Every time you see a little banner ad at the bottom of an app, there’s an instantaneous auction to show you that ad space. Google forwards info to bidders, who calculate how much they will spend to show you the ad. This means even the losers of the auction get a firehose of data. There are companies set up right now whose purpose is to lose that auction but collect the data anyways.
It should not surprise you to learn, then, that In-Q-Tel (the non classified investment arm of the CIA) has invested in some of these analytics (read: digital surveillance) companies.
The ads customers do not see data. A handful of exchanges do.
Participating in header bidding gives you data similar to what you would see from operating a popular mobile website.
I don't know. It doesn't surprise me that In-Q-Tel makes investments in good arbitrage businesses like exchanges. I'm sure many good investors make good investments. It isn't some kind of cynical surveillance play.
It isn't some kind of cynical surveillance play.
The overwhelming experience of the contemporary internet says it always is.
This link specifically says they get the data even if they don’t win the auction.
https://www.ftc.gov/news-events/news/press-releases/2024/12/...
> When Mobilewalla bid to place an ad for its clients on a real-time advertising bidding exchange, it unfairly collected and retained the information in the bid request, even when it didn’t have a winning bid, according to the complaint. The FTC’s complaint alleges that from January 2018 to June 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with consumers’ precise location data. The raw location data Mobilewalla collected was not anonymized and the company doesn’t have policies to remove sensitive locations from the data set, meaning that such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited. The company sold access to this raw data to third-parties, including advertisers, data brokers and analytic firms.
That doesn't mention Google anywhere in it that I can find.
I think you meant to reply to someone who replied to me.
It was meant to reinforce your comment. :)
How does one sign up for such a firehose? I was naively under the impression google did this bidding internally.
> There are companies set up right now whose purpose is to lose that auction but collect the data anyways.
Which is against Google's terms, but of course they don't police it because it's their way of selling user data without explicitly selling user data.
If I understand this right, Google isn’t actually selling user data to auction losers because auction losers are collecting the data without spending any money.
They leak data that enables the marketplace they run and profit from. That's the indirection. They count on this obfuscation (lack of an explicit transaction for the bid request data) to keep people from thinking of them as selling data.
Collectively the participants use this data to optimize their future bids and other surveillance/marketing efforts outside the Google ecosystem.
I'm sure Google would prefer there not be any parties involved that are purely leeches. But they may not be able to or may not care enough to tell the difference between leeches and parties that are still working out their infrastructure and bidding strategy and will begin bidding eventually. Or perhaps making a certain number of low bids you don't intend to win is what keeps you in the game.
comm -12 <(cat gravy_app_list\ -\ count.csv| uvx --from csvkit csvcut -c 2 | rg '\.' | sort) <(adb shell pm list packages -3 | cut -f 2 -d ":" | sort)
Two questions from looking at my list:
1. What do you replace PodcastAddict with? Will all ads traffic (not just the display of the ads on the screen) cease on a paid version?
2. How would MS Outlook get on the list in the first place?
Easier just to block the ad servers at the DNS level. I use NextDNS [1] as it lets me configure it, but AdGuard [2] DNS probably also works well.
> 1. What do you replace PodcastAddict with? Will all ads traffic (not just the display of the ads on the screen) cease on a paid version?
AntennaPod
I love AntennaPod. One app that does its job perfectly
This list is suspect. PodcastAddict doesn't even request location permissions[1]. How can it possibly get access to your location? If you read the article carefully, it caveats that the location might not even be sourced from gravy apps. At best, it's getting your ip location, which you're broadcasting to every website you visit anyways.
>Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.
[1] https://play.google.com/store/apps/details?id=com.bambuna.po...
Can it get the wifi SSID? Is that a permissioned property on Android/iOS? I believe there are companies that build databases of SSIDs and their locations by driving around, so if an app can get wifi info it could be pinpointed to a pretty specific location.
>Can it get the wifi SSID? Is that a permissioned property on Android/iOS?
It requires location permissions since forever ago, specifically because of the risk you described.
One point I do not see addressed in the article is how the location is collected.
It'd be a little bit of a stretch to call IP geolocation as collecting location data as it is usually no more accurate than just procuring the geolocation yourself, so there's no need to get it from a broker. However, on an Android for example, both ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION require permission dialogs, so how does it exactly work?
It's a stretch to call out a game for tracking every IP use use and trying to location track you using that? A game should not be trying to track my location at all, not get a pass because technically it's not very accurate.
At least some, if not the majority, is likely derived from the IP address used in the ad bidding process.
> Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS [Global Navigation Satellite System]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”
Tinder is location based, so probably through that.
Not sure about other apps.
Advertising is a virus that will infect every ecosystem
It's more like the ideal vector for some nasty stuff. There's nothing inherently wrong with it but folks doing evil stuff love it.
