Swiping your identity: how you’re being tracked

By Ketan Joshi

3 August 2018

Close up of hand swiping on smartphone

What can the way you swipe on your phone tell us about you?

Are you a one-handed-thumb-swiper or an index-finger-tapper? On average, we touch our phones over 2000 times per day but what you might not know that every one of us is using our phones in a unique way. Not only are the sites and apps you use generating data about you, but the way in which you swipe around on our touch screens could identify you too. Cue your mum violently tapping away using two hands and with the keyboard sound on.

Why are we telling you this? Well, there’s no chance you missed Facebook’s scandal involving a company called ‘Cambridge Analytica’. A range of high-profile data-breaches and security issues have brought big headlines for big companies, such as fitness-tracking company Strava revealing jogging patterns  on military bases. We’re seeing an onslaught of news about pieces of our identity soaked up by the digital tools we rely on for modern living.

Often, privacy issues are straightforward – they involve the public release of information we’d previously assumed was private. Sometimes, it’s not so simple.

Our Data61 team have been dedicating brain power to investigating these issues through a scientific lens. And now our latest research reveals that personal identity, something we’d largely classify as private and sensitive when we’re interacting with technology like web browsers and apps on smartphones, can be compromised through some surprisingly devilish techniques.

Tracking touch

An unavoidable part of digital life involves being closely tracked by platforms you’re interacting with. This can be part of the functionality of a site (like keeping virtual items in your online shopping cart), or it can be used by people who operate a website to get statistics on how users interact with their site.

A new research paper from Dr Dali Kaafar, Rahat Masood, Ben Zhao and Dr Hassan Asghar from our Information Security and Privacy Group and the Optus-Macquarie University Cyber Security Hub, demonstrated the feasibility of tracking users using only the touch gestures we use on modern devices, and quantified the amount of information in these gestures.

Their team created a custom app, called ‘TouchTrack’, as part of their research project. The app informs users that they’re part of this project and their data is collected, and asks them to interact with a collection of open source games. A total of 40,600 samples were collected from 89 users over two months.

A collection of icons on a white background showing different types of swiping, such as tap, type, and pinch

There’s amazing detail that can be drawn about you from your touch patterns

The researchers could correctly re-identify returning users with a success rate of more than 90 per cent. And piecing together the different combinations of gestures resulted in even higher uniqueness, with the combination of keystrokes, swipes and writing revealing up to 98.5 per cent of information about users.

So in the same way that a fingerprint or facial recoginition software can be used to identify you and unlock your phone for you, the unique way in which you tap and swipe around your phone can also identify you – or figure out that it’s not you and perhaps multiple people use that household iPad.

A collection of screenshots of an app

The TouchTrack app lets you engage directly with the details of personal identity you can extract from physical behavioural biometrics

Do apps need to be tracking us?

Every app you use must intake some form of data to function properly.

“The amount of fine-grained data contained in information from your device’s sensors means apps might be learning more about you than is needed for the functioning of the app,” says Dr Kafaar.

“Touch tracking is a physical identifier – this means it’s different to virtual identities tracked by cookies – your browser data and your IP address. Multiple individuals can be tracked, even if they all use the same device, and one person can be tracked across several different devices.”

Like so many stories about modern technology, there are down side and up sides to the development of a new analytical technique – touch-based tracking could be used to improve security and identification of users for things like logging into secure accounts, or you could use touch identification to limit your child’s use of a smartphone.

What should you do?

“It’s worth remembering that biometrics like touch tracking can be relatively more prone to error, compared to DNA analysis or face recognition.” says Dr Monique Mann, Vice Chancellor’s Research Fellow in Technology and Regulation at the Faculty of Law, Queensland University of Technology.

“Though it’s worth noting these technologies can be wrong sometimes too.

“There’s also limited governing legal frameworks and oversight. Many of these issues are interesting and depend on the context of use.”

Dali reminds us that in addition to being aware of the possibilities, you can do some active things to reduce your work.

“Ad-blockers don’t just block ads – they block the mechanisms used to track users, which can breach your privacy. No single solution is perfect, but there are options out there,” he says.

You don’t need to start plugging a wired mouse into your smartphone – this new research highlights a potential new area for privacy risks, but it doesn’t spell doom and gloom. Remaining aware of the significance of seemingly meaningless pieces of data, like the velocity of your swipe across the screen of a smartphone, and taking action where you can, is the best course of action for now.

 

Dr Mann and Dr Kaafar will be in conversation at D61+ Live, a free technology showcase event held in September, in Brisbane. Register here.

The science of privacy preservation

We do science examining risks and issues around privacy, and we develop technologies that balance the utility of data and the preservation of privacy, informed by scientific research