https://theintercept.com/2017/11/24/staggering-variety-of-cl
andestine-trackers-found-in-popular-android-apps/

Photo: Dave J Hogan/Getty Images
Staggering Variety of Clandestine Trackers Found In Popular
Android Apps
Yael Grauer

2017-11-24T11:00:28+00:00

Researchers at Yale Privacy Lab and French nonprofit Exodus
Privacy have documented the proliferation of tracking
software on smartphones, finding that weather, flashlight,
rideshare, and dating apps, among others, are infested with
dozens of different types of trackers collecting vast
amounts of information to better target advertising.

Exodus security researchers identified 44 trackers in more
than 300 apps for Google's Android smartphone operating
system. The apps, collectively, have been downloaded
billions of times. Yale Privacy Lab, within the university's
law school, is working to replicate the Exodus findings and
has already released reports on 25 of the trackers.

Yale Privacy Lab researchers have only been able to analyze
Android apps, but believe many of the trackers also exist on
iOS, since companies often distribute for both platforms. To
find trackers, the Exodus researchers built a custom
auditing platform for Android apps, which searched through
the apps for digital "signatures" distilled from known
trackers. A signature might be a tell-tale set of keywords
or string of bytes found in an app file, or a
mathematically-derived "hash" summary of the file itself.

The findings underscore the pervasiveness of tracking
despite a permissions system on Android that supposedly puts
users in control of their own data. They also highlight how
a large and varied set of firms are working to enable
tracking.

"I think people are used to the idea, whether they should be
or not, that Lyft might be tracking them," said Sean
O'Brien, a visiting fellow at Yale Privacy Lab. "And they're
used to the fact that if Lyft is on Android and coming from
Google Play, that Google might be tracking them. But I don't
think that they think that their data is being resold or at
least redistributed through these other trackers."

Among the Android apps identified by the researchers were,
with six or seven trackers each, dating apps Tinder and
OkCupid, the Weather Channel app, and Superbright LED
Flashlight; the app for digital music service Spotify, which
embedded four trackers, including two from Google;
ridesharing service Uber, with three trackers; and Skype,
Lyft, Accuweather, and Microsoft Outlook.

(A Spotify spokesperson wrote, "We take data security and
privacy very seriously. Our goal is to give both our users
and advertising partners a great experience while
maintaining consumer trust." An Uber spokesperson referred
The Intercept to its published details on its use of
cookies, which lists some of their third-party cookie
providers but is not intended to be comprehensive. Users who
visit the privacy policy section of Uber's website can
follow an opt-out link which appears to only apply to
interest-based advertising on web traffic. The preferences
do not work if a user disables third party cookies, and
users must opt out again after deleting their cookies.)

Some apps have their own analytics platforms but include
other trackers as well. For example, Tinder uses a total of
five trackers in addition to its own.

"The real question for the companies is, what is their
motivation for having multiple trackers?" asked O'Brien.

"Data is the oil in the machinery here, and I think
they're just trying to find different ways to extract it."

Tinder's heavy use of trackers means the company has been
able to make use of behavior analytics, and also to accept
payment from shaving supply company Gillette for highly
targeted research: Do college-aged male Tinder users with
neatly-groomed facial hair receive more right swipes than
those with untidy facial hair?

Capabilities of the trackers uncovered by Exodus include
targeting users based on third-party data, identifying
offline movement through machine learning, tracking behavior
across devices, uniquely identifying and correlating users,
and targeting users who abandon shopping carts. Most
trackers work by deriving an identification code from your
mobile device or web browser and sharing it with third
parties to more specifically profile you. App makers can
even tie data collected from trackers with their own
profiles of individuals, including names and account
details. Some tracking companies say they anonymize data,
and have strict rules against sharing publicly identifiable
information, but the sheer wealth of data collected can make
it possible to identify users even in the face of such
safeguards.

Although some or all of the apps identified by Exodus and
Yale researchers may technically disclose the use of
trackers in the fine print of their privacy policy, terms of
service, or app description, it is difficult, to say the
least, for smartphone users to get a clear handle on the
extent and nature of the monitoring directed at them. The
whole point of using a mobile app, after all, is often to
save time.

"How many people actually know that these trackers are even
there?" said Michael Kwet, another visiting fellow at Yale
Privacy Lab. "Exodus had to create this software to even
detect that they were in there."

A few of the trackers offer users the option to opt out via
email or through their privacy settings. But tracking can
resume even after this step is taken. For example, one app
requires that users who clear their cache set up the opt-out
again. Some opt-outs are temporary. Even if the opt-outs do
end up being permanent, few users would even know to
activate them in the first place.
FILE - In this May 28, 2015, file photo, David Singleton,
director at Android Wear, speaks during the Google I/O 2015
keynote presentation in San Francisco. With the upcoming M
version of Android, you give permission as apps need it. (AP
Photo/Jeff Chiu, File)

David Singleton speaks during the Google I/O 2015 keynote
presentation in San Francisco.

Photo: Jeff Chiu/AP
Meet the Trackers

Google has a vested interest in allowing liberal use of
trackers in apps distributed through Google Play: One of the
most ubiquitous in-app trackers is made by Google's
DoubleClick ad platform, which targets users by location and
across devices and channels, segments users based on online
behavior, connects to personally identifiable information,
and offers data sharing and integration with various
advertising systems. DoubleClick's tracker is found in many
popular apps, including Tinder and OkCupid, Lyft and Uber,
Spotify, the Weather Channel and Accuweather, and the
popular flashlight apps Superbright LED flashlight and LED
light.

A Google spokesperson confirmed that its ad platforms
DoubleClick for Publishers and AdMob serve ads on both
Android and iOS devices, and that it ties information
collected by the networks to a persistent identifier to
measure engagement. Although users can control information
Google uses to show them ads, they cannot specifically opt
out of DoubleClick.

DoubleClick prohibits vendors from sharing personally
identifiable information or other unique identifiers, and
states that it only stores general location data like city
and zip code rather than precise location information unless
users enable location history in their Google account. App
developers who use the DoubleClick Ad Exchange are required
to disclose in their privacy policies that the user's
identifier will be shared unless the user opts out of ad
tracking, and to explain how the user can reset their
identifier. Google shares attribution data with advertisers
and third party measurement partners using these
identifiers.

Perhaps the most invasive of the trackers is Fidzup, a
France-based mobile performance marketing platform for brick
and mortar retailers. The company has stated in its
advertising copy that it has developed communication between
a sonic emitter and a mobile phone (either iOS or Android)
by emitting an inaudible tone to locate a user within a
shopping mall or a store. User phones receive the signal and
decode it to give away their location. The company further
uses geofencing to track users to a so-called "catchment
area," such as a specific section within a store, where it
can serve them targeted ads, possibly for a competing
retailer.

Mathieu Vaas, a spokesperson for Fidzup, said that the
company has not used inaudible tones in two years, but is
instead using wifi-based technology to obtain data regarding
how customers behave within stores and to retarget them with
ads. But information on sonic technologies is posted on
Fidzup's website (as of November 21st) and detailed further
in an older version of the site accessed on October 15. Vaas
stated that these pages are outdated and inaccessible from
the main page, and will be scrubbed from a new website
that's currently being prepared.

Vaas also confirmed that, even just using wifi technology,
Fidzup can track highly specific in-store behavior such as
aisles visited, the time spent in them, the number of visits
to a store, and so forth. Fidzup can also leverage other
apps to obtain geolocation data, but the only third parties
receiving that data are retailers that have installed the
company's wifi technology within their store, he added, and
the data it is only related to behavior within the store.
Vaas later said that Fidzup does not share information with
third parties.