[HN Gopher] How The Pentagon learned to use targeted ads to find...
___________________________________________________________________
How The Pentagon learned to use targeted ads to find its targets
Author : nova22033
Score : 132 points
Date : 2024-02-28 17:01 UTC (5 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)
| nova22033 wrote:
| How the Pentagon Learned to Use Targeted Ads to Find Its Targets
| --and Vladimir Putin
| vaylian wrote:
| Not Putin himself, but his entourage who frequently traveled
| together with Putin.
| jdawg777 wrote:
| https://archive.is/wNxjS
| winstonprivacy wrote:
| Excellent article and the methods described are accurate. I was
| speaking extensively about this from 2017-2020 and the usual
| reaction when I talked about this was disbelief. I was not
| surprised when In-Q-Tel came calling. I pitched them a military
| grade privacy protocol but my suspicion was that they were more
| interested in spying on our users (a non-starter).
| unethical_ban wrote:
| Any additional info on the subject you recommend?
| lifestyleguru wrote:
| One can be in the process of making the most unfortunate or
| catastrophic decision or action, and their phone with adtech will
| only worry how to display them an ad for a rope.
| hnburnsy wrote:
| >Working with Grindr data, Yeagley began drawing geofences--
| creating virtual boundaries in geographical data sets--around
| buildings belonging to government agencies that do national
| security work.
|
| Are you seriously telling me that government phones of national
| security employees allow for the installation of apps that track
| your location and/or these employees are allowed to bring
| personal cell phones into these buildings?
| Jtsummers wrote:
| Employees are generally allowed to bring phones into federal
| buildings. There are areas within the buildings they may not be
| able to take them to, and there are some buildings with a total
| ban. In that case, though, the phones would still be left
| somewhere nearby, like the parking lot.
| schaefer wrote:
| There are buildings that do not allow cell phones. For these
| buildings, it's common to leave your phone in your car.
|
| So... still close enough?
| voxic11 wrote:
| Even if not allowed in the building people will still want to
| carry a personal phone so it likely just stays in their car
| right outside the building in the parking lot.
| mandevil wrote:
| When we had to go into SCIFs, generally phones went into
| lockers. At some locations, phones stayed in cars. But that
| doesn't make it any harder to figure out.
|
| But this isn't the first time people are encountering this
| problem. Strava has given away plenty of US military bases:
| https://www.theguardian.com/world/2018/jan/28/fitness-tracki...
|
| Russia has the same problem, VKontakte has given away plenty of
| secret Russian military bases and troop positions over the past
| few decades. I've never read of this on Weibo or WeChat, but my
| guess is they have the same problem, just English language open
| source accounts are keeping it more discreet for now.
|
| The WashPost about a week ago had an article about how at a
| recent NTC rotation out at Fort Irwin the OPFOR was trying to
| figure out how an Apache had gotten past their air defenses, so
| they looked up commercial cell phone tracking data and were
| able to spot how a phone had gone across the desert at 120 mph
| and plug the hole in their air defenses.[1]
|
| Adtech on the cell phone we all carry in our pocket is better
| at surveillance than the best tools a military has. And it's
| one of those things where not being part of the surveillance
| can make you stand out too. Think about a spy operating under a
| real cover, how long is their Facebook (or Weibo or VK or
| TikTok or whatever is appropriate for the person they are
| trying to be) account history? If you found someone claiming to
| be a 45 year old woman living in an American suburb and she had
| a Facebook account that was three months old, wouldn't you
| investigate further?
|
| 1: https://www.washingtonpost.com/national-security/2024/02/22/...
| nradov wrote:
| Supposedly a Ukrainian agent was able to assassinate a
| Russian military officer by tracking his regular running
| route on Strava.
|
| https://www.bbc.com/news/world-europe-66162502
|
| Strava actually has extensive privacy controls that work
| well. Users can keep activities private by default and hide
| their tracks near sensitive locations. But of course if you
| don't use the privacy control and make everything public then
| obviously everyone can see exactly where you were.
| HenryBemis wrote:
| It brought this to mind: Fitness tracking app Strava gives
| away location of secret US army bases
|
| https://www.theguardian.com/world/2018/jan/28/fitness-tracki...
