Every time you see a little banner ad at the bottom of an app, there’s an instantaneous auction to show you that ad space. Google forwards info to bidders, who calculate how much they will spend to show you the ad. This means even the losers of the auction get a firehose of data. There are companies set up right now whose purpose is to lose that auction but collect the data anyways.
It should not surprise you to learn, then, that In-Q-Tel (the non classified investment arm of the CIA) has invested in some of these analytics (read: digital surveillance) companies.
> When Mobilewalla bid to place an ad for its clients on a real-time advertising bidding exchange, it unfairly collected and retained the information in the bid request, even when it didn’t have a winning bid, according to the complaint.
The FTC’s complaint alleges that from January 2018 to June 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with consumers’ precise location data. The raw location data Mobilewalla collected was not anonymized and the company doesn’t have policies to remove sensitive locations from the data set, meaning that such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited. The company sold access to this raw data to third-parties, including advertisers, data brokers and analytic firms.
The ads customers do not see data. A handful of exchanges do.
Participating in header bidding gives you data similar to what you would see from operating a popular mobile website.
I don't know. It doesn't surprise me that In-Q-Tel makes investments in good arbitrage businesses like exchanges. I'm sure many good investors make good investments. It isn't some kind of cynical surveillance play.
> Participating in header bidding gives you data similar to what you would see from operating a popular mobile website.
A popular mobile website can only geolocate its own visitors based on IP and will have no idea what apps they have installed and what they do whenever they are not visiting that website.
The ad exchange gets information any time the users opens any of thousands of apps, without them ever interacting with the exchange.
"This device opened Grindr at this exact GPS coordinate, then Candy Crush at the church wifi, then a month later played Yahtzee for three hours near a military base in Afghanistan"
Then they package up that historical data and sell it. You can have years of location data for whatever purpose you can think of.
A thread on using this for surveillance from about a year ago:
As I commented there, while the antitrust case against Google is well-deserved, one effect of breaking their ad monopoly is opening up for even more actors to receive real-time header bidding data.
A look at the resolution of position data you can get:
If I understand this right, Google isn’t actually selling user data to auction losers because auction losers are collecting the data without spending any money.
You need to get your ad platform technically certified and a very good reason to join (several millions in marketing budget will do the job), and a very good contact at Google, once this is done, this is what you have access to in real-time:
One point I do not see addressed in the article is how the location is collected.
It'd be a little bit of a stretch to call IP geolocation as collecting location data as it is usually no more accurate than just procuring the geolocation yourself, so there's no need to get it from a broker. However, on an Android for example, both ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION require permission dialogs, so how does it exactly work?
At least some, if not the majority, is likely derived from the IP address used in the ad bidding process.
> Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS [Global Navigation Satellite System]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”
It's a stretch to call out a game for tracking every IP use use and trying to location track you using that? A game should not be trying to track my location at all, not get a pass because technically it's not very accurate.
This list is suspect. PodcastAddict doesn't even request location permissions[1]. How can it possibly get access to your location? If you read the article carefully, it caveats that the location might not even be sourced from gravy apps. At best, it's getting your ip location, which you're broadcasting to every website you visit anyways.
>Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.
Can it get the wifi SSID? Is that a permissioned property on Android/iOS? I believe there are companies that build databases of SSIDs and their locations by driving around, so if an app can get wifi info it could be pinpointed to a pretty specific location.
I asked the developer of Podcast Addict about this and shared the article. This is their response verbatim:
"Hi,
I'm sorry but I don't understand your email. Of course every podcast app connects to 3rd party content to stream it and therefore hosting platforms and tracking services and ad services used by the podcasters will have access to your IP address.
Sorry but saying that a podcast app leaks your IP address is as stupid as saying that a web browser does. It's just a tool that connects to 3rd party content, so yes unless you're using a VPN the server you connect to will always have access to your IP address
The app doesn't have your location. As you can see it doesn't ask for location permission so the app doesn't have anything to share, but yes your IP will of course be public to any server you connect to
I think my question still makes sense because from what I gather, the AdSense(?) SDK will get more info from the phone than just the IP address - make/model of the phone, unique IDs etc. But for now I happily did an OPML migration to AntennaPod - smooth sailing so far.
Even better if you have the hardware/bandwidth, setup a wireguard vpn and use adblocking on your home network. Then all your stuff is at least mildly encrypted while out and about, plus you get robust adblocking protection.
This also has the added benefit of encrypting DNS if you set that up. It's all relatively easy to setup. If your hardware is running linux there are simple configuration scripts you can run to get everything going in 5 minutes or so.
I'm also a fan of 1Blocker on iOS (and macOS). It's another subscription, but it's not that expensive; updates its blocking lists frequently; and blocks trackers in apps.
