By now, most of us are probably used to the idea that large corporations track our preferences and activities every time we go online. It’s the price we pay for the custom, convenient experiences we seek on the internet. But tracking your activity online isn’t exclusive to high-flying FAANG companies. For a modest sum, anyone can use the similar tracking tools to essentially spy on another person’s activities.

To illustrate the ease of web-based voyeurism, researchers from the University of Washington purchased ads from a common network and used them to track a person’s location and behavior, all for the price of about $1,000. So far, there are no reported instances of this method being applied to nefarious ends in the real world, but it reveals worrying vulnerabilities in the ways that technology companies gather, disseminate and monetize personal information.

More Than An Annoyance

The researchers exploited the way ads are shown to us whenever we open up an app or visit a website on our phones. Platforms known as demand-side providers (DSPs) buy up ad space on apps and sites and place their client’s promotions there. Most DSPs offer fairly sophisticated targeting options, such as by gender, language, age, interests, location, type of app and more. This allows a potential attacker to target ads at very specific groups of people, such as those who use different kinds of religious apps or gay dating sites, for example. They could also target a specific app or location.

To connect their ads to specific people, the researchers relied on the mobile advertising ID (MAID) assigned to every smartphone. It’s a code that allows advertisers to track how frequently they serve content to a specific user, and also a convenient means of identifying them. It’s quite easy for potential attackers to get a target’s MAID, and the researchers detail several means of doing so, from eavesdropping on unsecured WiFi connections to intercepting cellular traffic to simply buying it online. Through the ad service, a MAID and a little snooping, the researchers could connect the dots to an actual person.

For their experiment, the researchers bought their own ad space through one of these networks and input ads from their university. The tracking tools allowed them to monitor every time their ad got served, as well as where and to whom, and the bits of data were enough to give them potentially damaging information about users.

Setting up an ad-buying profile is both easy and cheap, they say, which means anyone could do it. They presented their work at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society last month.

What, Where and When

With this information, researchers could map out the route a study participant took on their way to work. To track physical movement, they simply created a grid of ads tied to a very specific location. When the target opened up an app on their morning commute, an ad would get served and the researchers were notified. Seeing when and where the ads popped up let them piece together the route their subject took.

It wasn’t perfect — it took a few minutes for an ad to be served, and the target had to have the app open for it to work. But stopping for a coffee, waiting at the bus stop, or having a brief conversation while also using an app turned out to be enough for the researchers to pin down a person’s location.

Advertising DSPs also reveal which app they serve ads on. While using the Facebook app isn’t very incriminating, using the gay dating app Grindr, or a Quran app, could be dangerous in other parts of the world. Targeting ads to certain apps, as most DSPs allow for, could also help attackers ferret out information.

Keeping Safe

Again, there’s no evidence that anyone has tried to exploit this vulnerability for nefarious purposes, but you can do a few things to protect yourself regardless. One of the most basic is to simply limit your phone use. If you don’t open up apps that serve ads, you can’t be tracked by them. You could also disable location services on your phone, although that means you can’t use some apps that rely on it, like Google Maps. You could also restrict location tagging to just those apps that don’t serve ads.

Another way to confuse would-be attackers is to change the mobile advertising ID on your phone. This is relatively easy to do, and means that it’s harder to tie a specific MAID to you. Always using secure WiFi connections and be careful about the information you send over the internet are good rules of thumb as well.

For ad companies and DSPs, the researchers say that their research should be a warning about the potential for abuse their services offer. In the future, watching out for hyper specific or suspicious-looking ad buys could be a way to ferret out individuals attempting to use them for tracking and targeting, they say. Machine-learning algorithms could also provide a layer of security.