| Aerbil313 wrote:
| This is a scary thought. Not because I think I'm worthy of
| being targeted, but because I think in the future there'll be
| enough compute and incentives to automatically scan everyone
| for out-of-the-ordinary behavior via neural models.
| ok_dad wrote:
| When I was in the military cell phones were extremely new,
| but I honestly don't see why most commands don't say "leave
| phones and other electronics at home when coming to base" and
| then you just tell anyone who needs to contact you to call
| the command quarterdeck or whatever. Examples you just gave
| are good reasons to do this, much like how in the 90's during
| Desert Storm several people figured out (post-hoc, but still)
| that there were a buttload more pizza orders from government
| offices relating to the invasion of Iraq. I'm a former
| shithead officer, though, so it's easy for me to just say
| "ban the phones!" instead of trying to figure out a smarter
| solution. Maybe beepers will make a comeback, since you can't
| track a multicast, receive-only client?
| mschuster91 wrote:
| > When I was in the military cell phones were extremely
| new, but I honestly don't see why most commands don't say
| "leave phones and other electronics at home when coming to
| base" and then you just tell anyone who needs to contact
| you to call the command quarterdeck or whatever.
|
| Because soldiers will just go and take their phones anyway
| - they will want to keep in touch with their families.
|
| The solution to this problem is to kill off the targeted
| ads market _in its entirety_. Maybe national security is
| the only way to actually make that go through.
| mckn1ght wrote:
| Seems like something the NSA should be in charge of,
| maintaining a custom Android ROM or even a fully custom
| built OS/device.
| mschuster91 wrote:
| Just browsing the web is enough to deliver enough
| metadata to RTBs to make correlations possible.
| nova22033 wrote:
| Personal phones, not government phones. Bringing your personal
| phone to Langley and leaving it in your car doesn't do much.
| XorNot wrote:
| Whether they take it into the building or not is irrelevant.
|
| If they drive nearby and leave it in the car, you can find
| them.
|
| If they drive nearby and turn it off then, you can find them
| (improve it by bracketing by the average 9-5 workday, add
| correlation of world events to late-night anomalies - i.e. the
| Washington pizza index[1]).
|
| If they leave their phone at home and switch it off, then you
| can still find them by that data.
|
| If they leave their phone at home, switched on, then this also
| applies - you filter by public holidays.
|
| The key is that the "phone policy" is effectively public
| information - so you don't have to guess, you can just go find
| out what it is to set your search parameters.
|
| [1] https://www.washingtonpost.com/wp-srv/politics/special/clint...
| ourmandave wrote:
| Apropos of nothing...
|
| Choose which apps use your Android phone's location
|
| https://support.google.com/android/answer/6179507?hl=en
|
| Control app tracking permissions on iPhone
|
| https://support.apple.com/guide/iphone/control-app-tracking-...
| unethical_ban wrote:
| I found that OnePlus Android allows you to toggle mobile data
| _and_ WiFi data per app, by the way. Pixel and Samsung only
| allow that for mobile. Semi related.
| HnUser12 wrote:
| Same on iOS. You can only disable mobile data per app.
| ametrau wrote:
| Paywalled (after getting sufficient traffic from the share)
| Jtsummers wrote:
| https://web.archive.org/web/20240228004529/https://www.wired...
|
| Easily solved.
| 082349872349872 wrote:
| At least I'm old enough that I can still go places without a
| phone.
| panzagl wrote:
| A friend of mine had a girl he was dating drop him because she
| couldn't understand why he didn't text her all the time- never
| mind that he worked at a Navy facility that didn't allow cell
| phones.
| mucle6 wrote:
| I don't understand how targeted ads on Grindr can be used to get
| people's locations.
|
| Does the ad auction tell the user's current location? Does Grindr
| let you run your own auction bidder on your own machine?
| prepend wrote:
| Ad serves up an image hosted by the advertiser. Phone makes an
| HTTP GET for the image and gives out its IP.
|
| You can also target ads by geography and do a lat/long box over
| your target area and show a specific ad so you know how many
| unique users are in that area.
| 082349872349872 wrote:
| > _so you know how many unique users are in that area_
|
| would you like to know more?