There are still many mysteries to unravel about viruses, they may be more important to a functioning ecosystem than we realize, and there are useful tricks which only they can do.
Watch "the economics of happiness" if you think there's nothing wrong with advertising. Sure, maybe it can be done without manipulating people's self-image into thinking they're not good enough, not beautiful enough, not wealthy enough, but if you're into maximizing revenue you're not going to simply advertise "here's our invention, take it or leave it"
I think there's something inherently wrong with it. At it's core is a fundamental disregard for consent which harms people after prolonged exposure. The consequences of turning control of over our technology to people with an incentive to degrade our sense of dopamine hygiene have been very bad and continue to worsen.
Whatever legitimate needs ads can meet we can find better ways to meet. That is, if we could only get a break from life in a Skinner box.
No, advertising is the nasty stuff. the vector is obviously our communications infrastructure. (of course, this doesn't mean that advertising itself cannot also be a vector.)
advertising is designed to manipulate without consent.
I wonder if apps are abusing background app refresh to do this on iOS.
My understanding is that it isn't difficult to create a background task that can periodically make network requests. Just have a background task make a HTTP request including some unique identifier to some ad network server, then have the server handle IP geolocation.
While the accuracy won't be great on a lot of mobile networks, you can get pretty granular on wifi as some ISPs have their IPs as granular as a neighborhood.
I disable background app refresh for almost all apps in anticipation of this and haven't had a degredation in app experience.
I noticed something when using 1Blocker on iOS, which creates a dummy on-device VPN to block tracker IP requests. After I turned off background app refresh, I noticed that the number of blocked requests went down a lot. While some were innocuous diagnostics, like Sentry, the vast majority were not.
I'd appreciate if someone familiar with iOS development could weigh in on if this would be practical or not, given the all of the execution limits of background tasks.
> you can get pretty granular on wifi as some ISPs have their IPs as granular as a neighborhood
I’ve heard that this might be the case in some places in the USA. Meanwhile, I have not seen that level of granularity for residential IP addresses in Norway for example.
Has anyone done analysis on the MaxMind GeoIP data to see how the granularity of the data differs between different cities and countries and published anything about that online?
What app actually needs background refresh? I suppose messaging (sms, iMessage) and email. Assuming you want those async fetched and not pulled on app open. Curious what you’ve found you left enabled or had to enable because I agree with overly restricting apps.
"a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS [Global Navigation Satellite System]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK."
Probably it would use the location if the permission was enabled, otherwise fall back to IP geolocation
Real-time bidding is a privacy nightmare - basically spraying your actions in real-time to every ad provider, with a pinky promise that they won't abuse it.
Personally I can't wait until tinder is hit by the government, absolutely ridiculous the sort of monopoly power their amalgamation of dating apps has.
People bitch and moan about negative externalities on society from the rise of the internet but for me it's hard to imagine few variables more imperative to a state's success over the longterm.
What about tinder exactly is the problem? Asking as someone who has never used it but assume it’s Facebook for sex basically. Is it any worse than Metas properties?
Readit News
It should not surprise you to learn, then, that In-Q-Tel (the non classified investment arm of the CIA) has invested in some of these analytics (read: digital surveillance) companies.
https://www.ftc.gov/news-events/news/press-releases/2024/12/...
> When Mobilewalla bid to place an ad for its clients on a real-time advertising bidding exchange, it unfairly collected and retained the information in the bid request, even when it didn’t have a winning bid, according to the complaint. The FTC’s complaint alleges that from January 2018 to June 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with consumers’ precise location data. The raw location data Mobilewalla collected was not anonymized and the company doesn’t have policies to remove sensitive locations from the data set, meaning that such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited. The company sold access to this raw data to third-parties, including advertisers, data brokers and analytic firms.
Participating in header bidding gives you data similar to what you would see from operating a popular mobile website.
I don't know. It doesn't surprise me that In-Q-Tel makes investments in good arbitrage businesses like exchanges. I'm sure many good investors make good investments. It isn't some kind of cynical surveillance play.
A popular mobile website can only geolocate its own visitors based on IP and will have no idea what apps they have installed and what they do whenever they are not visiting that website.
The ad exchange gets information any time the users opens any of thousands of apps, without them ever interacting with the exchange.
"This device opened Grindr at this exact GPS coordinate, then Candy Crush at the church wifi, then a month later played Yahtzee for three hours near a military base in Afghanistan"
Then they package up that historical data and sell it. You can have years of location data for whatever purpose you can think of.
A thread on using this for surveillance from about a year ago:
https://news.ycombinator.com/item?id=38289337
As I commented there, while the antitrust case against Google is well-deserved, one effect of breaking their ad monopoly is opening up for even more actors to receive real-time header bidding data.
