Republican campaign put beacons on lawn signs to track phones, company says

Chances are you’ve seen lawn signs in your neighborhood before an election. But you probably never imagined they could track you. 

A Republican presidential primary candidate attached devices known as beacons to campaign lawn signs in 2016 to track the phones of people who passed by, according to a company that sells them. 

The company, Beaconstac, which counts tech giants like Google among its customers, wouldn’t divulge which campaigns it worked with. But it’s not hard to see why a campaign would want to use the small, wireless devices, which use Bluetooth to ping nearby smartphones to collect data and trigger notifications. Spread by eager supporters, they’re capable of precisely targeting likely voters in key districts, encouraging them in text messages to get to the polls.

Spread by eager supporters, they’re capable of precisely targeting likely voters in key districts

And it’s something that could be used again this election season. Last month, Mashable to President Donald Trump’s website. Its terms and services added language that allow his 2020 campaign to collect information from smartphones using beacons.  

“Political campaigns stand to gain a lot from leveraging beacons,” a Beaconstac spokesperson said, who claimed the devices have also been used in elections in Nigeria and India.  

Location-based marketing tools aren’t completely new in politics. In 2016, Snapchat’s geofilters, which let voters add graphics to their photos at campaign events, became very popular among candidates. And Trump’s former campaign manager Steve Bannon said he and CatholicVote used GPS-based geofencing to target people who visited Catholic churches in Dubuque, Iowa.

Image: John Minchillo/AP/Shutterstock

“Beacons can get within a few inches of accuracy, with GPS it’s usually within a few feet or a few yards,” EFF staff technologist Bennett Cyphers told Mashable. “A beacon could let a campaign know that this person is standing in this corner on this floor of this building, whereas GPS would just tell you that they’re probably around this building.”

Not only do beacons provide very precise location data, they’re also inexpensive. Beacons can be purchased in bulk for less than $20 a piece, according to Beaconstac’s website. The cost of the company’s cloud-based marketing platform, which manages the devices, starts at around $80 a month. 

Privacy concerns

Back in 2016, when a Republican candidate was reportedly using these beacons, smartphone owners with certain devices — including Android phones and tablets — could receive messages without giving their explicit consent and without installing an app.

Beaconstac, an industry leader that helped Google install 2,000 beacons in India for its free WiFi project, said its devices “do not collect or store any personally identifiable information.” It also said that beacons “can only deliver notifications if the end-user has a beacon-aware app and has their Bluetooth and Location services enabled.”

However, this wasn’t always the case. Apple always required users to download an app to receive beacon notifications. But, once a user installed an app, the device became fair game to beacons. Last month, with the release of iOS 13, Apple finally changed this. An app now requires a user’s explicit permission to access the device’s Bluetooth. Before this, beacons could ping a user’s iPhone even if a user blocked the app from accessing the device’s location data. 

Google, on the other hand, let companies ping Android users over beacons up until Dec. 6 of last year – no app required. That “open beacon format” came under criticism when it was revealed that it was recording audio from phones in order to transmit data. Users also complained of being bombarded by spam notifications.

Beaconstac said it’s now “impossible” to receive a beacon notification without giving permission to an app first. If users don’t want to receive notifications, they can just turn off Bluetooth and location services, or uninstall the app. 

Cyphers from the EFF concurred that phone manufacturers have cracked down on the more invasive practices, like pushing notifications to a user through a beacon with no previous interaction, but points out this wasn’t the case in 2016.

“You phone is constantly sending out little ping requests because it’s always looking for WiFi hotspots,” said Cyphers. “Bluetooth beacons can listen for radio waves over the air and pick up these ping requests just kind of passively.”

“You can setup a beacon, just have it listen for every phone that goes by, and you can collect what’s called MAC addresses from those phones,” he continued. “If you can link a MAC address to a real identity, then you can gather data about where people are going without them ever installing any kind of apps or ever having any kind of interaction with you.”

Smartphone owners complained on Reddit as recently as that measures to avoid beacons from tracking their phones, such as Bluetooth, proved unsuccessful.

Combined with third-party tools, beacons could provide a wealth of additional user information to a campaign. 

“You can pull a lot of information off of a device with Bluetooth,” Jennifer Granick, surveillance and cybersecurity counsel at the ACLU Speech, Privacy, and Technology Project told Mashable over the phone. “There are a lot of identifiers on phones and ultimately you can aggregate and find out who people are and other details about their lives. The potential for privacy invasion is really big there.”

For example, Beaconstac confirmed that users “interacting with beacon campaigns” through the notifications on their phones can be identified and retargeted on Google and Facebook. This sort of location-based microtargeting on Facebook was to Trump’s electoral victory.

“It’s really easy to tell, just given a few hours of data or a few data points, exactly who a person is.”

“If you have data about where someone’s going, you know where they live, you know where they work, you know what their habits are, you know the unique identifier for their device,” Cyphers told Mashable. “There are data marketplaces where with an unique ID for a certain device, you can buy information about who that person actually is — their email, their real name, address, all that stuff.” 

“Even if they don’t have anything except for the location data, research shows that people’s location histories are incredibly unique,” he continued. “It’s really easy to tell, just given a few hours of data or a few data points, exactly who a person is.”

There’s another major issue on the horizon. You don’t need to physically touch a beacon to alter its campaign. You can do that remotely via the cloud. That means a beacon deployed for one purpose can later be used for another. 

It’s not too hard to imagine a future where a user consents to being sent supermarket coupons, only to find the account has been rented out to send you “reelect Trump” messages.