|
| see also: https://www.jstor.org/stable/27862533
|
| Baryshnikov & Ghrist, _Target Enumeration Via Euler
| Characteristic Integrals_ (2009)
|
| > _We solve the problem of counting the total number of
| observable targets (e.g., persons, vehicles, landmarks) in a
| region using local counts performed by a network of sensors,
| each of which measures the number of targets nearby but
| neither their identities nor any positional information. We
| formulate and solve several such problems based on the types
| of sensors and mobility of the targets._
| eastbound wrote:
| Giving up the IP is against the GDPR.
| victorbjorklund wrote:
| This is about the US, not the EU.
| iamacyborg wrote:
| That hasn't stopped RTB (real time bidding) mechanisms from
| leaking personal data to hundreds/thousands of third parties
| yet.
| KTibow wrote:
| All network requests give out your IP.
| partiallypro wrote:
| SnapChat does the same thing, we (not me technically, I am just
| a developer that worked with our ad team) set up Geofences
| around events to serve ads and we could continue to target
| those users for continuous remarketing as soon as they stepped
| foot into and out of a location of our choosing. In our case it
| was mostly a concert and car race. We knew -a lot- more than we
| probably should have. You could push filters, and all kinds of
| stuff within those custom geofences. Facebook & Google have
| similar, but it's not near as granular as what I saw with Snap.
| They might have changed it by now, this is when they first were
| getting into advertising. It honestly wasn't very effective,
| probably because of the demographic that uses SnapChat.
|
| Tiktok was used to find and track/monitor Chinese dissident
| whereabouts a few years ago by the CCP in Hong Kong.
| brutus1213 wrote:
| I don't work in the ad industry but am quite curious to learn the
| high level software components. For instance, I have heard of
| Audience Intelligence Platforms from the likes of Google and
| Adobe. Curious if anyone has come across a book, blog or lecture
| that lays out the landscape.
| fma wrote:
| So, what's the best weather app to use that's not going to sell
| my location?
| lifestyleguru wrote:
| Why do you need an app for the weather? What's wrong with
| websites?
| vineyardmike wrote:
| More convenient, more location-accurate, can integrate with
| the OS like widgets.
|
| What a terrible take. People like apps, we should make apps
| private instead of telling people not to use apps. FWIW,
| websites can gain access to your location too, so plenty of
| people will still be tracked.
| bhouston wrote:
| iOS/Apple Watch has a built in weather app.
| vineyardmike wrote:
| Apple bought a weather company for this purpose. So probably
| Apple's honestly. Everything else needs to make money somehow
| while freely giving you data.
| hellojesus wrote:
| A browser, where it can't get that data except by IP. At least
| it would be approx only and totally unrelated with a VPN.
| overstay8930 wrote:
| Buy an iPhone?
| nonameiguess wrote:
| Just don't give it access to your location. Not like I've
| widely sampled all of them, but Apple's weather app I do
| currently use does not require location services. I can simply
| tell it the zip code I care about knowing the weather for,
| which may or may not be where I am physically located at the
| time.
| edsimpson wrote:
| The Windy privacy policy seems decent.
|
| https://account.windy.com/agreements/windy-privacy-policy
| alwa wrote:
| +1 for Windy! Note that there are two apps named Windy, one
| with a red icon and one with a blue icon. The one you linked
| to has a red icon and lists its developer as Windyty, SE.
|
| The one with the blue icon has a site at Windy.app. Their
| privacy policy is much more hand-wavy, with lines about how
| they "don't sell" but "share" your personal information:
|
| https://windyapp.co/CustomMenuItems/26/en
|
| One of the techniques they list explicitly is to use the Meta
| pixel for targeted advertising. I'm not aware of any way to
| remove geo data from, for example, the Meta pixel and the
| auctions it sells into. It suggests to me that perhaps
| they're thinking of your geo data as incidental to placing
| targeted advertising.
| severine wrote:
| yr.no
| JackFr wrote:
| A thermometer, a barometer and a radio.
| quickthrowman wrote:
| The default iOS weather app is safe to use.
