We've learned to be highly suspicious that the GPS, camera and microphone in our smartphones can be used to track our every move, listen in to our conversations and watch our most intimate moments. But what about the act of tapping and swiping our screens? Can that be used by a bad actor? Researchers from CSIRO's Data61 have found just that.
Touch-based tracking, as it's been dubbed by the researchers, was used to identify individual users who shared a single device. Using an app they created, called TouchTrack, the researchers were able to capture and use gesture data by quantifying and measuring the information carried by touch-based gestures. The researchers "argue and verify that touch gestures constitute a privacy threat as they enable a new form of tracking of individuals".
The researchers worked with a relatively small set of just 89 users to test their hypothesis and software. They found:
- Writing samples (on a touch pad) can reveal 73.7% of information (when measured in bits)
- Left swipes can reveal up to 68.6% of information
- Combining different gestures results in higher uniqueness, with the combination of keystrokes, swipes and writing revealing up to 98.5% of information about users.
The researchers could correctly re-identify returning users with a success rate of more than 90%. It didn't matter if the users were sitting, standing, or walking. The results showed high levels of uniqueness and accurate re-identification of returning users.
The Android-based TouchTrack app created by the researchers leveraged three open source games. 2048 was used to capture and analyse swipes, Lexica was used for taps and Logo Maniac was used for keystrokes. They developed a bespoke app for handwriting. The idea was that the gestures used by the test subjects would be natural, rather than the contrived gestures a more sterile environment would produce. The researchers did not collect actual names or other personally identifiable information in their study.
Although the researchers said they needed multiple samples of gestures to reveal accurate information about a user, they noted that swipes and handwriting were more useful than taps and keystrokes for identifying users. This is because swipes and handwriting offer richer information for their models to use, whereas taps and keystrokes are simpler gestures.
Even though they weren't able to get 100% accuracy in identifying users, they noted that advertisers would likely be satisfied with lower accuracy when targeting ads and special offers.
However, it's not all bad news. The researchers said that identification of multiple users using the same device may help in providing content more suitable for each of them. For example, when the device detects that a child is using their parent’s smartphone, it could automatically enable parental controls. They also noted the commercial benefits where user-specific discounts and sales on the products of interest could be offered.
Earlier this year, Facebook's Mark Zuckerberg was forced to testify to the US Congress that his company wasn't secretly using microphones to pick up conversations in order to target ads. And the Cambridge Analytica scandal put data collection and access well and truly in the spotlight.
Earlier this week, researchers from Guardian App found a number of iOS apps collect location data, with users' permission, but then share it, without permission.