The spy in your pocket

This exercise is a part of Educator Guide: Smartphones Overshare

These questions are based on the feature article “Smartphones overshare.”

Due to the length of the article, you may want to assign each section of the article to a specific group of students. For example, divide your class into four groups, and assign each group a section to become an expert on. The sections include: “Message revealed,” “Tagalong,” “Sensor safeguards” and “The price of privacy.” Each group should also be assigned to read the introduction. Allow time for each expert group to discuss and summarize its segment. Next, assign new groups, each including at least one “section expert” from each of the original four groups. Each “section expert” should summarize his or her section of the article so that the new group has a summary of the whole article. Finally, all groups should work together to answer the questions below.  

1. What types of information can smartphones sense and measure? What types of sensors are not currently permission-protected?

Possible student response: Smartphones can capture and store images, video and sound (including human speech). These devices can also detect and store data on screen touches and keystrokes, fingerprints, proximity of objects to the screen, light levels, barometric pressure, acceleration, vibration, rotation, magnetic fields, gravity and GPS signals. Motion detectors, such as accelerometers and gyroscopes, are not currently permission-protected.

2. In what ways can downloaded apps use a smartphone to potentially spy on a user without the user’s knowledge or permission?

Possible student response: Researchers have designed invasive, proof-of-concept apps that perform some functions while also secretly extracting other sensor data. That data could be used to spy on users. If similar apps are devised in the future, those apps could pose a potential threat to users.

Other apps could be deceptive in the way that they ask for permission to collect certain data. For example, an app could trick a distracted user into allowing it to capture imagery and audio data, rather than just imagery data. Researchers have proposed that such apps would show a user a camera icon several times, then, once the user is comfortable with the button’s location and function, switch to a video camera icon to gain access to the smartphone’s microphone as well as the camera.

Since motion detectors are not currently permission-protected, apps can extract motion sensor data and send it to sophisticated computer programs that can relate that data to specific, potentially invasive information about a user, such as finger taps on certain areas of the screen.

3. If an app did not have access to screen images and keystrokes, how could the app use a smartphone’s other sensors to spy on a user’s messages and passwords?

Possible student response: Keystrokes can be reconstructed with fairly high accuracy based on the motions, light levels and sounds detected by the smartphone while its user types.

4. If an app did not have access to GPS, video or screenshots, how could it use a smartphone’s other sensors to spy on a user’s location and movements?

Possible student response: Motion sensors can tell if a person is sitting still, walking or riding smoothly. Monitoring users’ data over time can indicate directions, speeds and distances of travel, which can be matched with subway and other transit maps.

5. Give an example of an invasive app built by a researcher. What was the nefarious goal of the app and how successful was it at meeting its goal? What sensors did it use to extract the necessary data?

Possible student response: A recently built app reported in the Cryptology ePrint Archive in December uses smartphones’ gyroscopes, accelerometers, light sensors and magnetism-measuring magnetometers to guess user PIN numbers. When tested on a pool of 50 PIN numbers, the app correctly deciphered 99.5 percent of keystrokes.

6. How does the 6thSense system help to protect smartphone users?

Possible student response: The user trains the 6thSense system to recognize his or her smartphone’s normal sensor behavior during everyday tasks such as calling, Web browsing and driving. The 6thSense system continually monitors a smartphone’s sensor activity against these learned behaviors and alerts the user if the system detects unusual activity.

7. How does the DEEProtect system help to protect smartphone users? What is the tradeoff for a greater level of privacy using the DEEProtect system?

Possible student response: The DEEProtect system limits or alters raw sensor data before forwarding that data to other apps. For example, a speech-to-text app would receive a user’s spoken words, but would be unable to identify the user’s voice. A greater level of distortion by DEEProtect gives a user more privacy, but could degrade the functionality of other apps.

8. How does the AWare system help to protect smartphone users?

Possible student response: The user must specifically grant permission before an app is allowed to access each sensor for the first time. The AWare system also records the state of the phone when initial permission is granted and alerts the user if an app is trying to deceive the user into unintentionally granting additional permissions.

9. Summarize two main points of the article. What are two overarching ideas or questions that could be discussed after reading the article?

Possible student response: Scientists and engineers have designed invasive, proof-of-concept apps that perform some functions while also secretly extracting other sensor data. Similar apps could be used to spy on people. Researchers are also studying ways to give users more control over the data that apps extract from smartphones as well as safeguards to alert users of potential privacy breaches.

Should apps be able to extract and save all motion sensor data without a user’s permission? Should apps be able to store and sell any type of user data?

10. What other questions do you still have after reading the article?

Possible student response: How could apps circumvent protective systems such as 6thSense, DEEProtect and AWare? Are there better ways to protect smartphone users? How could third parties use smartphone sensors and apps for beneficial or malicious purposes?