| smallerfish wrote:
| Android lets you delete the advertising id that's mentioned in
| the article, as well as reset it. Does anybody who is in Adtech
| know what that does in terms of identifiability on brokers? Am I
| now "anon at location x,y", or am I "anon4321 at location x,y"?
| licheness wrote:
| Never underestimate the power of metadata. An expired ID that
| patterns quite similar to a new ID is quite easy to identify.
| neves wrote:
| It looks like you stay with "no id". There is just an option
| "get a new advertising id"
|
| Here is how to delete it on Android and Apple:
| https://www.eff.org/pt-br/deeplinks/2022/05/how-disable-ad-i...
| neves wrote:
| Here is how to delete it:
| https://www.eff.org/pt-br/deeplinks/2022/05/how-disable-ad-i...
| username135 wrote:
| One thing I've always been curious about, and have never been
| able to find a solid answer to, is what data is available to the
| various companies whose software I have on my phone?
|
| What can AT&T/TMobile/etc... learn from my device as my carrier?
|
| What can the apps I have installed discern from my device if I
| allow no access to anything in settings?
|
| How does this change if I use a VPN?
|
| I have an idea of what's possible based on my career in tech, but
| I'd love a more solid answer. Happy to read any content answering
| the aforementioned.
| jstarfish wrote:
| I don't know of any carrier hypervisory capability, but there
| has been a lot of discussion about OnePlus phones and the data
| they exfiltrate. There's a bunch of vendor bloatware even on my
| factory-reset phones so it's not out of the question that a
| carrier-locked phone might have snuck something else in there.
|
| Intelligence can be inferred at the carrier level even with
| paranoid privacy settings and all apps using HTTPS. CDNs in
| particular frequently serve content over regular HTTP, and
| there aren't too many reasons why you'd be communicating with
| Grindr's CDN. All of this is visible over the wire.
|
| DNS requests betray a lot about you. VPNs are notoriously leaky
| when it comes to DNS as well. I'd expect that even with a VPN
| running you're not stopping anything, just changing the
| exfiltration route for some of your traffic.
| HenryBemis wrote:
| Chances are yes. On Android, you can control 'some' of the
| permissions - the basic ones (contacts, calendar, location,
| etc.)
|
| There are some though "view Wi-Fi connections", "have full
| network access", "view network connections", "query all
| packages", "advertising ID permission", and so on, that give
| the app (and its creator) a good view of what's going on in
| your phone. I tend to (by trial & error) block everything with
| NoRoot Firewall. Those who want to be naughty though cannot be
| stopped, as they send both useful and telemetry through the
| same connection/target IP.
| mike_d wrote:
| > but I'd love a more solid answer
|
| Unfortunately that isn't a question you'll get an answer to.
| Anyone who actually knows and has access to sensitive sources
| and methods is under an obligation not to disclose them.
| Further nobody in the know wants to burn these sources -
| because it makes their job harder.
|
| The general advice I can give is use an iPhone (turn on Lock
| Down mode if you believe you might be the target of well
| resourced attackers), use Google suite for your personal data
| (and turn on Advanced Protection), don't use commercially
| available VPNs (set up your own or just don't connect to wifi
| in untrusted places), and periodically delete third party apps
| you don't use (especially any that use location services).
| nova22033 wrote:
| https://www.cnet.com/home/security/life360-app-is-selling-da...
|
| Life360, like other apps that track location data, makes a
| significant portion of its annual revenue from selling this data
| -- about 20 percent in 2020.
| pluc wrote:
| I haven't read it yet, but I have "Means of Control: How the
| Hidden Alliance of Tech and Government Is Creating a New American
| Surveillance State" by Byron Tau in my cart and that feels
| related so.. maybe look it up.
|
| https://www.penguinrandomhouse.com/books/706321/means-of-con...
| glitchcrab wrote:
| This article is taken from that book.
| npilk wrote:
| Reminds me of the guy who pranked his roommate with Facebook ads
| targeted to an audience of one:
| https://ghostinfluence.com/the-ultimate-retaliation-pranking...
| hellojesus wrote:
| Are any of these Real Time Bidding markets open to small
| companies or individuals? I'm curious to see what data exists for
| bidders.
___________________________________________________________________
(page generated 2024-02-28 23:00 UTC)