Cross-device tracking via imperceptible audio beacons threatens user privacy

As consumers use multiple devices through the day, and tracking cookies become increasingly less effective, the advertising industry is looking for new ways to track users’ online behavior.

As they pursue that goal with single-minded dedication, it falls on government institutions, privacy advocates and the users themselves to find ways to ensure that individuals’ privacy doesn’t get trampled.

The Federal Trade Commission (FTC) hosted a workshop to examine the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes. When the workshop was announced in March, the FTC called for public comments about the issue, in order to get a good handle on the current situation.

Among those who shared their knowledge and opinions was the Center for Democracy & Technology (CDT), a non-profit organization that works “to preserve the user-controlled nature of the Internet and champion freedom of expression,” and supports laws, corporate policies, and technology tools that protect the privacy of Internet users.

Among the questions the FTC wanted to know the answer to was “What are the different types of cross-device tracking, how do they work, and what are they used for?”

After enumerating a number of ways advertisers try to track users (accounts, cookies, supercookies, web beacons, browser fingerprinting), the CDT pointed out that cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons.

“The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices,” they explained.

“The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not ‘divulge the names of the apps the technology is embedded,’ meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 6-7 apps and the company monitors 18 million smartphones.”
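A defender's check for the kind of signal described above, as an added example that is not part of the article, the CDT comments or any vendor's code: it scans a recording for a steady narrowband tone near the top of the audible range. The 18-20 kHz band, the 20 dB threshold and the constructed 18.5 kHz test tone are assumptions; the article does not state which frequencies the beacons use.

```python
import math
import random

RATE = 44_100            # Hz, common capture rate
BAND = (18_000, 20_000)  # ASSUMPTION: band to probe; not stated in the article
STEP = 100               # Hz between probed frequencies
FRAME = 4_410            # samples per 100 ms frame (10 Hz bin spacing)
THRESHOLD_DB = 20.0      # ASSUMPTION: required margin above the in-band median


def goertzel_power(frame, freq):
    """Normalized power of one frequency component (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(frame) ** 2


def find_beacon_frames(samples):
    """Return (start_ms, peak_hz, standout_db) for frames holding an in-band tone."""
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        powers = {f: goertzel_power(frame, f)
                  for f in range(BAND[0], BAND[1] + 1, STEP)}
        peak_hz = max(powers, key=powers.get)
        median = sorted(powers.values())[len(powers) // 2]
        # Compare the strongest bin with the in-band median so broadband noise
        # does not trigger; the small constant avoids division by zero.
        standout_db = 10.0 * math.log10((powers[peak_hz] + 1e-15) / (median + 1e-15))
        if standout_db >= THRESHOLD_DB:
            hits.append((start * 1000 // RATE, peak_hz, round(standout_db, 1)))
    return hits


def constructed_recording(with_beacon):
    """Constructed 1 s sample: audible tones plus noise, optional tone at 300-700 ms."""
    rng = random.Random(0)
    out = []
    for n in range(RATE):
        x = 0.5 * math.sin(2 * math.pi * 300 * n / RATE)
        x += 0.5 * math.sin(2 * math.pi * 1200 * n / RATE) + rng.gauss(0.0, 0.01)
        if with_beacon and 13_230 <= n < 30_870:
            x += 0.05 * math.sin(2 * math.pi * 18_500 * n / RATE)  # constructed tone
        out.append(x)
    return out


if __name__ == "__main__":
    print(find_beacon_frames(constructed_recording(True)))
```

The inserted tone is 20 dB quieter than the audible content yet still stands well clear of the in-band noise floor, which is why a narrowband comparison works where overall loudness would not.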

Although not all advertising companies are using cross-device tracking, many are tempted, especially as the Internet of Things is growing exponentially.

“This level of detailed and pervasive surveillance creates obvious privacy issues. At a basic level it is very difficult for a user to make sensitive purchases without companies logging and tracking this activity. Further, when a company combines the information from the different devices, an extremely detailed picture emerges,” the organization noted.

“For example, a company could see that a user searched for sexually transmitted disease (STD) symptoms on her personal computer, looked up directions to a Planned Parenthood on her phone, visits a pharmacy, then returned to her apartment. While previously the various components of this journey would be scattered among several services, cross-device tracking allows companies to infer that the user received treatment for an STD. The combination of information across devices not only creates serious privacy concerns, but also allows for companies to make incorrect and possibly harmful assumptions about individuals.”

The CDT is obviously against this type of tracking if the user doesn’t know about it, can’t decide on whether or not to accept it, and doesn’t know what specific data is collected, with whom it is shared, and how they benefit from the practice.

This type of tracking should be transparent to the user and opt-in, and it should be regulated by the FTC to ensure that users “are informed and given a meaningful choice to protect their data,” the CDT concluded. “By providing meaningful industry guidance and investigating practices that are opaque to consumers, the FTC can help Americans gain further control over the privacy.”