ISP Privacy Lab Publishes Research on Hidden Trackers


On November 24, 2017, Privacy Lab, an initiative of the Information Society Project at Yale Law School, published details from its research into 25 trackers hidden inside popular Google Play apps such as Uber, Tinder, Skype, Twitter, Spotify, and Snapchat. Publication of this information reveals clandestine surveillance software that is unknown to Android users at the time of app installation, according to the research. These trackers vary in their features and purpose, but are primarily utilized for targeted advertising, behavioral analytics, and location tracking, according to the Privacy Lab.

The Privacy Lab investigation was spearheaded by Sean O’Brien and Michael Kwet, both visiting fellows at the Information Society Project. O’Brien and Kwet provided forensic analysis of app software in conjunction with the tools developed by Exodus Privacy, a non-profit organization in France. They also provided detailed reports on the most popular app trackers identified by Exodus. These reports reveal the interconnections and surveillance practices occurring in the background of many popular apps.

“Exodus initiated a daring attempt to catalog these trackers, and this is just the first step in analyzing a worldwide market of approximately 3.3 million apps from a privacy and security perspective,” said Privacy Lab researcher Sean O’Brien.

“The existence of trackers in app software is a grave threat to privacy,” said Privacy Lab researcher Michael Kwet. “There has been almost no transparency to the public.”

The 25 trackers are a sample of the 44 identified to date by security researchers at Exodus Privacy. Privacy Lab’s investigation into app trackers explores an extensive data mining market buried within the mobile app ecosystem. The research suggests that trackers enable the physical surveillance needed to merge the online and offline worlds of targeted advertising. Trackers also help marketers identify individuals across devices in order to build persistent profiles despite the use of separate devices.

Privacy Lab found that marketers are increasing the scope of their real-world surveillance through precise location tracking in physical space. Companies are making use of WiFi, Bluetooth, and in some instances, ultrasonic sound inaudible to the human ear, in order to track users’ geolocations in real time. Major players like Google and Oath now offer services to track in-store behavior, while smaller players like Fidzup have developed cutting-edge technologies for WiFi and ultrasonic solutions, according to the data.

This investigation revealed that Google, in its role as steward of the Google Play app store, has permitted the distribution of clandestine tracking software to Android users. Google offers its own DoubleClick and Crashlytics trackers for mobile apps, the two most popular trackers analyzed by Exodus Privacy and Privacy Lab. Many of these trackers are also available in the Apple iOS app store, though technical and legal barriers limit privacy and security analysis.

Exodus’ web-based privacy auditing platform analyzes apps available via Google Play. Exodus scans apps for the signatures of known trackers and identifies Android operating system permissions. To coincide with Privacy Lab’s publication, the Exodus organization has made its app auditing platform available to the public and is releasing the code as Free and Open-Source Software.

“Privacy Lab is calling upon the developers of mobile apps as well as Google, the distributor of these apps and steward of Google Play, for increased transparency into privacy and security practice as it relates to these trackers,” said O’Brien. “Privacy Lab recommends Free and Open-Source Software F-Droid as an alternative to Google Play, due to its trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code.”

The Information Society Project (ISP) is an intellectual center at Yale Law School. It supports a community of interdisciplinary scholars who explore issues at the intersection of law, technology, and society.