There is a new story to add to the list of horrors of Surveillance Capitalism: the United States’ Military is purchasing tracking and location data from companies that track many millions of people. We believe the best solution starts with making people aware of the problem, with tools like Exodus Privacy. Then they must have real options for stepping out of “big tech”, where tracking dominates. F-Droid provides Android apps that are reviewed for tracking and other “anti-features”, and F-Droid is built into mobile platforms like CalyxOS that are free of proprietary, big tech software.
Right now, the most effective method for automatically analyzing
Android APK files is to search for well known strings in the extracted
contents of the APK. Domain names are one example, like if an app is
sending data to google-analytics.com or facebook.com, then it is
clear that it is doing some kind of tracking. These lists of well
known strings must be created and managed by people, then gathered and
reviewed. Exodus Privacy created
their Exodus Tracker Investigation Platform
(ETIP) for exactly this purpose. Yale Privacy Lab, jawz101, Guardian Project, F-Droid, and others have centralized their efforts on εxodus ETIP as the canonical database for these strings.
Searching the open web for key bits of info
Since tracking is mostly done by companies trying to get customers, they advertise and document their services on the web. We spent some time searching for that information to see what we could find. We mostly searched using two bits of information: the API Key Identifiers that we extracted and “top 10” lists of companies that provide tracking and related services. From this, we added over 50 new service profiles to the εxodus ETIP database. We also added upwards of 100 pieces of additional information to existing entries like SDK identity strings, links to documentation, privacy policies, and information on the company’s tracking methods.
From that research, we saved some choice promises from selected tracking companies:
- “Glassbox offers customer experience analytics solutions that doesn’t just tell you what a customer is doing. It tells you why.”
- “Target traffic from all sources, including the 50% from the hidden web where third-party cookies are blocked, to increase targetable inventory.”
- “Collect customer and product data in real time, from anywhere”
- “PlaytestCloud will capture the whole gameplay experience, turning you into a spectator with super powers.”
- “We record the players’ screen, their touches and what they have to say at all times.”
- “We curate geospatial ground truth data sets on a global scale”
- “Take segmentation and analysis from overnight to real-time. Our DMP works in-session for perfect match rates even on passerby traffic.”
Crowdsourcing the hunt for trackers
Tracking the trackers is the kind of work that fits in very well with crowdsourcing. Tracking companies are disappearing and renaming themselves all the time, in order to avoid too much scrutiny. But they still must reach out to developers in order to find customers. That means we can find them. Join in the search! Non-technical people can also contribute, for example, when you read news about a tracking company, search to see if it is already in ETIP. If not, file an issue to request it is added. Android developers with little bits of spare time can add code signatures, domain names, and other key technical details to ETIP. Or even code up quick scripts with new ideas for detecting tracking.
There are a number of forums where you can ask for assistance in getting started. Hope to hear from you soon!
(This work was supported by NLnet’s NGI Zero PET fund.)