> [!info]
> Input: [[Email Address|email address]]
> Output: [[Geolocation|location]], [[Interests|interests]], [[Age|age]]
>
> Types: [[Behavioural Weakness|behavioural]], [[Business Weakness|business]]
> Weakness: [[SOWEL-21. Exposing Interests]]
> Functionality: [[SOFL-7. Advertisements]]
### Explanation
ADINT, or using targeted advertising for information gathering and surveillance, is enabled by the vast amounts of data collected and shared within the online advertising ecosystem. Ad networks and data brokers gather and trade an extensive array of personal information, including demographics, interests, website visits, app usage, purchases, location data, and more. This data allows advertisers to serve highly targeted ads to specific individuals.
The core concept of ADINT is using ad targeting as an oracle to learn sensitive information about targets. By uploading a target's identifier (like an email address) and experimenting with different targeting parameters, an attacker can infer attributes like the target's age, interests, or location, based on which ads get served.
A case study of a demand-side platform (DSP) specializing in mobile advertising demonstrates the real-world feasibility and capabilities of ADINT attacks. By serving ads to real and fake user devices, the researchers found that an attacker could consistently win ad auctions for as little as $0.005 per ad. Attacks included determining a target's home and work locations, identifying sensitive locations they visited even once, enumerating what apps they have installed, and knowing when they use certain apps. The attacker only needed a $1000 initial deposit and the target's mobile advertising ID, which could be obtained by sniffing network traffic, getting the target to click an ad, or other methods.
Surveying 21 DSPs reveals that ADINT capabilities are widespread, with over 80% having a low initial cost barrier of under $2000. Many DSPs offer precise location targeting, interest and demographic targeting based on sensitive categories, and even targeting by personally identifiable information like email addresses. Using active ad content like JavaScript enables attackers to perform additional surveillance through techniques like device fingerprinting and ID exfiltration.
The potential ADINT threat actors are diverse, ranging from burglars and stalkers to journalists, investors and law enforcement. User defenses against ADINT are limited, especially on mobile devices. Some ad networks have instituted minimal self-policing measures, but most have little incentive to restrict their targeting capabilities. Ultimately, regulatory action may be needed to address the privacy implications of ADINT in light of the advertising ecosystem's data collection and sharing practices. However, the current trend is still towards ever more granular targeting and specificity.
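A platform-side check for the oracle pattern described above, written as an added example (not code from the cited research or from any ad network): it flags uploaded audiences too small to hide an individual, and advertisers that sweep many targeting filters against such an audience. The record fields, thresholds and sample campaigns are constructed assumptions.

```python
from collections import defaultdict

# Assumed policy thresholds (hypothetical; a real platform would tune these).
MIN_AUDIENCE_SIZE = 1000  # below this, ad delivery reveals facts about individuals
MAX_VARIANTS = 3          # distinct filter sets tolerated against one small audience

# Constructed sample campaign records; all field names are hypothetical.
CAMPAIGNS = [
    # One uploaded identifier, probed with a different filter each time.
    {"advertiser": "adv-17", "audience_id": "aud-A", "audience_size": 1,
     "filters": {"age": "18-24"}},
    {"advertiser": "adv-17", "audience_id": "aud-A", "audience_size": 1,
     "filters": {"age": "25-34"}},
    {"advertiser": "adv-17", "audience_id": "aud-A", "audience_size": 1,
     "filters": {"age": "35-44"}},
    {"advertiser": "adv-17", "audience_id": "aud-A", "audience_size": 1,
     "filters": {"geo": "grid-0412"}},
    # Ordinary A/B testing against a large audience.
    {"advertiser": "adv-22", "audience_id": "aud-B", "audience_size": 50000,
     "filters": {"age": "18-24"}},
    {"advertiser": "adv-22", "audience_id": "aud-B", "audience_size": 50000,
     "filters": {"age": "25-34"}},
    # Small audience, single campaign.
    {"advertiser": "adv-30", "audience_id": "aud-C", "audience_size": 40,
     "filters": {"interest": "cycling"}},
]


def find_oracle_probing(campaigns, min_size=MIN_AUDIENCE_SIZE,
                        max_variants=MAX_VARIANTS):
    """Return {(advertiser, audience_id): [reasons]} for suspicious audiences."""
    variants = defaultdict(set)  # distinct filter sets seen per audience
    sizes = {}
    for c in campaigns:
        key = (c["advertiser"], c["audience_id"])
        variants[key].add(tuple(sorted(c["filters"].items())))
        sizes[key] = c["audience_size"]

    findings = {}
    for key, seen in variants.items():
        if sizes[key] >= min_size:
            continue  # large audiences do not isolate one person
        reasons = ["audience_below_minimum"]
        if len(seen) > max_variants:
            # Many filter sets against a tiny audience is the oracle pattern.
            reasons.append("filter_sweep")
        findings[key] = reasons
    return findings
```
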
In summary, ADINT turns the vast surveillance apparatus of the online advertising ecosystem into a tool that individual attackers can exploit to obtain sensitive information about their targets. It is a potent emerging threat that will require concerted efforts across technical, policy and legal domains to mitigate.
### Examples
- [ADINT: Using Targeted Advertising for Personal Surveillance](https://adint.cs.washington.edu/) - research on the use of online advertising to track individuals
- [ADINT: Using Targeted Advertising for Information Gathering (presentation)](http://paulvines.com/vines_ADINT.pdf)