It should come as no surprise to anyone that things you do on your smartphone can be used to track you. Dodgy apps, cookies on websites, even the Wi-Fi connections you use – all of these things can be used by the determined to identify you. But the way you swipe and prod at your handset? Et tu, touchscreen?
According to researchers from CSIRO Data61 in Australia, this is absolutely possible, even if it’s not the easiest way of tracking people.
Related: Internet security
Presenting their research paper at the Privacy Enhancing Technologies Symposium in Barcelona this week, they claimed that “touch gestures contain sufficient information to uniquely identify and track users”.
The paper – somewhat tortuously entitled “Touch and You’re Trapp(ck)ed” – explains how touch-based tracking can be used to identify a person even if they switch devices.
First, the researchers made an Android app based on three open-source games: 2048 (to collect swipes), Lexica (for taps) and Logo Maniac (for keystrokes). It also included a custom-built section for handwriting entry.
The researchers developed an information theoretic method to measure the amount of information leaked by the various prods, pokes and swipes modelled as feature vectors.
Using this method, the team found that writing samples from a touchpad can reveal 73.7% of information, while left swipes offer a surprisingly high 68.6%.
By combining interactions from every kind of input, the researchers reckon they hit 98.5% of the information. This can even be used to identify returning users with an accuracy of over 90%.
“While regular tracking tracks virtual identities such as online profiles, touch-based tracking has the potential to track and identify the actual (physical) person operating the device,” the researchers explain in the paper. “It can distinguish and track multiple users accessing the same device.”
Read more: Best VPN
Although a fiddly and currently theoretical way of snooping, this is one that’s quite hard to prevent. After all, apps need to collect information about gesture input for quality control reasons, and APIs have to cater to this.
It’s not intended to be used for snooping, of course, but at the very least this paper proves that such a nightmare scenario is theoretically possible.
Is this making a big deal out of nothing or a serious threat? Let us know your view on Twitter by messaging @TrustedReviews.