Your phone is like your best friend. It holds all of your secrets, and there's a bond of trust—at least, you hope that there is. Advertisers may already be exploiting this trust and turning your phone against you, by using its tiny quirks to track you across the web.
Because people are becoming savvy to advertisers' bag of tricks, the usual methods of following folks around online just aren't paying off like they used to. Now and in the future, advertisers may track you with "fingerprinting"—identifying a particular device by, say, tracking its screen dimensions and plugins, alongside lots of other personalized information which is then communicated and collected through a browser before being sent to advertisers.
Recent research has pointed to a method of device fingerprinting that uses the miniscule, unique imperfections in each phone's accelerometer and gyroscope—basically, its hardware—to create a profile of that phone that can be used to track its user's activities across the web, without her knowledge. Unlike location data, most sites don't ask for permission to access a phone's motion sensors.
But this was mostly theoretical, until now.
"Motion sensor fingerprinting is a realistic threat to mobile users' privacy"
Many websites already collect this type of information, possibly for advertising purposes, according to new research from investigators at the University of Illinois at Urbana-Champaign and the Hong Kong University of Science and Technology.
"We can conclude that motion sensor fingerprinting is a realistic threat to mobile users' privacy," the researchers write in a paper published to the ArXiv preprint server. The paper is currently being peer reviewed.
"Smartphone users who use private browsing or clear their cookies to avoid tracking would find that these protection measures are rendered ineffective by fingerprinting, and they can still be tracked," said Nikita Borisov, one of the study's authors.
In 2011, the Office of the Privacy Commissioner of Canada released a report dealing with device fingerprinting, which stated that if there is no option for users to opt out of this kind of information-collecting, "then organizations should not be employing that type of technology for online behavioural advertising purposes."
Borisov and his colleagues found that 1,000 of the top 100,000 sites on the web—that's just 1 percent, an admittedly a paltry number—collect motion sensor hardware information from mobile devices. These sites may use this data to detect screen orientation or to generate random numbers for encryption, Borisov said, but oftentimes, we have no idea what these sites are doing with it. A few of the scripts, according to the study, were downloaded from advertisers as the site's pages loaded.
Watch more from Motherboard: All the Ways to Hack Your Phone
Device fingerprinting using motion data today is rare, if it happens at all, Borisov said, but it may still be occurring. The infrastructure is in place, and it looks like fingerprinting is the wave of the future for advertisers.
Some technologists are building protections against fingerprinting into some of their products, in the hopes of coming out ahead. The ad-blocking Brave browser, for example, has some protections built into its desktop browser client. But mobile users are still out of luck.
"I do believe technology companies should take the lead in offering protections by adopting some of our proposed countermeasures in private browsing modes," Borisov said. These countermeasures include an option for phones to correct for the slight imperfections in motion sensing that might identify a phone—basically, fudging the numbers a teensy bit.
"I am optimistic that these protections will be available to more users in the future," said Borisov.
In the game of cat and mouse between users and advertisers, digital rabble-rousers can hardly afford to rest on their laurels. Especially, perhaps, since advertisers seem set to use the tiny quirks in our phones to track us, if they aren't already.