A look at the resolution of position data you can get:
https://nrkbeta.no/2020/12/03/my-phone-was-spying-on-me-so-i...
This will be correlated and joined with the geoip data from the apps without location data.
The overwhelming experience of the contemporary internet says it always is.
Which is against Google's terms, but of course they don't police it because it's their way of selling user data without explicitly selling user data.
https://developers.google.com/authorized-buyers/rtb/download...
otherwise you can go through intermediaries like BidSwitch which are essentially resellers, it's much easier but you get less information
Deleted Comment
It started with the Download Valley where companies would monetize search ( https://en.wikipedia.org/wiki/Download_Valley ) and siphon personal data.
The same with location information, plenty of shady SDKs offer to pay you if you leak location of your users.
Again, mostly based in Israel, but sometimes New York.
It'd be a little bit of a stretch to call IP geolocation as collecting location data as it is usually no more accurate than just procuring the geolocation yourself, so there's no need to get it from a broker. However, on an Android for example, both ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION require permission dialogs, so how does it exactly work?
> Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS [Global Navigation Satellite System]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”
Not sure about other apps.
Two questions from looking at my list:
1. What do you replace PodcastAddict with? Will all ads traffic (not just the display of the ads on the screen) cease on a paid version?
2. How would MS Outlook get on the list in the first place?
AntennaPod
>Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.
[1] https://play.google.com/store/apps/details?id=com.bambuna.po...
"Hi,
I'm sorry but I don't understand your email. Of course every podcast app connects to 3rd party content to stream it and therefore hosting platforms and tracking services and ad services used by the podcasters will have access to your IP address. Sorry but saying that a podcast app leaks your IP address is as stupid as saying that a web browser does. It's just a tool that connects to 3rd party content, so yes unless you're using a VPN the server you connect to will always have access to your IP address The app doesn't have your location. As you can see it doesn't ask for location permission so the app doesn't have anything to share, but yes your IP will of course be public to any server you connect to
Xavier"
I think my question still makes sense because from what I gather, the AdSense(?) SDK will get more info from the phone than just the IP address - make/model of the phone, unique IDs etc. But for now I happily did an OPML migration to AntennaPod - smooth sailing so far.
1. https://nextdns.io/
2. https://adguard-dns.io/en/welcome.html
This also has the added benefit of encrypting DNS if you set that up. It's all relatively easy to setup. If your hardware is running linux there are simple configuration scripts you can run to get everything going in 5 minutes or so.
I'm also a fan of 1Blocker on iOS (and macOS). It's another subscription, but it's not that expensive; updates its blocking lists frequently; and blocks trackers in apps.
I think it's more like lead poisoning.
https://m.imdb.com/title/tt1687905/
Whatever legitimate needs ads can meet we can find better ways to meet. That is, if we could only get a break from life in a Skinner box.
advertising is designed to manipulate without consent.
Advertising is mosquitoes. Fits.
https://archive.ph/Danyk
https://docs.google.com/spreadsheets/d/1Ukgd0gIWd9gpV6bOx2pc...
https://gist.github.com/fs0c131y/f498b21cba9ee23956fc7d76292...
My understanding is that it isn't difficult to create a background task that can periodically make network requests. Just have a background task make a HTTP request including some unique identifier to some ad network server, then have the server handle IP geolocation.
While the accuracy won't be great on a lot of mobile networks, you can get pretty granular on wifi as some ISPs have their IPs as granular as a neighborhood.
I disable background app refresh for almost all apps in anticipation of this and haven't had a degredation in app experience.
I noticed something when using 1Blocker on iOS, which creates a dummy on-device VPN to block tracker IP requests. After I turned off background app refresh, I noticed that the number of blocked requests went down a lot. While some were innocuous diagnostics, like Sentry, the vast majority were not.
I'd appreciate if someone familiar with iOS development could weigh in on if this would be practical or not, given the all of the execution limits of background tasks.
I’ve heard that this might be the case in some places in the USA. Meanwhile, I have not seen that level of granularity for residential IP addresses in Norway for example.
The MaxMind GeoIP databases include information about how accurate (granular) the location data is for each entry in their db according to https://support.maxmind.com/hc/en-us/articles/4407630607131-...
Has anyone done analysis on the MaxMind GeoIP data to see how the granularity of the data differs between different cities and countries and published anything about that online?
Probably it would use the location if the permission was enabled, otherwise fall back to IP geolocation
Real-time bidding is a privacy nightmare - basically spraying your actions in real-time to every ad provider, with a pinky promise that they won't abuse it.
I don’t know why Candy Crush would require fine grained data, but I am pretty confident CC doesn’t ask for it.
People bitch and moan about negative externalities on society from the rise of the internet but for me it's hard to imagine few variables more imperative to a state's success over the longterm.