combined with girlfriend's other engagement activities means user is looking for a new place to live.
You can geofence users (probably the realtor does it) and then send targeted ads to audiences that touch more than one geofenced area.
For the kung-fu panda and martial arts. Do you share wifi and (public) ip addresses with your girlfirend?
Cellphone tower is similarly equivalent to location.
Cell phone towers don’t correlate to IPs at all; the IP layer is added way above all that at the GGSN in the carrier’s network, which doesn’t even know nor care which tower you’re connected to.
There you go.
Speaking of wifi, by correlating IP address and MAC broadcasts, ad networks could figure out your MAC address. This could also be used to track your location.
MAC addresses are never transmitted past the first layer 2 hop, so it would require either a compromised switch/access point (like public WiFi) to be nearby and the phone to connect to it (phones randomise MACs when searching for networks to protect against that).
The Android permissions are still not enough; there is a lot of nasty stuff you can do on Android (get low-level cell tower information, WiFi, Bluetooth, etc) that is outright impossible on iOS.
As far as you know.
Since their OS is proprietary, security research is severely hindered, and they are inherently incentivized to hide security flaws.
Still better than leaving the capability right there in the open, no?
Also you do understand critical parts of Android like Google Play Services are closed source, and also outright malicious when it comes to a privacy standpoint (it’s right there in the name - Google Play Services).
Sure, you can build a privacy-conscious Android from scratch if you’re tech-savvy and have lots of free time and courage. We’re not talking about a tech person here, we’re talking about someone who just wants to sort this problem out and get on with their life. Buying an iPhone solves that problem easily and in little time.
https://www.wired.com/2016/11/block-ultrasonic-signals-didnt...
https://thehackernews.com/2017/05/ultrasonic-tracking-signal...
https://www.wired.com/2017/05/hundreds-apps-can-listen-beaco...
Say that the average within-microphone-range presence of each user is five hours per day. Probably a huge underestimate.
Do you really think that Facebook would devote enough server time to parse five billion hours of mumbling audio each and every day? That's several times longer than the total viewing of YouTube each day.
Its likely a passive listening for keywords kind of thing.
I have evidence of same and it may not be just FB and Messanger
Last week a co-worker engaged me in a discussion concerning her father-in-laws diagnosis of prostate cancer. This lasted about 20 or 30 minutes. I had my cell phone on me. I do not have FB or Messanger.
I do not deal with cancer cases at work. I did not google any information on prostate cancer. I did not send any mails pertaining to prostate cancer or any other form of cancer.
Two days later I start getting ads and suggestions for prostate cancer treatment options. How unlikely should that be?
I am trying to reproduce the effect by talking about other rare disease conditions with my phone switched on.
If the bugger is spying on me I'd like to know.
2. Did her smartphone location ever correspond with a house that is listed on the MLS in the past week?
I don’t buy the “end to end encryption” argument. If the app used encryption for the benefit of their users it would absolutely make no sense for Facebook to buy them for billions. The reason FB did so anyway is that they have a workaround the E2E encryption like described above.
Jokes aside, these issues are happening way too often for it to just be a coincidence. I've seen multiple friends and strangers, as well as myself, reporting that they were talking about something and then an ad shows up about that.
EDIT: typo
It is very easy to have opinions and explanations on something you didn't experience yourself.
Presumably. Even with the best precautions (ad blocking, etc) some tracking still slips through the cracks. I don’t want to imagine what it’s like for the average idiot who installs every single crappy app, gives it all the permissions and logs in with their Facebook account into them.
If this really is happening (and it seems possible it could be coincidence) the most likely explanation is cross device targeting using IP address.
So, most ad tech companies do cross device targeting, using device maps bought from other companies (Drawbridge being one). These companies attempt to assign a variety of devices from the same person to a single advertising profile. The simplest way they do this is by IP address. So if they have an IP address with a small number of devices, they decide it is probably a household and assign all those devices to the same advertising profile.
So, by being on the same wifi together (either at your place or hers) they will show ads on her devices based on your behavior (and vice versa).
The other explanations are possible, but I think this is the most likely
Advertisers had better be paying through the nose for this sort of access, because it's insanely valuable.
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
https://www.kdnuggets.com/2014/05/target-predict-teen-pregna...
https://www.tamoco.com/blog/location-based-marketing-history
She went house hunting and watched kung fu movies. Has nothing to do with the partners behavior.
Most android (CIAlphabet) phones have CIABook installed by default and it cannot be turned off or deleted without root access. Both listen to microphone and probably take random photos. The phones are both linked to credit cards which are probably also linked to Netflix account.
Why are people still surprised by this?
Instead, I offer different information: I know of a person who is switching back to a pager to avoid smart device-based tracking. This after he received the requested "all information Facebook has about me" and saw how many of the quizzes he took for fun were advertiser-based, articles that seemed to be interesting (and were not about products or services, per se) being brought to his attention by advertisers, as well as other behavior he thought was innocuous but instead resulted in yet more data gathered about him.
It is my understanding he is piecing together different services to allow the pager to still be able to communicate (eventually) via IM with the right hand-offs involving services who rank privacy/no-tracking towards the top of their service offering.
There is some interest among his peers to offer this as a service, for those who might find this idea desirable. Apparently there are refurbished pagers available for purchase that can be used in this way.
He has jokingly referred to it as a "Hi-Tech detox" process...
> Cookie-based retargeting uses online data while IP Targeting uses offline data, which is verified and drastically reduces the potential of non-human bot traffic. IP Targeting essentially takes the traditional direct mail approach and matches home and business postal addresses to computer/device IP addresses.
Source: http://www.accudata.com/why-ip-targeting-takes-the-cake/
https://whotracks.me/trackers/liveramp.html: twitch, okcupid, adobe
https://whotracks.me/trackers/drawbridge.html: etsy, aol, samsung
log into one of those from two devices and anyone who wants to pay will track you as the same person
I'll guess that the following join keys could be used:
IP address or IP address subnet Physical location / postal address Known family or romantic relationship Offline key match such as use of the same credit card
[1]: https://idiallo.com/blog/machine-learning-ads
All your web traffic is tracked too, unless you only use sources that explicitly do not track, such as duckduckgo.com. Check out https://ssd.eff.org, you might find it helpful.
I've been doing it a few days so far and nothing yet.
"All the brightest human minds in the world are working for advertising companies"