A couple of years ago, some German scientists created a proof of concept to see if it was possible for data to jump across the air gap, using inaudible high frequency audio waves.
“Using nothing more than the built-in microphones and speakers of ordinary computer systems, the researchers had been able to transmit passwords and other small bits of data from distances of almost 65 ft.”
Now it seems, the same technology is being used by many marketing corporations to track individuals. Privacy advocates are warning federal authorities of a new menace that makes use of inaudible, high-frequency sounds, inaudible to human ears, to surreptitiously track an individual’s online habits throughout a range of devices, including smartphones, TVs, tablets, and personal computers.
The ultrasonic pitches are embedded into TV commercials or are played when a person encounters an advert displayed in a pc browser. While the sound cannot be heard by the human ear, close by tablets and smartphones can detect it. Once they do, browser cookies can now pair a single person to a number of gadgets and keep track of what TV commercials the individual sees, how lengthy the particular person watches the adverts, and whether or not the individual acts on the advertisements by doing a Net search or shopping for a product.
Cross-device monitoring raises vital privacy issues, the Center for Democracy and Technology wrote in recently filed comments to the Federal Trade Commission. Typically, individuals use as many as 5 connected units throughout a given day—a computer, smartphone, tablet, a wearable health gadget, and an RFID-enabled access fob. Till now, there has not been an easy technique to observe activity on one and tie it to the other.
“As an individual goes about his business, his activity on every device generates different data streams about his preferences and behavior that are siloed in these devices and services that mediate them,” CDT officials wrote. “Cross-device tracking permits marketers to combine these streams by linking them to the same individual, enhancing the granularity of what they know about that person.”
The officials said that companies with names including Flurry, Drawbrudge and SilverPush are working on methods to pair a given consumer to specific gadgets. Adobe is developing similar technologies. Undoubtedly, the most concerning of the companies the CDT talk about is the Indian startup, and now San Francisco-based SilverPush.
Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking via browser fingerprinting, the use of audio beacons is a more accurate method to track users across devices. The industry leader of cross-device monitoring using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the net, the advertiser drops a cookie on the computer while also playing an ultrasonic audio via the use of the speakers on the pc or the gadget. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the person).” The audio beacon enables corporations like SilverPush to know which adverts the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, together with other information that adds to the profile of every user that’s linked across devices.
The user is unaware of the audio beacon, but when a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this type of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.
SilverPush’s ultrasonic cross-device tracking was publicly reported as long ago as July 2014. More recently, the company received a new round of publicity when it obtained $1.25 million in venture capital. The CDT letter appears to be the first time the privacy-invading potential of the company’s product has been mentioned in detail.
Cross-device tracking already in use
The CDT letter went on to quote articles reporting that cross-device tracking has been put to use by more than a dozen marketing companies. The technology, which is usually not disclosed and cannot be opted out of, makes it possible for marketers to assemble a surprisingly detailed snapshot of the individual being tracked.
“For example, a company may see that a person searched for sexually transmitted disease (STD) symptoms on her pc, looked up directions to a Planned Parenthood on her cellphone, visits a pharmacy, then returned to her apartment,” the letter stated. “While previously the various elements of this journey would be scattered amongst several services, cross-device tracking allows companies to infer that the user obtained treatment for an STD. The combination of data across gadgets not only creates serious privacy concerns, but also permits for corporations to make incorrect and possibly harmful assumptions about individuals.”
We at GadgTecs believe there might already be viruses and malwares out there utilzing this technology, however, none has been discovered by the mainstream security researches yet (a researcher did publish some work on his findings but others were skeptical). It is only a matter of time when they become even more common and harder to avoid.