Accelerometer IDs smartphones in seconds

Hristo Bojinov was part of a group studying the feasibility of identifying devices using various sensors. Hristo Bojinov was part of a group studying the feasibility of identifying devices using various sensors. Photo: Carlos Avila Gonzalez, The Chronicle Photo: Carlos Avila Gonzalez, The Chronicle Image 1 of / 4 Caption Close Accelerometer IDs smartphones in seconds 1 / 4 Back to Gallery

One afternoon late last month, security researcher Hristo Bojinov placed his Galaxy Nexus phone face up on the table in a cramped Palo Alto conference room. Then he flipped it over and waited another beat.

And that was it. In a matter of seconds, the device had given up its "fingerprints."

Code running on the website in the device's mobile browser measured the tiniest defects in the device's accelerometer - the sensor that tracks movement - producing a unique set of numbers that advertisers could exploit to identify and track most modern smartphones.

The accelerometer enables, among other things, the browser to shift from landscape to vertical as a user tilts the phone. It turns out every accelerometer is predictably imperfect, and slight differences in the readings can be used to produce a fingerprint. Marketers could use the ID the same way they use cookies - the small files that download from websites to desktops - to identify particular users, monitor their online actions and target ads accordingly.

It's a novel approach that raises a new set of privacy concerns: Users couldn't delete the ID like browser cookies, couldn't mask it by adjusting app privacy preferences - and wouldn't even know their device had been tagged.

"I don't know if it's been thought of before," said Dan Auerbach, staff technologist at the Electronic Frontier Foundation. "It's very alarming."

Bojinov, a doctoral candidate in computer science at Stanford originally from Bulgaria, set out about a year ago with several collaborators at the Stanford Security Laboratory to test whether it was technically feasible to identify devices using various sensors. Bojinov wanted to make device manufacturers, software designers, policymakers and advocates aware of this potential avenue for tracking in the hope that the industry would take steps to guard against it.

"People need to consider the whole system when they think about privacy," Bojinov said.

More to worry about

Indeed, accelerometers aren't the only thing to worry about. The Stanford research team, which plans to publish its results in the months ahead, was also able to identify phones using the microphone and speaker. They found they could produce a unique "frequency response curve," based on how devices play and record a common set of frequencies.

Meanwhile, a team at the Technical University of Dresden in Germany recently developed a tracking method that exploited variations in the radio signal of cell phones, according to a story in New Scientist. The "collection of components like power amplifiers, oscillators and signal mixers ... can all introduce radio signal inaccuracies," researcher Jakob Hasse explained.

Asked if this sort of work risks putting ideas into the heads of online advertisers, Bojinov said he'd be surprised if someone in the industry wasn't already exploring these approaches.

The private sector and U.S. government have repeatedly demonstrated a willingness to make use of a mobile phone's hardware in ways users wouldn't expect. Apps like Color, Shopkick and IntoNow activated smartphone microphones to detect when people were in the same room, entered a particular store or watched a specific TV show, as Computerworld reported.

Likewise, the FBI has famously flipped on the microphones of investigation targets to eavesdrop on conversations.

To be sure, the smartphone is already a compromised device for anyone keenly concerned about ad tracking and privacy. Unique users can be identified, for targeting ads and other purposes, through cookies in the mobile browser or unique ID numbers associated with the device or particular apps. In addition, many apps can tap into the phone's location, contact list, photos and more.

But conscientious users can at least exercise choices to minimize these capabilities - by selecting browsers that block certain tracking cookies by default, like Apple's Safari, carefully picking apps that are less intrusive and managing which services access certain data.

Fingerprinting devices through the accelerometer and mobile browser, however, could eliminate such control, potentially undermining choice and transparency for the user. That's what troubles privacy advocates the most.

"The fight to make it easier or harder to identify users is being lost by privacy advocates right now," the EFF's Auerbach said. "There are a lot of novel techniques that are making it difficult to even know that tracking is even happening, because the fingerprinting is occurring" online rather than on the device itself.

Unlike with cookie files, there are no digital bread crumbs lining the advertiser's trail.

Sidestepping controls

Ryan Calo, an assistant professor of law focused on privacy at the University of Washington, said these forms of identification are merely the latest examples of broad and long-running trends in online advertising: Every new privacy protection tool or ad-blocking plug-in is met with new technologies that allow companies to sidestep such controls.

He believes the struggle will only continue as long as there is a misalignment of incentives between companies and consumers. If the core business model of major tech companies is collecting personal data to target ads, they will continue to find ways to do so - limited only by the law or whatever line users themselves draw.

In a forthcoming paper for George Washington Law Review, Calo argues that if companies like Facebook and Google offered users paid options, like Pandora does, it would encourage these businesses to improve service for their users, rather than for their advertisers - or "reorient the consumer from being a product to being a client."

"I'm increasingly convinced that we need to change the basic incentive structure around tracking," he said. "Absent that, we're just going to see an arms race, whether in fingerprinting phones or fingerprinting browsers. If there's money in identifying individual consumers, and if it's not specifically illegal, people will do it."