How you swipe or touch your phone's screen could make you identifiable and trackable to companies, researchers from CSIRO's Data61 have discovered.
Most people know they can be tracked by internet ads and cookies — but CSIRO researchers found that apps can collect enough information on how a person gestures, swipes, and taps on their smartphone to track them no matter what screen they're touching.
To test this out, the researchers built an Android app with four games in it: 2048, Lexica, and Logo Maniac, and an app for handwriting to capture swipes, taps, and keystrokes.
They then got 89 people to use this app and captured 40,600 gestures. Using information from all of the gestures, the researchers were able to correctly identify users.
Dali Kaafar, who is the chief scientist at Optus Macquarie University Cyber Security Hub and group leader for information security and privacy at CSIRO Data61, told BuzzFeed News that the app measured the acceleration, the velocity of the swipes, the tap pressure, and the way people write characters, and used all that information to identify people.
Kaafar said that by collecting and processing this information, the researchers were able to identify and track individual users purely based on how they used their phones.
He said the data could be used to identify people quickly on multiple devices.
"If you have a phone at home, and a phone you use at work, it is quite trivial to identify that behind these two screens sits the same person, the same individual," he said.
Whereas most tracking nowadays is via email accounts, logins on certain pages, or cookies that track what a device is doing, Kaafar said that this sort of tracking would allow companies to track a person.
"With touch-based tracking, it's really about tracking the physical person, and individuals."
Kaafar said that the scariest part was that apps did not have to seek permission to track this sort of information.
"All of this information is accessible without even asking for permissions," he said. "On both Android and iPhone, by the way. The information is there and it can be used by the apps. The system doesn't have proper permissions that would be required for [other information]."
Kaafar said that was probably because the information is viewed as harmless, but also potentially because apps need that information for user interaction optimisation, such as figuring out how users actually use the apps.
There were good applications of the capability, he said, such as locking down devices for people who don't have permission to access them, and allowing for better customisation of some apps like Netflix.
Josh Taylor is a Senior Reporter for BuzzFeed News and is based in Sydney.