Monday, October 14, 2013

Scientists discover invisible method to track online users

The Stanford security research Hristo Bojinov has demonstrated a new method for corporations or governments to track users in an invisible fashion to the users.

smartphone track cookies identify privacy
With smartphones becoming more and more commons, certain privacy issues also arises. For example, on the Apple iPhone, prior to iOS 6, developers could see the unique ID code (UUID) of the device their apps were running on and in this way track and monitor the activity of individual users. Primarily, this has then been used to serve directed advertisements to the users based on their usage patterns. With the release of iOS 6, after massive protests, Apple removed the UUID from being visible for a third-party app and added an alternate ID instead that the users could turn off in their Privacy settings. Users who are concerned with privacy therefore could hide their tracks relatively well by turning off tracking and also browser cookies.

Now, however, the security researcher from Stanford, Hristo Bojinov, has discovered and published a paper on a new way to track and monitor individual users, which is applicable on most smartphones. The presented approach is very different from previous methods as it uses sensor readings in the phone itself to create a unique ID that can be attributed to each individual phone.

The principle is actually quite easy and is based on that all electronics sensors have unique response functions. For example, Bojinov demonstrated that by placing a phone flat on a surface, its reading from the accelerometer at such position is unique enough to be useful for tracking of individual phones, caused by inevitable imperfect manufacturing processes. Furthermore, Bojinov also showed that the frequency response function of the mic could also be used to identify a phone. In principle all sensors that are accessible by the users will carry unique signatures that can be tied to a unique phone.

The implementation as proposed by Bojinov would simply leverage the use of a javascript that executes and retrieves the readings from a phone. While these methods are not as exact as a UUID of a phone, they are, however, completely invisible for the users and also not possible to be blocked by the users. This therefore implies that tracking is enabled for all users, even those that have turned off all the conventional appropriate privacy settings. 

The recent discovery by Bojinov certainly raises some privacy concern but the question is how to remedy this. In essence, to completely render the method useless, the smartphone operating systems would have to offer its users an option to turn off the sensors to be executed in certain apps or environments (such as web browser). However, some apps do use the sensors for legit purposes, and it is likely impossible for a user to both use their sensors in such apps and also prevent them from being tracked unless they can manually modify the sensor readings to send noisy data to the app.

In any case, Bojinov himself expresses that he is surprised that this mean of tracking has not been exploited by any corporations or governments so far.

No comments:

Post a Comment