By Yael Grauer via Medium –  Let’s put something to rest: Facebook isn’t spying through your phone’s microphone to serve you ads for sweatshirts and seltzer water. It probably couldn’t even if it wanted to. But if the social network isn’t listening to you, that doesn’t mean the rest of the world isn’t watching.

Advertisements in the real world are becoming more technologically sophisticated, integrating facial recognition, location data, artificial intelligence, and other powerful tools that are more commonly associated with your mobile phone. Welcome to the new age of digital marketing.

During this year’s Fashion Week in New York, a digital billboard ad for New Balance used A.I. technology to detect and highlight pedestrians wearing “exceptional” outfits. A billboard advertisement for the Chevy Malibu recently targeted drivers on Interstate 88 in Chicago by identifying the brand of vehicle they were driving, then serving ads touting its own features in comparison. And Bidooh, a Manchester-based startup that admits it was inspired by Minority Report, is using facial recognition to serve ads through its billboards in the U.K. and other parts of Europe as well as South Korea. According to its website, Bidooh allows advertisers to target people based on criteria like age, gender, ethnicity, hair color, clothing color, height, body shape, perceived emotion, and the presence of glasses, sunglasses, beards, or mustaches.

We’ve been on the path here since at least a decade ago when the New York Times reported that some digital billboards were equipped with small cameras that could analyze a pedestrian’s facial features to serve targeted ads based on gender and approximate age. Things have progressed as you’d expect: In 2016, another Times report described how Clear Channel Outdoor Americas had partnered with companies including AT&T to track people via their mobile phones. The ads could determine the gender and average age of people passing different billboards and determine whether they visited a store after seeing an ad.

Clear Channel Outdoors says its partnership with AT&T has ended, but it’s now teaming up with Ubimo and Cuebiq, business intelligence firms, to help advertisers map billboards against audience behaviors, demographics, and location to reach consumers more effectively — and to see how well a given campaign performed. Think of it as a tracking cookie in real life.

Companies like Ubimo and Cuebiq often insist that the data they use to help their clients is anonymous and aggregated and that they are only sharing reports to help companies determine which billboard locations are most effective. In some cases, that may be true. But these firms admit that they do, in fact, collect mobile advertising IDs that can help identify individual people. Your phone has one of these numbers, which facilitates ad targeting according to your behavior. Though many don’t know about mobile advertising IDs, you can reset or even disable yours on iOS and Android, which may result in random, less-relevant ads being served to you.

Mobile advertising IDs aren’t exactly anonymous. “Only a few data points are necessary to identify individuals. Our activity in our social life and where we were are at least as identifiable as a name,” said Sean O’Brien, lead researcher at Yale Privacy Lab, a program within the university’s law school.

Though a mobile ID might be “anonymous,” an advertiser could combine that data with additional information obtained elsewhere to profile individuals, effectively marrying online shopping profiles with brick-and-mortar retail to see if someone visited a store after seeing an ad.

Some ad tech firms, like Cuebiq, say they don’t share location data with their clients and that there would be no reason for advertisers to pinpoint individual users with their mobile ad IDs. But privacy advocates are suspicious of these claims because correlating data could be useful to advertisers in targeting potential customers.

“There’s a whole industry behind linking brick-and-mortar and physical-world information with network information in real time,” said David Carroll, associate professor of media design at the Parsons School of Design. “Advertisers are going to take any available window of technology that they can find to figure out a way to track you with it, and if they can make that data actionable and worth money, they’re going to do it.”

In addition to triangulating location data and how long people might be looking at a billboard, advertisers have used data gathered by third-party tracking companies to target specific segments of customers. Some companies, like REI, have even uploaded their own customer information through data management companies. This allows them to get more information on current customers, like what locations they frequent and how often they walk into local stores.

While advertisers find this information valuable for knowing the best billboard locations or which demographics to target, privacy advocates point out that people often aren’t even aware that their location and behavior is being tracked. Some users may not know how to opt out, and in some cases, opt-out options are insufficient. Additionally, companies often combine mobile device tracking data with the online behavior of consumers for detailed dossiers on those individuals.

“As with past trackers on mobile apps, users don’t know who they’re giving their data to or what that data is,” said O’Brien.

