What can companies learn about you by analyzing how you hold and move your mobile devices (e.g., smartphone/-watch)? In this thread, I summarize our study on the astounding privacy implications of accelerometer sensors #privacy #dataprotection #machinelearning #AI #IoT 1/n 
Link to paper (open access): dl.acm.org/doi/pdf/10.114…. In it, we provide a structured overview of personal information that can be inferred from accelerometer data by using machine learning techniques. 2/n
While this may sound like a topic for tech nerds, the paper is digestible for laypeople and relevant for anyone curious about the information we unknowingly reveal to companies through embedded sensors. 3/n
Accelerometers (ACCs) measure acceleration. They are present in almost all mobile devices & wearables (smartphones/-watches, tablets, fitness trackers, VR headsets, etc.) and are regularly accessed by device vendors, mobile apps & visited websites without users even noticing. 4/n
Some common uses of built-in ACCs are photo stabilization, auto screen rotation & shake detection. In contrast to sensors like GPS, microphones and cameras, ACCs are widely regarded as not privacy-intrusive, and therefore less protected/access-restricted. 5/n
However, experimental research has shown that, with the help of modern data analytics, ACC data can be exploited as a side channel to infer highly sensitive information about people. 6/n
Drawing from patents and literature of diverse disciplines, our paper shows that ACC data alone can be sufficient to obtain information about a device holder’s daily routines, physical activities, social interactions, health condition, gender, age, and emotional state. 7/n
“physical activities” not only include high-level motion states (e.g., walking, cycling, sitting, climbing stairs) but – with ACC data from wrist wearables – also more fine-grained activities (e.g., writing, eating, smoking, sorting paperwork, searching the Internet). 8/n
ACC data can also be used to uniquely identify users (based on biometric movement patterns) and to reconstruct sequences of text entered into a device, including passwords (based on micro-motions of the user’s hand). 9/n
Further, ACC data can be analyzed to assess a user’s driving style, to estimate a user’s level of intoxication by the way they move, and to locate a user - even when GPS is disabled(!) 👀 10/n
There is even research suggesting it may be possible to reconstruct words spoken by a user from ACC data (based on sound vibrations). However, these published findings are still inconclusive, as we have summarized in another recent paper, see Sect. 4: link.springer.com/content/pdf/10… 11/n
Inference methods are mostly developed & deployed behind closed doors, subject to non-disclosure agreements. Based on R&D investments, some companies likely have far greater capabilities than what is known from published research. 12/n
Of course, drawing inferences from ACC data is not trivial & inference methods are never faultless. However, for many attacks and profiling purposes, 100% accuracy is not needed. Inaccurate methods will be used nonetheless, causing additional discriminatory side-effects. 13/n
There is no question that embedded sensors improve our lives in many important ways. But to use this potential in a socially acceptable manner, adequate privacy protection is needed. How can this be achieved? 14/n
One seemingly obvious solution would be for mobile operating systems to give users more control and transparency, e.g., by asking them every time a mobile app or visited website wants to access ACC data (which happens ALL the time). 15/n
Unfortunately, this “solution” won’t help much. As inferences are often based on complex patterns and algorithms, ordinary users cannot be expected to understand what information is indirectly revealed. 16/n
Even in much less complex settings, people’s privacy choices are typically irrational, involuntary and/or circumventable due to human limitations, corporate tricks and legal loopholes – as we discuss in-depth in other recent work: ssrn.com/abstract=38817… 17/n
Thus, the issue discussed in this thread is yet another reminder that we urgently need to challenge the misleading notion of “informed consent” when it comes to our privacy choices. The prevalent data protection paradigm of “notice-and-choice” is completely dysfunctional. 18/n
We have outlined alternative approaches here (under Sect. 7): ssrn.com/abstract=38817…. Note that most existing ideas in this area are still vague and hypothetical. To arrive at actionable policy recommendations, further research on this issue is urgently needed. 19/n
We are grateful for the attention our ACC paper has received so far, incl. 40k downloads on ACM Digital Library, numerous discussions on Reddit, academic citations, and 100s of tweets (e.g. by Joe Biden’s former cybersecurity expert @hackingbutlegal). altmetric.com/details/803564… 20/n
Of course, the threat of unexpected inferences goes far beyond ACC data, encompassing countless other sensors and data sources. In other recent work, we have examined inferences from speech data (e.g., voice messages, voice memos, voice commands): rd.springer.com/content/pdf/10…. 21/n
… and eye-tracking data (link.springer.com/content/pdf/10…). 22/n
Thank you so much for reading. I will post more information/updates soon.
Also, feel free to share your thoughts and ideas. How should our society deal with the obvious failure of the “notice -and-choice” approach?
Also, feel free to share your thoughts and ideas. How should our society deal with the obvious failure of the “notice -and-choice” approach?
• • •
Missing some Tweet in this thread? You can try to
force a refresh
