Bad password
Examining infosec and our ever-eroding privacy.

Advertising's hottest surveillance software is surprisingly legal

SilverPush knows which ads you see on TV, the web, and much, much more.

Illustration by D. Thomas Magee
Violet Blue | @violetblue | March 25, 2016 5:33 PM

You may have heard that the FTC this week sent out a dozen strongly worded letters to apps using the SilverPush framework. The FTC politely told 12 app developers that they needed to let users know that SilverPush was collecting data and selling it to third parties.

SilverPush responded two days ago by issuing a statement claiming it no longer uses the "Unique Audio Beacons" (UAB), and has "no active partnership with any US-based developers."

Well, if this is true, then perhaps SilverPush should remove UAB as a core product from its website -- and from the heart of its business model, as well.

SilverPush is in a predicament of its own making. That's because, in the interest of serving advertisers, the company has created and implemented spying technology that goes above and beyond most modern surveillance tools.

If you're online and come across a SilverPush advertiser, while the ad drops its tracking cookie on your computer, it also emits an (inaudible) Audio Beacon sound. If your phone or tablet has any app that uses the SilverPush software development kit on it, your device will be "listening" for the advertiser's Audio Beacon. If you're watching TV, commercials from SilverPush's ad partners will also emit their own identifying tones for your devices to hear.

Then, it identifies what ads you're looking at while matching the information with your phone, tablet, and computer, and you as the user. German antivirus security company Avira analyzed the SilverPush tracking code and found an upsetting level of detailed data being collected and sent insecurely back to SilverPush. This included "the exact ID of the device, the Wi-Fi router MAC address, details about the device's operating system, and best of all -- the user's phone number." Because of this, Avira's security software now detects SilverPush as Trojan malware.

Co-founder Mudit Seth told press in 2013 that SilverPush identifies a smartphone device (as in, its user) "through 50 parameters, based on data collected through ad exchanges, app owners and advertisers." So if someone looks at sites that sell plane tickets, later they'll be shown airfare ads on a different device, within a game or on a social network.

With this, the company claims it has the most accurate cross-device tracking tool in the business. The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.

It's like having someone look over your shoulder pretty much all the time, anxiously waiting for you to look at a product so it can tell its advertising clients what you're seeing. SilverPush runs in the background of apps, so you'll never know it's there. Repulsively, it also runs when the apps aren't in use.

All of this information is compiled into a machine-learning-massaged profile of you, along with device information and other details, to create a dossier that SilverPush's parent company SilverEdge tells its advertising clients is both "immediate and accurate."

When the Center for Democracy in Technology (CDT) first raised the alarm about SilverPush last November, the internet reacted by being predictably angry and creeped out. The CDT elaborated on the technology's implications, saying:

"For example, a company could see that a user searched for sexually transmitted disease (STD) symptoms on her personal computer, looked up directions to a Planned Parenthood on her phone, visits a pharmacy, then returned to her apartment... While previously the various components of this journey would be scattered among several services, cross-device tracking allows companies to infer that the user received treatment for an STD. The combination of information across devices not only creates serious privacy concerns, but also allows for companies to make incorrect and possibly harmful assumptions about individuals."

With this in mind, the FTC's letters to developers this week seem tepid. It seems the only thing the FTC might take action on is that SilverPush is doing all of this without a "we collect your information and share it" note to users. This is a surprisingly mild reaction to technology that's so invasive. But that's only the tip of the iceberg here.

Maybe "just the tip" is all the FTC can see (it certainly didn't seem to acknowledge the company's internet ad surveillance practices). When the CDT's letter started making a few headlines last November, SilverPush hustled to pull detailed information about its product off the Internet. A researcher who was examining code in the company's demo apps grabbed screencaps as SilverPush pulled its YouTube channel, all of its Library videos and its "help" page on Google Plus.

The company has given the impression that it's only doing business in India. This was echoed in its statement to press this week, saying that it's not working with US-based devs.

Which is weird, because the company announced its expansion into the US market in 2013, when SilverPush received $1.5 million in seed funding from Dave McClure's 500 Startups and IDG Ventures. That was followed by a couple years of press citing the company as based in San Francisco, plus the company's LinkedIn page saying it's based in SF, the Philippines and Gurgaon.

Making it even more difficult to get clarity on the situation, SilverPush was quoted in the CDT's November letter to the FTC saying, "SilverPush's company policy is to not 'divulge the names of the apps the technology is embedded.'"

Well, that's convenient. Though in the years before that, SilverPush was pretty happy to brag about its clients and connections to press outlets interested in writing about the company.

Two years ago, SilverPush told press that the company "is now serving mobile ads in six countries for 50 global brands, including Google, Dominos, Samsung, Candy Crush, Airtel, P&G, Kabam and Myntra."

In a 2014 feature about its Audio Beacon technology, TechCrunch reported that "some SilverPush advertisers (including Procter & Gamble and messaging app Line) are already using these capabilities, as are 'a few' mobile publishers (mostly game developers). It works on both iOS and Android."

Just one year before that, SilverPush's founder didn't mind naming the ad networks it partnered with. In an interview with Business Standard, Hitesh Chawla rattled off names that included MoPub (acquired by Twitter), and that SilverPush had ad inventory from publishers / app makers Facebook and Angry Birds.

The 2013 article explained that SilverPush bids for this inventory through ad exchanges. "We process a billion ad requests a day for India alone; now, we are starting in the US as well," Chawla said.

So those apps that tell you they need to use your microphone in order to use the app at all, even when you're not sure why? Yeah, those are now an out-of-control problem.

The FTC's letter hinted that SilverPush is naughty to do the spying for companies and data dealers while the apps are off, and that it should really look at the FTC's 2013 Mobile Privacy Disclosures guidelines -- which are sadly only suggestions -- for behaving better toward users.

But what's particularly troubling is that among the many egregious issues here, the only real problem the FTC seems to have with SilverPush is that the apps using it aren't telling users they're being spied on. You know, like when you're required to agree to Terms that make you uncomfortable (or wonder if you're being exploited) in order to use an app. For this, the company could be in violation of section 5 of the FTC Act (Unfair or Deceptive Acts or Practices).

That's right: Apparently if any of these apps would just put a few lines about using your microphones to sell amazingly detailed data about you to third parties somewhere in their 6,000-word terms of use, then it's all greenlit. We reached out to the FTC to help clarify the issue and what action it planned to take, but so far we haven't heard back.

And here's our problem of the ages: Intimate and individual privacy violations at scale, agreements we don't understand, an "Agree to Our Terms" that mistakes compliance for informed consent, all enacted by companies doing everything possible that's technically not illegal.

Meanwhile, our shadow profiles -- our doppelgangers in the clouds, who invisibly bleed out our secrets and personal moments for pennies on the dollar -- only grow more monstrous with the privacy they take.
