The research team used 10 Moto G Android phones for testing, a mobile banner ad they created, and a website that served as the landing page if someone clicked on the ad. Then they spent the minimum $1,000 deposit to place orders with a so-called demand-side platform—think Facebook, Google AdWords, MediaMath, Centro, Simpli.fi, and others—that allows ad buyers to specify criteria like where their ad appears, for which unique phone identifiers, and in which apps. (They declined to reveal which specific DSP they tested, arguing that nothing about that platform was more intrusive than many others in the industry.)

They then used that DSP to place a geographic grid of location-targeted ad buys around a 3-mile-square section of Seattle, which for their tests they set to appear on the popular ad-supported calling and texting app Talkatone.

Every time a target phone had Talkatone open near one of the coordinates the researchers had set on their grid of ad buys, the ad would appear on it, the researchers would be charged 2 cents, and they'd receive confirmation from the DSP of approximately where, when, and on which phone the ad had been shown. With that method, they they were able to follow their test phones' locations within a range of about 25 feet any time the phone user left an app open in one location for about 4 minutes or opened it twice in the same location during that time span. They registered just a 6-minute delay in the ad network's real-time reporting of the phone's location. Following a human test subject carrying each test phone over seven days, they were able to easily identify the person's home and work address, based on where their target stopped. (See the map above.)

"You’re using whether or not your ad gets served as an oracle to tell you whether or not an event happened: that this particular device was at this location," Vines says. They note that the DSP they used never flagged their behavior as unusual or cut off their account for attempting targeted surveillance.

That tracking method has a couple of serious limitations. The target would have to have a certain app open on their phone at the time they're being tracked, so that the ad can appear. And to track a specific phone, any ad-buying spy would have to know a unique identifier of the target phone, known as a mobile advertising ID, or MAID.

But to get around the first of those limitations, a spy could buy ads against a range of popular apps in the hope that one of them would show the ad. And for the second, the researchers suggest a variety of ways to obtain that MAID, including placing an "active-content" ad that uses javascript to pull the MAID from a phone at a certain location, then use that identifier to continue to track the phone with normal ads. Perhaps more simply, they point out, MAIDs can also be intercepted by someone on the same Wi-Fi network as the target phone.

"It’s not a particularly high bar to entry for a very, very highly targeted attack," says Adam Lee, a professor at the University of Pittsburgh who reviewed the University of Washington study.

'It’s not a particularly high bar to entry for a very, very highly targeted attack.' Adam Lee, University of Pittsburgh

A domestic abuser could, for instance, obtain a spouse's MAID from their home network, and then use it to closely track him or her by placing ads in apps he or she uses frequently. A person on a laptop at a nearby table at Starbucks could steal your MAID when you connect your phone to Wi-Fi, or a coworker could do the same in the office, and then either could receive periodic pings of your location whenever you see an ad they've placed. Or an ad buyer could use active-content ads to gather the MAIDs of the people at a specific location, like a protest, or users of a potentially sensitive app like gay-dating apps or religious apps—plus other demographics provided by ad networks—and then track those targets' movements. (The researchers found that their DSP did in fact allow them to place location-based ads on the most popular gay-hookup app, Grindr, though they didn't test whether it implemented other protections to prevent continuous location tracking of users. Grindr didn't immediately respond to WIRED's request for comment on the researchers' work.)