Online behavior tracking by Web advertisement agencies attempting to better target consumers with products and other ads is a pervasive, persistent, and contentious practice on the Internet. The ad firms generally do this by installing small amounts of data on the user’s browser. These data are known as tracking cookies. New research from Stanford University found that the accelerometers in our smartphones produce uniquely identifiable measurements that these firms could exploit to track users even more reliably and accurately, a troubling breakthrough for those that advocate for online privacy.
An accelerometer is more or less a piece of hardware that measures the degree of acceleration experienced by the device it is embedded into. Pragmatically, for a smartphone at least, the accelerometer is the piece of equipment that enables the device to be aware of its orientation and allow you to play those flying and driving-related games.
According to an article in SFGate, researchers from the security lab within Stanford University’s Computer Science department realized that each accelerometer is subtly and uniquely flawed because of nearly unrecognizable variations in the accelerometer manufacturing process. Of course, like most modern manufacturing, the building of accelerometers is largely automated and highly precise, but it is not perfectly precise.
In theory, according to research cited by SFGate, an accelerometer should pick up the weight of gravity on a phone resting on a flat surface and quantify that measure as positive on when the phone is upright and negative one when the screen is facing downward. These measurements end up being close to, but not exactly negative or positive one respectively. As luck would have it, because of these unique manufacturing imperfections, the Stanford researchers believe they can prove that each accelerometer’s output is slightly different from every other accelerometer.
If you haven’t guessed it yet, this of course would mean that measuring the differences in output between different accelerometers is a reliable way of identifying a particular device and, at the very least, the person who owns it, which is generally the person who is using it as well.
Generally, when I read about a uniquely identifiable characteristic, I think about the potential to apply such characteristics – often based on human biometric measures – for device and online authentication in ways that might work better and provide more security than passwords, which are at once completely imperfect and almost entirely universal.
In fact, sometime last year, a different set of researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researcher working on the “physically unclonable functions found in standard PC components” project is capable of discerning these fine differences. The magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another.
It’s not totally clear how or why the Stanford researchers came to believe that advertisers might someday use these measurement to track our behavior online, but we’ll probably be able to figure it out in the near future when Stanford publishes the results of the full research.
You can check if your own phone’s accelerometer is uniquely identifiable by running it through Stanford’s Web-based proof-of-concept.