As if you aren’t already spied on everywhere you go, as if your purchases aren’t cataloged and your metadata a government smorgasbord, now the ads spy on you too—literally, through inaudible sounds embedded in them. From Ars Technica:

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

What does this mean? It means that the crazy guy you know at work who talks about how “They” are tracking him through all his devices is not nearly as crazy as you may have thought. Bruce Schneier offered his own analysis:

Surveillance is the business model of the Internet, and the more these companies know about the intimate details of your life, the more they can profit from it. Already there are dozens of companies that secretly spy on you as you browse the Internet, connecting your behavior on different sites and using that information to target advertisements. You know it when you search for something like a Hawaiian vacation, and ads for similar vacations follow you around the Internet for weeks. Companies like Google and Facebook make an enormous profit connecting the things you write about and are interested in with companies trying to sell you things.

Now that has been taken even further, in the form of cross-device tracking, or CDT. Here’s the breakdown of how one of the worst companies does their thing. Oh, and by the way…you can’t opt out of it. You’re stuck with the intrusion.

The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual.

The fact that ads spy on you should bother you. These companies are literally using your own gadgets against you, and going to great lengths to hide what they do and how they do it.  It should drive you to research, to seek out training and learn as much as you can. Simply complaining about it isn’t enough.

You can start with some of the upcoming classes we’ll be announcing this week. In addition, we’ll be holding another Cryptoparty this spring. In the meantime, start getting serious about your privacy, if you haven’t already.

Educate. Empower. Resist.

Clef two-factor authentication