It's widely known that companies use advertising on mobile apps that are targeted at groups of people based on their gender, age and where they live.
But a study by the University of Washington has found that not only are these companies able to send targeted ads your way, they can also use them to track your location – even if you didn't click on the ad.
The findings, which you can read here, have implications for internet privacy at a time when we're sharing more and more personal information across cyberspace.
The researchers found that you could track a person's location and learn information about app users with an advertising budget of as little as $1,000.
Ten different apps were tested, including Grindr, iFunny, Imgur, Words with Friends, and Talkatone, all using widely available ad networks.
How do they do this?
Now bear with us on this, it's a little in-the-weeds.
After buying an ad for an app, the advertiser obtains a copy of your Mobile Advertising ID (MAID), which identifies your device for advertising purposes.
This MAID number is handed over to advertisers instantly if you click on an ad – working in the same way as cookies on web browsers.
But even if you don't click, advertisers can obtain it by "WiFi sniffing," intercepting the information your device sends over an unsecured WiFi network or when you're using your mobile data.
Then, the advertiser targets the ads not just at your device, but also at a series of GPS locations. By noting which ads get activated depending on where you are, advertisers can build a GPS grid showing your movements. Like this image to the right.
Franzi Roesner, who co-authored the paper, said it was "so easy" for them to figure out how to track a person's movements, adding: "This is an issue that the online advertising industry needs to be thinking about.”
There are some limitations. You need to have the app open long enough for someone to track you. It's also only accurate to about 8 meters, and you need to stay in a location for about 5 minutes before the information is relayed back to the advertiser.
What are the implications of this?
The report points out numerous ways that this kind of tracking can be used for unseemly means.
Businesses, for example, could use it to identify traffic into the offices of a competitor, or to assess activity at a venture capital firm to see if they're preparing a big announcement that could have investment implications.
Paparazzi could use the techniques to track celebrities, while journalists could do the same to follow politicians.
It could also be targeted to identify people who are visiting specialized medical centers, known activist meeting points, religious centers and weapons ranges.
Not only can you use the ads to track people, but you can learn information about them just via the app they're accessing the ads through.
If an ad is used within pregnancy monitoring or dating apps, it provides ad-buyers with additional valuable information about the user (i.e. they're pregnant or single) that could be used for future targeting.
“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behavior,” author Paul Vines told The Verge.