In 2023, an engineer went to an amusement park with his family. They had a stroller, and one of the parents stayed behind to keep an eye on it while the others went on a ride. When they got off, the park’s app detected that someone had been waiting, sent a notification, and let them in via the fast-track, skipping the lines. This anecdote is just a small example of the precise use of geolocation via Bluetooth and Wi-Fi on our cell phones.
But like all technologies that collect personal data, they can be abused. Similar incidents sparked investigations led by Spanish researchers, which will be presented at the prestigious Pets privacy conference in Washington D.C., which began on July 14. This research explores how some apps exploit Bluetooth and Wi-Fi permissions to track our location indoors, or that of users who don’t enable GPS for that purpose. Technically, it’s no secret that these antennas can detect which cells are passing nearby. What’s new in this research is the hidden ecosystem of those who extract this information, buried in thousands of apps, to target us with ads, profile us, or simply know where we are at all times.
“There are a lot of mysterious uses,” says Juan Tapiador, co-author of the article and a professor at Carlos III University in Madrid. “You can apply this to any anecdote, like the girl who went to an abortion clinic and then saw an ad that made her nervous, or the guy who traveled to a place without telling anyone and then came across an ad that shocked him. The most extreme case is if you go to a supermarket or a liquor store or to pick up a book and then see a related ad.” In cases like these, we often say that our cell phones are listening to us. But that’s not necessary. With this information and how it’s shared, many connections can be made about habits. It’s reasonable for an average citizen to feel suspicious about receiving very subtle advertising based on some intimate detail and not knowing where it originates from.
There are public databases listing the GPS coordinates of Bluetooth beacons or Wi-Fi antennas. With that information, if they detect a cell phone, it’s obvious that its owner has been there. It’s not very complex. But that information should only be available to apps that have permission from their users, not to unknown marketing companies that profile millions of citizens. “Eighty-six percent [of the 9,976 Android apps analyzed] collect at least one sensitive data type, including device and user identifiers such as AAID (Android Advertising ID), email, along with GPS coordinates, Wi-Fi and Bluetooth scan results,” the scientific article says.
Location reveals a lot about our tastes and habits. The precision of this information confirms whether we buy oat or cow’s milk at the supermarket, if we like to linger in the window displays of cheap clothing stores, or whether we are more interested in true crime or science fiction on the shelves of a bookstore. If someone has received a promotional offer from Burger King when walking into one of its restaurants, now they know why. But the commercial use of this information goes much further. It’s one thing to allow Burger King to make us an offer when we download its app, and another to have thousands of apps containing pieces of code that capture this information and send it to unknown marketing companies that traffick that data.
In addition to unsolicited advertising, there are other potentially more delicate uses. “The most serious issue is that it can be used to identify your movements and who you’re with,” says Narseo Vallina, co-author of the paper, a researcher at the Imdea Networks Institute and co-founder of the privacy firm Appcensus. Location data isn’t just used to track where someone goes, but can also be used to determine whether they enter a mosque or a sauna, or even the speed of a vehicle or the location of an undocumented immigrant. These data merchants can sell information not only for commercial purposes, but also, for example, concerning who was on Jeffrey Epstein’s island.
Prefabricated tools
Apps aren’t usually programmed from scratch. They use so-called SDKs (software development kits), which are prefabricated tools that are taken as is and save a lot of programming work. SDKs perform functions that the app needs, and others that are more hidden. “This is an SDK ecosystem that no one has studied,” says Vallina. “Many previous studies of Bluetooth and Wi-Fi abuse data were at a theoretical level. But there were no empirical studies of what types of SDKs implement this, and we started looking for SDKs that advertised themselves as location services and that also provided Bluetooth and Wi-Fi services.”
If you speculate about the possibilities of this system, the hypotheses are unimaginable: “You install a dating app, and you give it access to Wi-Fi. Then you connect to a Wi-Fi hotspot at a location, and at the same time, your dating app scans nearby Bluetooth devices. That way, they know who your date is and where you are,” Vallina explains. The problem isn’t that your dating app, to which you’ve given permission, knows this, but rather a third-party app that has an SDK installed.
“We identify 52 SDKs with Wi-Fi and Bluetooth scanning features integrated into at least 9,976 apps with an estimated cumulative install count [historically] on around 55 billion devices,” the study says. These apps are widespread, from banks to football clubs, hotels, academic centers, and media outlets.
“On a subway, there may be a Bluetooth beacon whose purpose is to count passengers. But nothing prevents an SDK in an app from doing what we’re suggesting, which is to say, knowing precisely that you are on the subway,” says Tapiador. “This means you can then re-identify that person and associate whoever passed through here with whoever passed through there,” he adds. The impossible challenge of these investigations is figuring out exactly where that data ends up and what use it makes of it: knowing what data an SDK extracts is one thing, but knowing how it’s then processed is quite another. “They’re associated with the Android Advertising ID, which is a marker that identifies you and your device, which suggests they’re using it to track the user. They can send you an email, an alert, or aggregate it on a server to create a profile of you with that information,” says Vallina.
This method is designed to obtain something as valuable as a user’s location, avoiding the entire process of obtaining their consent. “If you were to ask a company that thrives on tracking what interests them most about a person and they could only choose one thing, they would probably say location,” explains Tapiador. “It’s not surprising that, technologically, a large part of the tracking effort is geared toward obtaining location data. This way of using beacons is simply the umpteenth derivative of how to obtain a location with something no one has ever looked at before.”
Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition
Source link
