Ultrasonic cross-device tracking (uXDT) apparently represents an apocalyptic threat to privacy. The tech is being embedded in many apps, but despite its significant intrusive abilities it is not complying – in most cases, it would seem – with explicit consumer opt-in / opt-out choices.
At best it is an underhand advertising trick; at worst it stands to become one of the alphabet agencies' handiest IoT mass surveillance piggybacking collection methods for device ownership cross-referencing and tracking.
What the debate regarding uXDT and audio beacons does indicate, though, is that as IoT devices expand exponentially they are accompanied by many little-known and little-understood elements that potentially expose consumers to threats ranging from low-level adware to full-scale identity theft, and in the process inadvertently or intentionally expand the toolset available for mass surveillance.
The concept of cross-device tracking has been pitched as every marketer's wet dream. In basic terms, using audio beacons it can cross-reference your habits across multiple devices to tell advertisers – amongst other things – what and where you are watching TV and, more importantly, use that to refine advertising.
“Audio Beacons” – As Used by SilverPush
The issue with creepy emerging tech is well demonstrated by SilverPush, which researchers from University College London last month again alleged could expose millions of devices to malicious hacking. Signal360 and Audible Magic, who have attracted investment from several VC leading lights and interest from a host of major companies, are also engaged in rolling out uXDT services.
Even after SilverPush withdrew the previous version of their software following an FTC warning to developers in March 2016, their current website still has very vague descriptions of their service offerings, which fall squarely in the “creepy” category of marketing speak.
Chaps – I would have the marketing guys take another look at that choice of branding if I were you.
Using Inaudible Sounds To Link Device Ownership
In a TechCrunch article in 2014, SilverPush's original approach was explained by their CEO Hitesh Chawla. The company, he said, used “ultrasonic inaudible sounds.” If you are browsing and engage with a SilverPush advertiser, then as they drop their cookie they also ping one of those “inaudible” sounds.
You didn’t hear it but the app did and so did any app that used the SilverPush product suite. It passively listened for these sounds in the background. When an “audio beacon” was detected it was then able to establish that a desktop, laptop, phone, tablet or any other IoT device in range with the app installed belonged to the same person.
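A defender can check a recording for this kind of signal. The following is an added example, not code from SilverPush or from the article: it flags a sustained tone in an assumed 18–20 kHz band using the Goertzel algorithm. The band, sample rate and thresholds are assumptions (the article gives no frequencies), and the audio is constructed.

```python
import math

RATE = 44100            # assumed capture rate in Hz
BAND = (18000, 20000)   # assumed near-ultrasonic band; the article gives no frequencies
STEP = 50               # probe spacing in Hz
FRAME = 512             # samples per analysis frame
MIN_AMPLITUDE = 0.01    # assumed threshold, as a fraction of full scale
MIN_FRAMES = 10         # consecutive hits required (about 116 ms)

# Hann window keeps loud audible content from leaking into the probed band.
WINDOW = [0.5 - 0.5 * math.cos(2 * math.pi * n / FRAME) for n in range(FRAME)]
WINDOW_GAIN = sum(WINDOW) / 2

def tone_amplitude(frame, freq):
    """Estimate the amplitude of a sinusoid at freq with the Goertzel algorithm."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x, w in zip(frame, WINDOW):
        s0 = x * w + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return math.sqrt(max(power, 0.0)) / WINDOW_GAIN

def find_beacon(samples):
    """Return (start_seconds, freq_hz) of the first sustained in-band tone, or None."""
    run = 0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        amp, freq = max((tone_amplitude(frame, f), f)
                        for f in range(BAND[0], BAND[1] + 1, STEP))
        run = run + 1 if amp >= MIN_AMPLITUDE else 0
        if run == MIN_FRAMES:
            return (start - (MIN_FRAMES - 1) * FRAME) / RATE, freq
    return None

def synth(n, tones):
    """Constructed audio: sum of (freq_hz, amplitude, start_sample) sine tones."""
    return [sum(a * math.sin(2 * math.pi * f * i / RATE)
                for f, a, s in tones if i >= s) for i in range(n)]

# Constructed samples: loud 440 Hz alone, then with a faint 18.5 kHz tone added.
clean = synth(13230, [(440, 0.5, 0)])
tagged = synth(13230, [(440, 0.5, 0), (18500, 0.05, 5120)])

if __name__ == "__main__":
    print("clean :", find_beacon(clean))
    print("tagged:", find_beacon(tagged))
```

The persistence requirement is what separates a deliberate carrier from a brief high-frequency transient such as a click or key jingle.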
Who Uses / Used It
Sound.ly, based in Korea, and Shopkick are examples of other startups embedding the tech in their stack. Before the FTC warning there were twelve app developers whose apps were available for download in the Google Play store who had the tech embedded in their product suites or apps.
The FTC was explicit about what it could mean for those developers: “If your application enabled third parties to monitor television-viewing habits of U.S. consumers and your statements or user interface stated or implied otherwise, this could constitute a violation of the Federal Trade Commission Act,” the FTC’s letter to developers warned.
At that point several products and apps were voluntarily withdrawn.
Researching The “Threat”
There are now several research groups who have declared that they are planning to explore the uXDT ecosystem, dig into the inner workings of popular uXDT frameworks, and perform an in-depth technical analysis of the underlying technology, exposing both implementation and design vulnerabilities, and critical security and privacy shortcomings.
I look forward to reading their findings.