Watch "the economics of happiness" if you think there's nothing wrong with advertising. Sure, maybe it can be done without manipulating people's self-image into thinking they're not good enough, not beautiful enough, not wealthy enough, but if you're into maximizing revenue you're not going to simply advertise "here's our invention, take it or leave it"
> Sure, maybe it can be done without manipulating people's self-image into thinking they're not good enough, not beautiful enough, not wealthy enough, but if you're into maximizing revenue you're not going to simply advertise "here's our invention, take it or leave it"
Well, yes, that's it exactly. The problem is not advertising, it's trying to maximize revenue. That is the virus that is killing our world.
I believe there's nothing _inherently_ wrong with advertising.
> but if you're into maximizing revenue
In the space of ideas, there is a way for advertisement to exist without revenue. Even without money!
> manipulating people's self-image into thinking they're not good enough, not beautiful enough, not wealthy enough
You can do all of that _without_ advertising.
I can’t think of any positives of advertising that are not solely to the benefit of the advertiser.
That knife you bought because it looked cool, not the sharpest or most suited for your tasks. Cheerios aren’t really good for your heart. Dentists don’t universally recommend your flavored grain-infused fluoride paste.
It’s legalized lying where high end marketing companies are so good at it you might as well not try with a small budget. It’s not just bad from any angle, it’s also entrenched.
> You can do all of that _without_ advertising.
I want to double-emphasize this. Most advertising sucks, but the effect it has on people is not unique to advertising. Given your five senses, you are being consistently and constantly blasted with information people want to put in front of you in the hopes of effecting your future behavior in a way that makes you think that you’ve talked yourself into it.
But given a non-intrusive ad that isn’t trying to also surveil you and isn’t making demands on your attention, they can be informative. The problem is that non-intrusive ads that don’t make demands on your time and attention don’t support advertising-reliant companies with market caps as big as TV broadcasters, and if you want to also be as big as Google or Facebook, you also need the surveillance aspect of it, so if we ever get our shit together as a society and do something about that and they haven’t diversified their revenue streams sufficiently, they’re in for a very bad time.
> manipulating people's self-image into thinking they're not good enough, not beautiful enough, not wealthy enough
Unfortunately, social media is much more effective at ruining people's self-image and happiness than advertisers could ever dream to be
I think there's something inherently wrong with it. At it's core is a fundamental disregard for consent which harms people after prolonged exposure. The consequences of turning control of over our technology to people with an incentive to degrade our sense of dopamine hygiene have been very bad and continue to worsen.
Whatever legitimate needs ads can meet we can find better ways to meet. That is, if we could only get a break from life in a Skinner box.
Imagine there is a cause, mission, or vision that you care deeply about.
And you want larger numbers of people to care about it, too.
And you're willing to pay someone to help you distribute the message that will persuade those people to care.
That's advertising.
There's a tobacco lobby. There's also an anti-tobacco lobby.
I understand that, but what's your point? It doesn't get less sleazy when it happens to be a cause that I like. Maybe I have terrible taste. Why should I be allowed to subject people to my terrible taste without their consent? Why should being rich increase my ability to do so?
If it's actually such a good idea it should be possible to spread it consensually--that is, unless the intervening space was weaponized against us by advertisers.
And that person you pay fakes the numbers on your invoice, because everyone else does.
Imagine you're a small burger place that opened somewhere other than the center of town and you want people to at least know there's a new option besides slop from McDonald's.
In our world, where the advertisers are already making so much noise that the only way to be heard is to pay an advertiser to shout louder than the others... yes, that's probably what you have to do.
But in the absence of all of that noise in the first place, I think we could design something that does a much better job than ads do. As it is you have to pit your bank account against McDonald's and compete for attention, but think about how much money you could save (or spend on tastier things) if it was instead the quality of your burger that determined how widely known you ended up being.
I don't have the game theoretic secret sauce that would make that happen, but I believe that it's out there and that it would be cheaper and more effective than what we're doing if we just collectively stopped tolerating ads of any kind and focused on solving the where-can-I-get-a-good-burger type problems directly.
In my experience nearly every decent product ive ever wanted I either sought out myself first or found through word-of-mouth, almost none of it through marketing materials which these days I completely disregard because it is 99.99% bullshit. And I believe word-of-mouth would be even more effective and useful if mass advertising simply didn't exist to pollute peoples thoughts and preferences with a bunch of deceptive marketing garbage. I firmly believe over 99% of marketing could be easily replaced by simple word-of-mouth if it wasn't drowned out by marketing materials and advertisements.
> more like the ideal vector for some nasty stuff
Advertising is mosquitoes. Fits.
There are still many mysteries to unravel about viruses, they may be more important to a functioning ecosystem than we realize, and there are useful tricks which only they can do.
I think it's more like lead poisoning.
The two app lists from the article:
https://docs.google.com/spreadsheets/d/1Ukgd0gIWd9gpV6bOx2pc...
https://gist.github.com/fs0c131y/f498b21cba9ee23956fc7d76292...
Related FTC takes action against Gravy Analytics, Venntel for selling location data (194 points, 158 comments) https://news.ycombinator.com/item?id=42309429
Do I understand correctly that these apps are able to bypass OS permissions of whether to allow location data?
