When AC/DC penned Touch too Much in 1979 they didn’t realise that this iconic song could later relate to one of the most significant invasions of privacy since the internet took off.
According to Hassan Jameel Asghar and Mohamed Ali Kaafar from CSIRO’s Data61, it appears touch can be used to identify who you are across multiple touch devices. The bottom line is that every move you make, touch-wise helps to identify you.
The two Data61 authors presented a paper to Privacy Enhancing Technologies Symposium (PETS) in Barcelona last week.
It reveals that smartphone/tablet/screen applications can continuously and surreptitiously track and distinguish users. Purely based on how users interact with their handsets. This includes tapping to swiping and zooming.
What’s worse, these behavioural features do not need special app permissions. Developers and companies can then use the information to track individuals and their behaviours with impunity.
Now, this is all theory at present – there is no evidence of use or abuse. Or is there?
They found that
- Writing samples can reveal 73.7% of the identification information about who you are.
- Left swipes can reveal up to 68.6% of .information.
- Combining different combinations of gestures results in higher uniqueness. A combination of keystrokes, swipes and writing reveals up to 98.5% of information.
- This correctly re-identifies returning users with a success rate of more than 90%.
Add to that the data already known about the smart devices owner, location and usage patterns. Developers can track you well beyond what cookies, password logins, and other tracking mechanisms can do.
The authors worry that touch based tracking is wide open to abuse
- While regular tracking tracks virtual identities such as online profiles, touch-based tracking has the potential to track and identify the actual (physical) person operating the device. It can distinguish and track multiple users accessing the same device.
- Touch-based tracking possesses the capability to continuously track users.
- Third, it also leads to cross-device tracking. Multiple mobile devices can track the same user. It introduces additional privacy and security risks.
The worst scenario occurs where user data is sent to advertising companies and third-parties. It can build profiles of user activities on smartphones, tablets, smartwatches and various IoT devices.
GadgetGuy’s take. Hands off, don’t touch my tin-foil hat!
The authors cannot identify examples of misuse, but that does not mean it is not happening. Thanks, guys for putting it out there!
We all know hinformation is the currency of Facebook, Google, Apple. Microsoft et al. This adds another spooky layer. Already apps can gauge how long you look at a screen if something interest you or you leave the screen.
And we thought voice tracking was intrusive.
