Cross-device Tracking (XDT) is currently the Holy Grail for marketers, allowing them to track a user’s activities across different devices to provide more targeted content. Unfortunately, XDT comes with numerous security and privacy shortcomings which have been widely neglected by advertisers. More specifically, the XDT ecosystem is usually treated as a walled garden, where it is assumed that only benign actors are participating. Additionally, in most cases users participate inadvertently, without any clearly usable option to opt out. One prime example is XDT based on ultrasounds, where, unbeknownst to the user, inaudible beacons are used to link her across her devices. Existing tools (e.g., Adblock Plus, AdAway, Ghostery) are aimed at blacklisting all traffic from advertising companies. However, to mitigate the negative effects of XDT, the user needs to install a different application on each of her devices and, in many cases, go through a technically challenging process (e.g., Android OS rooting). Moreover, some of these applications maintain whitelists with opaque entry procedures.
We argue that blacklisting is not a sustainable security practice, and instead we focus on tools that give end-users full control over their personal data, their profile, and their participation in the XDT ecosystem. Such an approach will protect the user, raise awareness, and promote the use of privacy-preserving practices in the advertising industry. Towards this goal, we will first develop a testbed to study the most commonly used cross-device tracking techniques in practice. We will leverage our existing work on cross-device tracking using ultrasounds and extend our current testbed to support multiple XDT techniques. Surprisingly, no systematic analysis of the techniques used in the wild has been conducted until now, and there is very little understanding of the complex device linking methods used by advertisers. Subsequently, based on our findings, we will design and develop a set of tools that will regulate the flow of personal data and the XDT process. These tools will identify interesting portions of source code in websites and applications (e.g., Windows binaries, Android apps), and either automatically monitor and filter the flow of personal data or, in the case of compiled binaries, notify the user and highlight areas of interest for a human analyst to study.