In a conference paper, we have analysed the privacy implications of accelerometer data from mobile devices. While this may sound like a topic for computer nerds and ICT experts, the paper is digestible for laypeople and relevant for anyone who is curious about the information we unknowingly reveal to companies through embedded sensors.
Accelerometers are motion sensors (for measuring acceleration forces, as the name suggests) that are found in many types of mobile devices, including tablet PCs, virtual reality headsets, fitness wristbands, smartwatches and smartphones. Some common uses of built-in accelerometers are automatic image stabilisation, device orientation detection, and shake detection.
In contrast to sensors like microphones and cameras, accelerometers are widely regarded as not privacy-intrusive. As discussed in our paper, even researchers describe accelerometer data as “not particularly sensitive” or even “privacy preserving”. This sentiment is reflected in protection policies of mobile operating systems, such as iOS and Android, where installed apps can access accelerometer data without any request or notification to the user. It has been shown in experiments, however, that seemingly innocuous sensors can be used as a side channel to infer highly sensitive information about people in their vicinity.
Drawing from published experimental research, existing commercial products and filed patents, our meta-analysis shows that accelerometer data alone “may be sufficient to obtain information about a device holder’s location, activities, health condition, body features, gender, age, personality traits, and emotional state. Acceleration signals can even be used to uniquely identify a person based on biometric movement patterns and to reconstruct sequences of text entered into a device, including passwords.”
The paper calls for a reconsideration of the widespread perception of accelerometers as non-intrusive, along with corresponding adjustments to technical and legal data protection measures. There is a sense of urgency, as motion sensors are so widely used today. In fact, the accelerometer the most widely used sensor in wearable devices, and also the sensor that is most frequently accessed by mobile apps.
Regarding all types of mobile and IoT devices, we hold the opinion that the privacy implications of sensor data should be assessed in consideration of all inferences that can plausibly be drawn from it using state-of-the-art data analytics, not based on a sensor’s official purpose.
Our paper is titled “Privacy Implications of Accelerometer Data: A Review of Possible Inferences” and was published in the Proceedings of the 3rd International Conference on Cryptography, Security and Privacy (ICCSP ‘19). It is available open-access through the ACM Digital Library: https://doi.org/10.1145/3309074.3309076