Everyone knows your location: tracking myself down through in-app ads

qingcharles

One big privacy issue is that there is no sane way to protect your contact details from being sold, regardless of what you do.

As soon as your cousin clicks "Yes, I would like to share the entire contents of my contacts with you" when they launch TikTok your name, phone number, email etc are all in the crowd.

And I buy this stuff. Every time I need customer service and I'm getting stonewalled I just go onto a marketplace, find an exec and buy their details for pennies and call them up on their cellphone. (this is usually successful, but can backfire badly -- CashApp terminated my account for this shenanigans)

A4ET8a8uTh0_v2

<< find an exec and buy their details for pennies and call them up on their cellphone. (this is usually successful, but can backfire badly -- CashApp terminated my account for this shenanigans)

Honestly, kudos. The rules should apply to the ones foisting this system upon us as well. This is probably the only way to make anyone in power reconsider the current setup.

<< As soon as your cousin clicks "Yes, I would like to share the entire contents of my contacts with you" when they launch TikTok your name, phone number, email etc are all in the crowd.

And people laughed at Red Reddington when he said he had no email.

IgorPartola

There was a post from someone a long time ago who has an email address and name similar to Mark Cuban but not quite. He got quite a few cold call emails meant for Cuban. A lot of them were quite sad (people asking for money for medical procedures and such).

jeanlucas

Exactly this was tried by the likes of James Oliver and journalists/comedians of that caliber running ads and gathering data from politicians in Washington.

It was some years ago and resulted in nothing

lostlogin

Do you mean John Oliver?

gruez

>One big privacy issue is that there is no sane way to protect your contact details from being sold, regardless of what you do.

>As soon as your cousin clicks "Yes, I would like to share the entire contents of my contacts with you" when they launch TikTok your name, phone number, email etc are all in the crowd.

Fortunately this is changing with iOS 18 with "limited contacts" sharing.

https://mobiledevmemo.com/wp-content/uploads/2024/09/image.p...

The interface also seems specifically designed to push people to allow only a subset of contacts, rather than blindly clicking "allow all".

The far bigger issue is the contact info you share with online retailers. Scraping contact info through apps is very visible, drawing flak from the media and consumers. Most of the time all you get is a name (could be a nickname), and maybe some combination of phone/email/address, depending on how diligent the person is in filling out all the fields. On the other hand placing any sort of order online requires you to provide your full name, address, phone number, and email address. You can also be reasonably certain that they're all accurate, because they're plausibly required for delivery/billing purposes. Such data can also be surreptitiously fed to data brokers behind the scenes, without an obvious "tiktok would like access to your contacts" modal.

create-username

People will share their whole list because it’s simpler

taneq

Or because they were tricked. eg. LinkedIn’s “Connect with your contacts” onboarding step which sounds like it’ll check your contacts against existing LinkedIn users but actually spam invites anyone on your contact list that doesn’t have an account.

sneak

How about a no/limited internet setting? So many apps spy on you and they don’t need network at all to function.

x0x0

I think it's not properly appreciated that Apple fully endorses all of this. For two reasons: (1) the provision of the output of billions of dollars of developer time to their users for no up front cost (made back via ads) is super valuable to their platform; and (2) they uniquely could stop this (at the price of devastating their app store), but choose not to.

In light of that, perhaps reevaluate their ATT efforts as far less about meaningful privacy and far more about stealing $10B a year or so from Facebook.

gruez

>I think it's not properly appreciated that Apple fully endorses all of this. [...] they uniquely could stop this (at the price of devastating their app store), but choose not to.

A perfectly privacy respecting app store isn't going to do any good if it doesn't have any apps. Just look at f-droid. Most (all?) of the apps there might be privacy respecting, but good luck getting any of the popular apps (eg. facebook, tiktok, google maps) on there.

>In light of that, perhaps reevaluate their ATT efforts as far less about meaningful privacy and far more about stealing $10B a year or so from Facebook.

What would make you think Apple's pro-privacy changes aren't "about stealing $10B a year or so from Facebook"? At least some people are willing to pay for more privacy, and pro-privacy changes hurt advertisers, so basically any pro-privacy change can be construed as "less about meaningful privacy and far more about stealing".

liontwist

> find an exec and buy their details for pennies and call them up on their cellphone

There is a vendor for this very thing in relation to business and government positions called “zoominfo”.

hughesjj

> CashApp terminated my account for this shenanigans

Did you call to complain about the termination?

nehal3m

Assuming these marketplaces operate within the bounds of the law, would it break HN’s ToS to post them? I’d be interested in pursuing the same strategy.

gruez

Most online forums ban "doxing" even if it's theoretically legal.

nehal3m

Technically it's one step removed from doxxing, but I'll take your point.

amelius

I'm not familiar with these marketplaces. Could you name a few examples?

vlan0

Actually this could prove very useful for a resistance movement. Take them down with their own medicine.

everdrive

I'm really happy to see this level of detail and research. So many privacy-related articles either wholly lack in technical skill, or hysterically cannot differentiate between different levels of privacy concerns and risks.

People commonly point to Mozilla's research regarding vehicles' privacy policies. (https://foundation.mozilla.org/en/blog/privacy-nightmare-on-...) But that research only states what the car company's lawyers felt they must include in their privacy policies. These policies imply (and I'm sure, correctly imply) that your conversations will be recorded when you're in the vehicle. But, they never drill down into the real technical details. For instance ... are car companies recording you the whole time and streaming ALL of your audio from ALL of your driving? Are they just recording you at random samples? Are they ONLY recording you when you're issuing voice commands, and the lawyers are simply hedging their bets regarding what sort of data _might_ come through accidentally during those instances? Once they record you, where is the data stored, and for how long? Is it sent to 3rd parties, etc? Which of these systems can be disabled, and via what means? Does disabling these systems disable any other functionality of the vehicle, or void its warranty? Lastly, does your insurance shoot up if you have a car without one of these systems? etc ...

The list of questions could go almost indefinitely, and presumably, would vary strongly across manufacturers. So much of the privacy news out there is nothing but scary and often not very substantiated worst case scenarios. Without the details and means to improve privacy, all these stories can do is spread cynicism. I'm really glad to see this level of discourse from the author.

jjeaff

I'll answer the, "Does disabling it void your warranty?" question. The answer is almost always "no". Unless the modification you make to something actually directly or indirectly caused damage to it, companies in the US cannot "void the warranty".

lesuorac

I'm sure the company will argue the warranty is voided akin to how trucks have "not liable for damage from rocks" or w/e (they are).

IIRC, this is under the Magnuson-Moss act but I didn't find it when skimming wikipedia.

https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...

AlotOfReading

Those aren't questions that have fixed answers. The data available is pretty far beyond what I'm personally comfortable with though.

One OEM I'm familiar with had such a policy. My org determined that we needed a statistical reference to compare against within a certain area. Some calls were made to the right people and shortly after we had a (mildly) anonymized map of high precision tracks for every vehicle of that brand within the area over some period.

everdrive

That’s pretty interesting. What was the purpose of the statistical sample? What did your company want to know precisely?

jon9544hn

I’m assuming insurance or commercial trucking? Or both?

inahga

There are quite a few interesting tracking flows out there.

My rent is paid through a company called Bilt.

I discovered that when I shop at Walgreens now, Bilt sends me an email containing the full receipt of what I bought like so:

    > Hey [inahga],
    >
    > You shopped at Walgreens on 12/1/24 and earned Bilt Points with your
    > Neighborhood Pharmacy benefit.
    >
    > Items eligible for rewards
    > TOSTITOS HINT OF LIME RSTC 11OZ
    > $3.50
    > 
    > +3 pts
    > TOSTITOS RSTC 12OZ
    > $3.50
    >
    > +3 pts
    > Other items*
    > EXCLUDED ITEMS
    > $0.07
    >
    > *May include rewards-ineligible items and/or prescriptions.

Ostensibly (hopefully) it would exclude sensitive items, plan B, condoms, etc...

I'm curious how this data flows from Walgreens to my rent company, but maybe I'd rather not know and just use cash/certified check from now on.

curiousthought

This is called Level 3 data, and any merchant can choose to provide it for a reduction in the transaction fees they pay.

Here's a small comment thread from a few months back: https://news.ycombinator.com/item?id=41213632

baxtr

So in essence the merchant pays with my data?

liontwist

This is the real reason why they can afford to give you cash back.

bredren

Yes, though people also welcome the extra cash back or other card benefits.

Apple Card does not sell this data, IIRC. But offers a lower cash back than many other cards.

anon7000

It’s honestly crazy that we allow companies to sell our data — and even financially incentivize companies to share our data like this.

kortilla

The problem is that to you it seems like your data but to Walgreens they see it as theirs. They generated it with their point of sale system.

The data is about a transaction that you made, but they generated all of it.

Until we have agreement as a society about what “my data” means, this kind of stuff is going to run rampant.

sixothree

It’s amazing how little control we have over information that is the most personal essence of our lives.

Why do we have zero insight, no control. Nothing.

I hate it so much.

inahga

Thanks for the details.

> choose to provide it for a reduction in the transaction fees they pay.

That would explain why I can use my credit card for rent without a transaction fee! No free lunch!

coin

Who is Level 3 data shared with, i.e. who is the aggregator? Is it the credit card bank that then aggregates and sells it?

uoaei

Is there any documentation on this to read further? I.e. what the different levels contain and how much on average is the cost reduction for the merchant.

devmor

Here is implementation documentation from Mastercard about l3: https://na-gateway.mastercard.com/api/documentation/integrat...

The cost reduction is very small, it’s applied to interchange fees. I’ve been directly responsible for implementing this functionality on payment gateways for multiple processors because it helps reduce fraud holds as well.

andrewfromx

"Bilt Members can earn points on Walgreens purchases made using any card linked to their Bilt account."

https://support.biltrewards.com/hc/en-us/articles/2901187842...

There's that FSA/HSA benefit section at the bottom which explicitly states that Bilt receives item-level data:

https://www.biltrewards.com/terms/walgreens

gruez

That just sounds like a standard cross-merchant loyalty program? I don't think there are many examples in the US, but once you realize it's a loyalty program you really shouldn't be surprised that they're tracking your purchase history. That's basically the entire premise.

jkaplowitz

In Germany, the major cross-merchant loyalty program Payback gives you one or two rounds of extra consent choices about the tracking, and the type we see here is absolutely not mandatory for participating. It does of course let them give you more personalized and useful coupons, but one can participate while declining that permission.

mistrial9

> it's a loyalty program

calling something loyalty does not make it "loyalty" ..

crazygringo

I believe that's opt-in. At least it seemed to be when my landlord switched to Bilt.

There's a section of your Bilt profile that shows your other credit cards and whether you want them linked. It's pretty freaky to see them listed in the first place.

I definitely keep them off.

Bilt is ultimately a big points/reward program though, so you might get points for having them connected.

I still haven't figured out exactly what Bilt's business plan is, but the main part seems to be trying to get as much financial data on people as possible, and partnering with landlords to do so, and since it's how to pay your rent you can't unenroll completely. (Unless you maybe mail your landlord a paper check?)

inahga

It was opt-out for me. Or at least, I was never given informed consent that this data exchange was going to take place.

The landlord of course makes it _seem_ like you have no other modes of paying rent. The cashier’s check option is buried in the fine print.

Dark patterns all around IMO.

inetknght

> just use cash/certified check from now on

You might want to find out about the sophisticated and pervasive facial recognition technology used by major retailers. Paid by cash? It can still be tracked to you. For "fraud prevention", of course.

gruez

>Paid by cash? It can still be tracked to you. For "fraud prevention", of course.

They can already track you through your phone and/or credit cards. Why bother setting up a massive facial recognition system for people paying with cash when they only account for 10% (or whatever) of overall shoppers, and have less disposable income than average?

spencerflem

idk why, but they do

londons_explore

Are you aware of cases where it is used for more than theft prevention/manual review of CCTV?

I'm not aware of any big retailers using facial data for targeting vouchers or anything similar.

Simple things like "did walk through the door with a child" would be pretty valuable data, yet as far as I know, nobody uses it.

kortilla

Is there actual evidence of this, like anywhere?

Facial recognition on a small corpus of known faces (what everyone experiences on Facebook, their phones, etc) is an easy problem.

Walmart picking up a face walking into a store and matching it against 30 million possibilities is going to return so many false positive matches it’s going to be completely useless.

random3

I'm assuming you're using your Bilt card when this happens. Your Bilt agreement stipulates how itemized transaction data (level 3 in payment terms, with level 2 being "enriched" with subtotals/tax and merchant information- which is what you typically see with your normal bank)

Card networks (Mastercard, VISA) have different fee structures that incentivize more detailed information like level 3 for lower processing fees for merchants - here's more details on levels https://na-gateway.mastercard.com/api/documentation/integrat...

https://support.biltrewards.com/hc/en-us/articles/5536526023...

Perhaps more interesting in your case is that if you had your card issued in or before 2022, it's likely with Evolve bank which was breached - https://medium.com/@HackLaddy/when-your-bank-doxxes-you-9152...

jrockway

What's most interesting to me about that is that they are willing to disclose that data to your email provider. Amazon, for example, is pretty cagey about what you've bought when sending emails, probably because they don't want Google to be able to use that information to target ads to you. (Not because they are Good and care about your privacy, but because they think they're going to beat Google at advertising. How's that going?)

So yeah, I don't get why they would do this. It gives their advertising competitors valuable data for free, and it pisses off customers by telling them that they're being tracked when they shop at Walgreens. Strange stuff.

kevin_thibedeau

Loyalty cards are one avenue for data brokers to get your purchase history. Credit cards can also sell your purchase data. Currently the only safe-ish way to be anonymous is with cash. That may disappear with pervasive face recognition and cell phone tracking.

Y_Y

If you find the condoms overly sensitive you can try one of the "long lasting" versions.

dspillett

Is that my personality or my looks? :-)

theptip

> Why do they need to know my screen brightness, memory amount, current volume and if I'm wearing headphones?

This is clearly adding entropy to de-anonymize users between apps, rather than to add specificity to ad bids.

jmward01

It would be amazing if you could build and send fake profiles of this information to create fake browser fingerprints and help track the trackers. Similarly, creating a lot of random noise here may help hide the true signal, or at least make their job a lot harder.

nickburns

Unfortunately fingerprinting prevention/resistance tactics become a readily identifiable signal unto themselves. I.e., the 'random noise' becomes fingerprintable if not widely utilized.

Everyone would need to be generating the same 'random noise' for any such tactics to be truly effective.

jmward01

A sufficient number of people would need to, not everyone. And if I were the only one then tracking companies wouldn't adjust for just me. Basically, if this were to catch on then ad trackers wouldn't adjust until there was enough traffic for it to work. Also, that doesn't negate the ability to use this to create fake credentials that aid in tracking ads back to their source.

GeoAtreides

> adding entropy to de-anonymize users

_removing_ entropy, by adding more information bits

ohisaysir

Technically, information is the bits you DON'T know. Once you know the bits, it isn't "information" in the Shannon sense, in that it takes no energy to reset a message if you know all the bits, but takes N-units of energy for N unknown bits of information. (See: Feynman's lectures on computation)

Xen9

It's also useful for making ads more effective & manipulation overall. As long as you can connect the data you track & buy, you can use Thompson sampling. In fact, why would we think knowing the name of a person is anything but bad business?

gruez

Everything listed changes way too often to be useful for tracking. My guess is that it's for anti-fraud purposes. Someone setting up fake devices and/or device farms is likely to get similar values, which means they can be detected via ML or whatever.

Groxx

> screen brightness, memory amount, current volume and if I'm wearing headphones

None of those are likely to change when you navigate from one website to another, with tracking/ads disabled, which is what they want to be able to track. Otherwise they'd just use their cookies.

One device visits a site where you sell ads. A minute later, an unknown device with identical battery, volume, headphone, brightness, model number, browser version, and boot time to the second arrives on another site you run ads on. There's a pretty good chance they're related, because the odds of all those being the same plus those two sites and recent timings involved is rather low: https://coveryourtracks.eff.org/

Plus it doesn't have to be perfect. It just has to be good enough in bulk to sell.
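Added example, not part of the thread: a way to measure how identifying the attribute combination discussed above is, and how much coarsening the values shrinks that. The population is synthetic and every distribution in it is an assumption, so the numbers only illustrate the method.

```python
import math
import random
from collections import Counter

SOFT = ("brightness", "volume", "headphones", "battery")
ALL = ("model",) + SOFT + ("boot_time",)


def make_population(n=5000, seed=7):
    """Constructed sample: n synthetic devices, not real measurements."""
    rng = random.Random(seed)
    models = ["phone-a", "phone-b", "phone-c", "phone-d"]
    return [{
        "model": rng.choice(models),
        "brightness": rng.randrange(0, 101, 5),      # 21 levels
        "volume": rng.randrange(0, 16),              # 16 steps
        "headphones": rng.random() < 0.3,
        "battery": rng.randrange(1, 101),            # percent
        "boot_time": rng.randrange(0, 14 * 86400),   # second of boot, 2-week window
    } for _ in range(n)]


def _groups(population, attrs):
    """Size of each anonymity set: devices sharing the same attribute tuple."""
    return Counter(tuple(d[a] for a in attrs) for d in population)


def entropy_bits(population, attrs):
    """Shannon entropy (bits) of the joint distribution of attrs."""
    n = len(population)
    return -sum(c / n * math.log2(c / n)
                for c in _groups(population, attrs).values())


def unique_fraction(population, attrs):
    """Share of devices that are alone in their anonymity set."""
    groups = _groups(population, attrs)
    return sum(1 for c in groups.values() if c == 1) / len(population)


def coarsen(population):
    """What a platform could expose instead: bucketed values, no boot time."""
    return [{
        "model": d["model"],
        "brightness": d["brightness"] // 25,
        "volume": d["volume"] // 4,
        "headphones": d["headphones"],
        "battery": d["battery"] // 10,
    } for d in population]


if __name__ == "__main__":
    pop = make_population()
    for attrs in [("headphones",), ("brightness",), SOFT, ALL]:
        print(f"{'+'.join(attrs):45s} "
              f"{entropy_bits(pop, attrs):5.2f} bits  "
              f"{unique_fraction(pop, attrs):6.1%} unique")
    coarse = coarsen(pop)
    print(f"{'coarsened, no boot_time':45s} "
          f"{entropy_bits(coarse, ('model',) + SOFT):5.2f} bits  "
          f"{unique_fraction(coarse, ('model',) + SOFT):6.1%} unique")
```
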

AyyEye

> There's no "personal information" here, but honestly this amount of data shared with an arbitrary list of 3rd parties is scary. Why do they need to know my screen brightness, memory amount, current volume and if I'm wearing headphones?

Screen brightness, boot time, memory, and network operator could probably fingerprint any device all by itself.

maximilianthe1

A lot of people have "autobrightness" on. I'd think brightness doesn't help much here

sky2224

Automatic brightness probably helps honestly. It could help confirm whether someone is in fact in an area that has high levels of lighting around them (e.g., in a store, at a beach on a sunny day, etc.)

Every little piece of data that is gathered and used can help even if it isn't immediately apparent.

Now I could be wrong on this, but I feel like advertisers don't need to know something is true about a user, they just need to be confident something is true about a user and that's where data points like screen brightness can be of help to them.

landr0id

Kind of a joke, but it could be useful for determining if they should serve light-mode or dark-mode ads. But I suppose they could just detect if dark/light mode are enabled.

atum47

Reddit app has no permissions on my phone, but the feed suggests communities based on my location nevertheless. I've been traveling for the last two months, every city I've been to has been suggested.

gruez

>If it was LTE, I bet the lat/lon would be much more precise.

False. Apps don't have access to cellid information unless they also have location permissions, in which case they can just request your location directly.

>the free apps you install and use collect your precise location with timestamp [...]

This is alarmist and contradictory given that the author admits a few paragraphs up that the "location shared was not very precise". It might be possible for the app to request precise location via location services, but the app doesn't request such permissions (at least on android, you can't check for requested permissions on iOS without installing the app and running it), so such apps are most definitely limited to "not very precise" locations.

>At the same time, there is so much data in the requests that I'd expect ad exchanges to find some loophole ID that would allow cross-app tracking without the need for IDFA.

At least in theory they're not supposed to do that, but it'd be hard to enforce.

"If a user resets the Advertising Identifier, then You agree not to combine, correlate, link or otherwise associate, either directly or indirectly, the prior Advertising Identifier and any derived information with the reset Advertising Identifier. "

https://developer.apple.com/support/terms/apple-developer-pr...

anon7000

Eh. Zip code level location + timestamp is still pretty invasive, even if, pedantically, that’s not very precise.

We should compare if there are differences in the data sent in countries with better data privacy laws.

eli

"Precise" has a specific meaning for iOS Location Services and this ain't it. Presumably it's just doing IP geolocation which could be the same post code, or it could be the wrong city entirely. I'd expect it to be much worse on LTE than WiFi.

gruez

>Eh. Zip code level location + timestamp is still pretty invasive, even if, pedantically, that’s not very precise.

That's basically sent to multiple parties (ISPs, transit providers, CDNs, analytics/advertising/diagnostics/security vendors) every time you visit a website. If this counts as "invasive" to you, you shouldn't be connected to the internet at all, much less buying a tracking device (a smartphone) and installing random ad-supported apps on it.

jmward01

A long time ago I had the idea to create an 'accountability server'. The high level idea was for it to generate unique credentials so that you could track to the source who sold your info. There are some ways to do that now, but I wonder if it is time to start exploring that idea again. If you exposed it as a VPN/proxy+app that ran on a server in your home, so that you could collect your own data and provide unique credentials on account creation, then I wonder how much that combination could figure out. Since it could act as a man in the middle it potentially could annotate credential source and see the ads and potentially track them to source. "This male enhancement pill ad is linked to your tire purchase." There is a lot of hand waving here, but I wonder if something like this could be built. The first step to stopping things like this is showing people who did it to them.
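Added example, not part of the thread: one way the "unique credentials on account creation" part of this idea could work, using an HMAC-tagged e-mail alias per service so that mail arriving on an alias can be attributed to the service it was issued to. The alias format, the `mail.example` domain, the secret and the sample messages are all assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import re


def _label(service: str) -> str:
    """Normalise a service name so it is safe inside an e-mail local part."""
    return re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")


def _tag(secret: bytes, label: str) -> str:
    """Short MAC over the label; stops outsiders minting valid aliases."""
    mac = hmac.new(secret, label.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac)[:8].decode().lower()


def make_alias(secret, service, mailbox="me", domain="mail.example"):
    """Alias to hand to exactly one service at sign-up."""
    label = _label(service)
    return f"{mailbox}+{label}.{_tag(secret, label)}@{domain}"


def attribute(secret, recipient):
    """Return the label the alias was issued to, or None if it does not verify."""
    local = recipient.split("@", 1)[0].lower()
    _, plus, rest = local.partition("+")
    label, dot, tag = rest.rpartition(".")
    if not (plus and dot and label):
        return None
    if not hmac.compare_digest(tag.encode(), _tag(secret, label).encode()):
        return None
    return label


def leak_report(secret, inbound):
    """Map each issued alias to the unexpected sender domains that used it."""
    report = {}
    for recipient, sender_domain in inbound:
        label = attribute(secret, recipient)
        if label is None:
            report.setdefault("unverified", []).append(sender_domain)
        elif _label(sender_domain) != label:
            report.setdefault(label, []).append(sender_domain)
    return report


def demo():
    secret = b"constructed-demo-secret"          # constructed value
    tires = make_alias(secret, "tires.example")
    inbound = [                                  # constructed messages
        (tires, "tires.example"),                # the service itself: expected
        (tires, "pills.example"),                # someone else has this alias
        ("me+tires-example.aaaaaaaa@mail.example", "spam.example"),  # guessed
    ]
    return leak_report(secret, inbound)


if __name__ == "__main__":
    print(demo())
```
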

aorloff

There's no question about who the players involved are.

https://developers.google.com/authorized-buyers/rtb/openrtb-...

gruez

Wouldn't this require access to bid side data? The OP mentions it's pretty easy to get, but any company using this to expose advertisers is going to get their access cut off pretty fast. As the saying goes, "snitches get stitches".

jmward01

My thought here is that there is likely a lot of leaked data on ads themselves, that is one of the reasons why you would need the VPN/proxy. Additionally you could (potentially) create fake browser fingerprint credentials on the fly to feed sites and have the VPN/proxy track the ads that show up for those credentials. (other credentials like email and the like could also be created by the app for you) You don't see the bid data, but you may be able to control the tracking that spurs it and you can see the results of it so a setup like this could likely make some inferences.

I don't know this industry well and the tech here has long since eclipsed me so I really don't know what is possible but I imagine there are possibilities with this setup.

BubbleRings

I clicked the link at the beginning of your article, that led to the Google sheet with the list of apps. That list had 12,373 lines, not “over 2,000”, fyi. And while most of the apps looked like small time games that I have never downloaded and would probably not download, I saw included there “Microsoft Office 365”. Interesting.

psanford

Don't use mobile apps that could just be websites.

dylan604

Extended to add don’t use websites without blockers. If they are willing to track via app, why would we think they would not track via browser?

nicbou

The browser has less access to your system, and usually only if you give a specific website permission to use these features. Mobile operating systems are slowly changing that though.

daghamm

At least on android the browser is limited by the android permission system, i.e. if you don't give the browser GPS permission it cannot give pages ditto. In addition the browser will ask if you want to grant an app access to something like positioning data.

Furthermore, it is hard for a web page to run in background and receive user data.

anurag

I'm a very happy paying customer of NextDNS (https://nextdns.io) which blocks known adware and tracking hosts across all mobile and desktop platforms.

nickburns

Which does absolutely nothing if your device or the app in question is permitted or otherwise not prevented from making DNS-over-HTTPS (or, less commonly because of its discrete port, DNS-over-TLS) queries.

madeofpalk

Don't all the ad-blocking DNS providers also support DNS-over-HTTPS now as well? I use it with AdGuard Home, and I saw PiHole supports it as well.

nickburns

I'm referring to devices and apps that are 'hard-coded' to query specific DoH servers/providers, therefore bypassing and regardless of any user-configured DNS server/s. And because DoH operates on outbound TCP/443, the lookups are indistinguishable from any other 'web' traffic.

Even some of the most popular desktop web browsers are configured to utilize DoH by default nowadays.

The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers and otherwise PAT all outbound 53 (and 853) traffic to a local stub resolver (like a local Pi-hole instance, for example).
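Added example, not part of the thread: the two controls described above (redirect stray port 53/853 traffic, block known DoH servers) expressed as a classifier over flow records, which also shows the gap left for DoH servers that are not on the list. The local resolver address, the short resolver list and the flow records are assumptions constructed for the sketch; a real deployment would use a maintained blocklist.

```python
import ipaddress
from collections import defaultdict

# Assumption: the local stub resolver (e.g. a Pi-hole) lives at this address.
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.53")

# Small sample of public resolvers that also answer DoH on port 443.
KNOWN_DOH = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1",              # Cloudflare
    "8.8.8.8", "8.8.4.4",              # Google
    "9.9.9.9", "149.112.112.112",      # Quad9
)}

# Constructed flow records: (source, destination, protocol, destination port)
FLOWS = [
    ("192.168.1.20", "192.168.1.53", "udp", 53),    # lookup via local resolver
    ("192.168.1.53", "9.9.9.9", "udp", 53),         # resolver's own upstream
    ("192.168.1.31", "8.8.8.8", "udp", 53),         # hard-coded plain DNS
    ("192.168.1.31", "1.1.1.1", "tcp", 853),        # DNS-over-TLS
    ("192.168.1.42", "9.9.9.9", "tcp", 443),        # DoH to a listed server
    ("192.168.1.42", "203.0.113.10", "tcp", 443),   # HTTPS, or DoH to an unlisted server
]


def classify(src, dst, proto, dport):
    """Return the action the firewall policy described above would take."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == LOCAL_RESOLVER:
        return "pass"                    # the resolver must reach its upstream
    if dport in (53, 853) and dst_ip != LOCAL_RESOLVER:
        # Distinct ports make these easy to catch and rewrite.
        return "redirect-to-local" if dport == 53 else "block-dot"
    if dport == 443 and dst_ip in KNOWN_DOH:
        # TCP/443 is classic DoH; HTTP/3 carries it over UDP/443.
        return "block-known-doh"
    return "pass"                        # includes DoH to servers not on the list


def summarize(flows):
    """Per source host, the set of non-pass verdicts its traffic triggered."""
    hits = defaultdict(set)
    for src, dst, proto, dport in flows:
        verdict = classify(src, dst, proto, dport)
        if verdict != "pass":
            hits[src].add(verdict)
    return {host: sorted(v) for host, v in hits.items()}


if __name__ == "__main__":
    for host, verdicts in sorted(summarize(FLOWS).items()):
        print(host, verdicts)
```
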

Argonaut998

Facebook hard-code IP addresses when their domains are blocked. I found this out while using NextDNS alongside that logging functionality that iPhones have. It’s insane the lengths that they go to.

ssklash

It's not insane at all. It is the entirety of their business model, so it makes sense that they will do everything possible to keep that sweet surveillance cash flowing.

ornornor

One more reason I don’t use Facebook and will never install their app on my phone.

EveOffline

Very interesting and disturbing research, definitely a wake up call for me. Does anyone know/can anyone recommend me software that can block these sorts of requests from going through? I know of pihole which blocks ads but does it also filter out these sorts of things?