Touch and You’re Trapp(ck)ed: Quantifying the Uniqueness of Touch Gestures for Tracking

Authors: Rahat Masood (CSIRO Data61 and University of New South Wales (UNSW), Sydney, Australia), Benjamin Zi Hao Zhao (CSIRO Data61, Sydney, Australia), Hassan Jameel Asghar (CSIRO Data61, Sydney, Australia), Mohamed Ali Kaafar (Macquarie University, Optus Macquarie University Cyber Security Hub, and CSIRO Data61, Sydney, Australia)

Volume: 2018
Issue: 2
Pages: 122–142
DOI: https://doi.org/10.1515/popets-2018-0016

Download PDF

Abstract: We argue that touch-based gestures on touchscreen devices enable the threat of a form of persistent and ubiquitous tracking which we call touch-based tracking. Touch-based tracking goes beyond the tracking of virtual identities and has the potential for cross-device tracking as well as identifying multiple users using the same device. We demonstrate the likelihood of touchbased tracking by focusing on touch gestures widely used to interact with touch devices such as swipes and taps.. Our objective is to quantify and measure the information carried by touch-based gestures which may lead to tracking users. For this purpose, we develop an information theoretic method that measures the amount of information about users leaked by gestures when modelled as feature vectors. Our methodology allows us to evaluate the information leaked by individual features of gestures, samples of gestures, as well as samples of combinations of gestures. Through our purposebuilt app, called TouchTrack, we gather gesture samples from 89 users, and demonstrate that touch gestures contain sufficient information to uniquely identify and track users. Our results show that writing samples (on a touch pad) can reveal 73.7% of information (when measured in bits), and left swipes can reveal up to 68.6% of information. Combining different combinations of gestures results in higher uniqueness, with the combination of keystrokes, swipes and writing revealing up to 98.5% of information about users. We further show that, through our methodology, we can correctly re-identify returning users with a success rate of more than 90%.

Keywords: Implicit Tracking, Mobile Privacy, Touch Gestures, User Profiling, Risk Quantification

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.