Skip Navigation

Cross-Device Tracking

Cross-device tracking (XDT) consists of a set of techniques to associate different devices with the same user. By recognizing that several devices are used by the same person, XDT offers advertising companies (and others) the ability to link together otherwise separate tracking profiles, creating a robust profile of a person. This type of tracking is of increasing concern as more and more devices gain “smart” or “connected” capabilities, providing a larger attack surface against an individual user.

Page Contents

Video Lecture


Watch at Internet Archive

Tracking Phones

Although most of the research to date focuses on mobile devices (cell phones, in particular), the problems with cross-device tracking extend to other devices as well. In particular, so-called “smart” televisions have the ability to run arbitrary code, much of which includes tracking technology that is designed to measure user engagement and the delivery of ads. With the development of clandestine mechanisms for making devices communicate with one another, the television can also output signals that are picked up by applications running on a smartphone. As of 2022, the state of the art still appears to involve the phone in some way, as cell phones are ubiquitous, and people willingly install random applications on them without understanding the privacy implications of code contained within those applications.

Device Advertising Identifiers

While ad companies have had to develop fingerprinting techniques for desktop browsers, the mobile space has been much simpler. Both Apple and Google provide unique advertising identifiers that are transmitted by the browser when using a mobile device to surf the Internet. In Apple’s case, the unique identifier is called the Identifier for Advertisers (IFA or IFAD).1 On Android devices with Google Play services, this identifier is known as the Advertising ID.2

On both platforms, it is possible to restrict or reset the advertising identifier. However, the default settings (which many people do not change) enable the identifier, which is frequently never reset for the life of the device. Since both Android and iOS devices require the user to log into a cloud-based account as part of the device setup procedure, and the browsers on the devices tend to be logged into the respective company’s services automatically as a result, it isn’t much of a stretch to see that the advertising ID can be linked to a specific person. Whether or not Apple or Google attempt to make such an association is another story, which is probably detailed in the respective privacy policies of those companies, either of which is subject to change at any time for any reason.

In 2017, researchers at the University of Washington discovered that it is possible to track a person in an urban area with a precision of about 8 meters, using only targeted advertising.3 Only the mobile advertising identifier is required for this purpose. In this particular study, the advertising identifier was obtainable either by eavesdropping on communications with an insecure wireless access point or by infiltrating a home router. (The latter attack vector is quite plausible when intentionally targeting an individual, since many people do not change the default passwords on their routers.)

Therefore, it is highly likely that companies are able to make associations between the advertising identifier and the human user, even if companies try not to disclose that fact. As I discussed previously in browser fingerprinting, it is possible to associate a fingerprint with a person if they log into a site with the same uniquely identifiable browser. To make a cross-device association, all that remains is to link the advertising identifier transmitted from the mobile device with the browser fingerprint of the desktop device. This is easy to do if the user is logged into a service on both devices. It is also easy to do if the user of the mobile device installs applications that can communicate using covert side channels.

Ultrasonic Sounds

One covert side channel for XDT is for devices to communicate using ultrasonic sounds that are above the range of human hearing. Microphone-equipped devices within range of the sound can then recognize the signal. This approach has been implemented by SilverPush Pte Ltd, a Singapore-based advertising technology company.4 In the SilverPush implementation, ultrasonic beacons are embedded in advertising content. Devices with microphone support can recognize ads containing the beacons, and the beacons are sufficiently targeted to identify individual users across devices.5 In 2017, 234 unique Android applications were found to be using the ultrasonic cross-device tracking (uXDT) technologies from SilverPush and other companies.6

References and Further Reading

  1. Jim Edwards. “Apple Has Quietly Started Tracking iPhone Users Again, And It’s Tricky To Opt Out.” Business Insider. October 11, 2012. 

  2. Jim Edwards. “Google’s New ‘Advertising ID’ Is Now Live And Tracking Android Phones – This Is What It Looks Like.” Business Insider. January 27, 2014. 

  3. University of Washington. “For $1000, anyone can purchase online ads to track your location and app use.” ScienceDaily. October 18, 2017. 

  4. Dan Goodin. “Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC.” Ars Technica. November 13, 2015. 

  5. Bill Budington. “Panopticlick: Fingerprinting Your Web Browser.” USENIX Association: Enigma Conference, San Francisco, CA, January 26, 2016. Presentation 

  6. Catalin Cimpanu. “234 Android Applications Are Currently Using Ultrasonic Beacons to Track Users.” Bleeping Computer. May 4, 2017. 

Fingerprinting

Online Tracking
Telemetry
Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.