Advertisers are increasingly turning to fingerprinting techniques to track users across the web. As web browsing activity shifts to mobile platforms, traditional browser fingerprinting techniques become less effective; however, device fingerprinting using built-in sensors offers a new avenue for attack. We study the feasibility of using motion sensors to perform device fingerprinting at scale, and explore countermeasures that can be used to protect privacy.
We perform a large-scale user study to demonstrate that motion sensor fingerprinting is effective with 500 users. We also develop a model to estimate prediction accuracy for larger user populations; our model provides a conservative estimate of at least 12% classification accuracy with 100,000 users. We then investigate the use of motion sensors on the web and find, distressingly, that many sites send motion sensor data to servers for storage and analysis, paving the way to potential fingerprinting. Finally, we consider the problem of developing fingerprinting countermeasures; we evaluate a previously proposed obfuscation technique and a newly developed quantization technique via a user study. We find that both techniques are able to drastically reduce fingerprinting accuracy without significantly impacting the utility of the sensors in web applications.