An Israeli surveillance firm called ‘Bsightful’ is reportedly engaging in smartphone user tracking by deploying a novel and pretty clever way to do it through the delivery of ads. As Forbes explains in an exclusive report, Bsightful is backed by ‘Verint’ and ‘Rayzone,’ two industry giants who have been connected with mass surveillance operations in the past. The trick is to exploit the mobile advertising ecosystem by running the “Demand Side Platform” (DSP) to figure out where a subscriber's number (SIM) is. This gives them an accuracy within a single meter, even if it comes with a time delay.
To put this simply, DSP is a system fed with location data from app developers and is meant to help advertisers push their marketing campaigns to the right audience. For example, a coffeehouse based in Quebec doesn’t have any reason to pay for advertising on people's devices in Reykjavik, and DSP is there to filter out irrelevant targets.
Bsightful uses a simple yet clever way to abuse this system by creating shell DSPs to accept the location data from app developers. They collect that otherwise freely available information, categorize it, and then sell it to governments, law enforcement agencies, or even private organizations. While the location data derived through this method isn’t as accurate as other tracking methods, it would still be useful in a range of ways and scenarios. Respectively, it still constitutes a case of blatant privacy breach for the users.
The anonymous sources that talked to Forbes about this claim that Bsightful isn’t the only company involved in this secretive business. This means the DSP system has been under abuse for an unknown period of time already, and by multiple firms, something that digital rights activists have been suspecting and warning about since years ago. The risk was easily identifiable, so it should have been plugged already, but those responsible for dealing with it were on the same side that benefited from this “silent” data collection system.
The only way for the users to protect themselves from this tracking is to either use a phone number that hasn’t been connected with their real identity or to block all ads on the phone. Most apps that want to serve ads ask the user to allow the inclusion of phone and user information for targeted advertising, so setting this to "disabled" should be enough to prevent DSP tricks against you.