And so the future of billboard ad targeting is likely to look much like present-day digital ad targeting: people being hit with uncannily accurate advertisements and not knowing exactly where the information came from, let alone how to or whether they even can opt out.

This confusion understandably drives conspiracy theories. For example, that rumor about Facebook eavesdropping on conversations has persisted for years, even though it’s not based in fact.

“We all have gone on social media profiles and felt that the advertising that appeared was very spot-on,” said Elleen Pann, whose research showed how Android apps, while in use, were recording what was happening on phone screens and sending that information over the internet without a user’s permission.

“For our research specifically, we didn’t find evidence that phones were listening to you per se, but there are a lot of ways that we’re being tracked on the web that we may not think about that aren’t specifically turning on the mic and listening,” she said.

Social media companies, much like data brokers, can collect browsing habits and create dossiers on individuals based on what they interact with online. These efforts are often geared toward serving “digital doppelgangers.” Companies will target people with consumer profiles (in terms of interests, attributes, age, income, marital status, etc.) that match previous customers. In other words, the more data a company has, the more effective its marketing becomes. It is likely that this type of targeting will move offline and to billboards — if it hasn’t already.

Location data companies such as Ubimo and Cuebiq say that users can simply change their privacy settings to limit ad tracking. On iOS devices, “limit ad tracking” is defined as opting out of ads targeted to one’s interests. “In Android, that only means you can’t display targeted ads in-app,” said O’Brien. “It doesn’t do anything to turn off server-side interaction, with data being sent to a data broker.”

And, again, privacy advocates are suspicious of claims that data is gathered in privacy-compliant ways with clear opt-outs.

“I have no idea why they would claim such a thing when they’re basically gathering data from data brokers who are gathering information from the mobile trackers, which, as we know, don’t ask for any consent from the user,” O’Brien said. “To me, that’s a huge red flag.”

A year ago, researchers at Exodus Privacy identified dozens of trackers on smartphone apps that had collected massive amounts of information to better target advertising. Yale Privacy Lab replicated many of Exodus Privacy’s findings. Among the app researchers identified as having Cuebiq’s code signature was iHeartRadio, which is owned by Clear Channel.

The iHeartRadio app isn’t the only one to include Cuebiq’s code, though it’s one of the most popular, with over 50 million downloads from Google Play alone. Because iHeartRadio contains code from Cuebiq’s software development kit (SDK), Cuebiq may be able to harvest user analytics, behavior, location, and other identifying information, which it could then resell to a partner.

“The dirty work of crunching and providing the analytics is done by other companies they partner with, like Ubimo and Cuebiq. However, the iHeartRadio app, developed by another part of the same corporation, contains some of the same mobile app trackers these data launderers rely upon as a data source,” said O’Brien.

Although a Cuebiq spokesman said the company does not comment on specific client relationships — and iHeartRadio did not respond to a request for comment — he pointed out that Exodus Privacy may be incorrect since it includes a list of apps the company has not worked with or that are no longer available to download.

The spokesman also pointed out that it’s not possible to prove whether the data is being transmitted to the company’s servers, though he did not deny it’s possible. Even if the SDK isn’t being used to gather information right now, it could be in the future.

“An application could embed an SDK which is not used for the moment, but can be activated in [an update],” an Exodus spokesperson said. “Exodus Privacy considers that if a piece of code is present in an application, then either it was used or is used or will be used.”

This lack of transparency from ad tech companies, advertisers, and social media platforms is the very reason users end up believing that social media companies are listening in on their phone calls.

“Everything that the technology industry has told us about privacy and security has turned out to be bullshit,” said Bob Hoffman, author of Laughing@Advertising and BadMen: How Advertising Went from a Minor Annoyance to a Major Menace. “Everything they’ve told us in the fullness of time has turned out to be wrong. People are very suspicious of them, and I think rightfully so. After a while, it becomes hard to believe anything these people tell us.”

Although General Data Protection Regulation (GDPR) could have a global effect on privacy laws and the Cambridge Analytica litigation may being more shady practices to light, it’s possible that ad tech could get even creepier.

“Advertising used to be about imparting information, and it’s more and more now about collecting information,” Hoffman said. “I think most people aren’t aware of how dangerous it is for marketers to have so much information about us that they obtain without our permission and without our informed consent.”