I wonder if apps are abusing background app refresh to do this on iOS.
My understanding is that it isn't difficult to create a background task that can periodically make network requests. Just have a background task make a HTTP request including some unique identifier to some ad network server, then have the server handle IP geolocation.
While the accuracy won't be great on a lot of mobile networks, you can get pretty granular on wifi as some ISPs have their IPs as granular as a neighborhood.
I disable background app refresh for almost all apps in anticipation of this and haven't had a degredation in app experience.
I noticed something when using 1Blocker on iOS, which creates a dummy on-device VPN to block tracker IP requests. After I turned off background app refresh, I noticed that the number of blocked requests went down a lot. While some were innocuous diagnostics, like Sentry, the vast majority were not.
I'd appreciate if someone familiar with iOS development could weigh in on if this would be practical or not, given the all of the execution limits of background tasks.
> you can get pretty granular on wifi as some ISPs have their IPs as granular as a neighborhood
I’ve heard that this might be the case in some places in the USA. Meanwhile, I have not seen that level of granularity for residential IP addresses in Norway for example.
The MaxMind GeoIP databases include information about how accurate (granular) the location data is for each entry in their db according to https://support.maxmind.com/hc/en-us/articles/4407630607131-...
Has anyone done analysis on the MaxMind GeoIP data to see how the granularity of the data differs between different cities and countries and published anything about that online?
I'm in the US and my current IP address puts me in an area about 30 miles away currently. However, last year up until a few weeks ago my IP would place me in my current ZIP code (using ipinfo).
My city is comprised of several ZIP codes so you could have figured out where I live within a ~1.5 mile radius.
The granularity may not matter that much though. You can infer a fair bit of data. If you remove mobile network IP addresses, which tend to be quite vague here, you can sort of tell how often someone leaves the house, goes on vacation, or if they visit a friend/family member often.
>I'm in the US and my current IP address puts me in an area about 30 miles away currently. However, last year up until a few weeks ago my IP would place me in my current ZIP code (using ipinfo).
>My city is comprised of several ZIP codes so you could have figured out where I live within a ~1.5 mile radius.
How do you know that it accurately knows your location down to the zip code level, and not just that your zip code just happened to match up? After all, a broken clock is right twice a day.
>The granularity may not matter that much though. You can infer a fair bit of data. If you remove mobile network IP addresses, which tend to be quite vague here, you can sort of tell how often someone leaves the house, goes on vacation, or if they visit a friend/family member often.
That might be useful for stalker-ish reasons, but it requires work to implement, and it's unclear why advertisers would care about this sort of stuff. You go to work 9-5 and visit your friends on weekends, how can you turn that into money? "people with a job and friends" isn't exactly a very lucrative marketing demographic.
Meanwhile, working on legitimate GPS requests in an app, my fiber optic ISP has the GPS of my IP about 2 streets up from where I live. I took a stroll and sure enough there's a big ol' grey communications box there.
You know, I'm totally okay with that.
"a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS [Global Navigation Satellite System]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK."
Probably it would use the location if the permission was enabled, otherwise fall back to IP geolocation
Real-time bidding is a privacy nightmare - basically spraying your actions in real-time to every ad provider, with a pinky promise that they won't abuse it.
Pinky promises from scoundrels. Pretty much with that group asking the pinky promise is to provoke abuse of it.
No. Wherever fine grained location data is available, users granted it.
I don’t know why Candy Crush would require fine grained data, but I am pretty confident CC doesn’t ask for it.
It's not even listed as a permission on the manifest, so it can't even request it: https://play.google.com/store/apps/details?id=com.king.candy...
The truth is, majority of the population doesn't care. Telling people to value their privacy is exhausting because of a stupid argument of "I have nothing to hide". You deserve your data to be up for sale (let's also not forget data breaches) if you are too reckless to calculate the consequences of using these apps
Personally I can't wait until tinder is hit by the government, absolutely ridiculous the sort of monopoly power their amalgamation of dating apps has.
People bitch and moan about negative externalities on society from the rise of the internet but for me it's hard to imagine few variables more imperative to a state's success over the longterm.
> Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location
This seems like a very misleading headline. These apps were (often for no user-beneficial reason) collecting location data. This code was put there deliberately by the app authors. The app authors are accomplices in leaking this data , they are not victims.
As I understand it, the story is not the advertising network getting the private data — we have all known that for a long time. The news is that even the unsuccessful real-time auction bidders can get a lot of this data.
Actually, location tracking was added on purpose..
It is capitalism that has been hacked.
Capitalism hasn't been hacked, it's working as designed. If there's a way to make money, it will be monetized. Decency and morality does not matter if it gets in the way of making more money.
Related:
See the Thousands of Apps Hijacked to Spy on Your Location - https://news.ycombinator.com/item?id=42651087 - Jan 2025
We'll merge those comments hither. Thanks!