Defence against unwanted audio tracking by acoustic cookies

Mobile phones and tablets through so-called audio tracking, can be used by means of ultrasound to unnoticeably track the behaviour of their users: for example, viewing certain videos or staying in specific rooms and places. In the project SoniControl, St. Pölten University of Applied Sciences has developed a method for how this undetected (and usually unwanted) spying can be exposed and blocked

Project logos, credit St. Pölten UAS

The permanent networking of mobile devices can endanger the privacy of users and lead to new forms of monitoring. New technologies such as Google Nearby and Silverpush use ultrasonic sounds to exchange information between devices via loudspeakers and microphones (also called “data over audio”).

More and more of our devices communicate via this inaudible communication channel. Ultrasonic communication allows devices to be paired and information to be exchanged. It also makes it possible to track users and their behaviour over a number of devices, much like cookies on the Web. Almost every device with a microphone and a loudspeaker can send and receive ultrasonic sounds. Users are usually unaware of this inaudible and hidden data transmission.

The SoniControl project of St. Pölten University of Applied Sciences has developed a mobile application that detects acoustic cookies, brings them to the attention of users and if desired, blocks the tracking. The app is thus, in a sense, the first available ultrasound-firewall for smartphones and tablets. “The most challenging part of developing the app was to devise a method that can detect different existing ultrasound-transmission techniques reliably and in real time”, said Matthias Zeppelzauer, Head of the project and Senior Researcher in the Media Computing research group of the Institute of Creative\Media/Technologies at St. Pölten UAS.

Determining interests and location

St. Pölten University of Applied Sciences, credit Katharina Balgavy

Such ultrasonic signals can be used for so-called “cross-device tracking”. This makes it possible to track the user’s behaviour across multiple devices, and relevant user profiles can be merged with one other. In this way, more accurate user profiles can be created for targeted advertising and filtering of internet content.

Unlike their electronic counterparts when visiting web pages, up to now it has not been possible to block acoustic cookies. “In order to accept voice commands, the mobile phone microphone is often permanently active. Every mobile application that has access to the microphone as well as the operating system itself can at any time without notice: activate the microphone of a mobile device, listen to it, detect acoustic cookies and synchronise it over the Internet”, said Zeppelzauer. Users are often not informed of this information transmission during ongoing operation. Only a permanent deactivation of the microphone would help, whereby the device as a telephone would become unusable.

Masking of ultrasound cookies

In the project SoniControl, Zeppelzauer and his colleagues, Peter Kopciak, Kevin Pirner, Alexis Ringot und Florian Taurer have developed a procedure to expose the cookies and inform device users. For masking and blocking the ultrasonic data transfer, interference signals are transmitted via the loudspeaker of the mobile device. Thus, acoustic cookies can be neutralized before operating systems or mobile applications can access them. Users can selectively block cookies without affecting the functionality of the smartphone.

The masking of the cookies occurs by means of ultrasound, which is inaudible to humans. “There is currently no technology on the market that can detect and block acoustic cookies. The application developed in this project represents the first approach that gives people control over this type of tracking”, said Zeppelzauer.

All project results and the application have been made publicly available. The system is therefore directly usable and expandable for everyone. All project results have been released under Creative-Commons license.

Data exchange via ultrasound in the Internet-of-Things
The technology is now being further developed in a follow-up project, SoniTalk. Through Internet-of-Things (IoT) technologies an increasing number of devices are communicating with one another. Ultrasonic communication is increasingly used for data exchange between mobile phones and devices. Thus, ultrasonic communication is an alternative technology for ad-hoc data exchange, near-field communication (NFC) and as a channel for two-factor authentication that proves the identity of users by combining two different and independent components.

The new project SoniTalk wants to give users full control over what is allowed to be sent by which app and should effectively help to protect user privacy. The goal of SoniTalk is an open source, transparent and fully private-sphere oriented protocol for ultrasonic communication. SoniTalk seeks to lay the groundwork for a new free standard in the field of ultrasonic communication that enables secure communication and protects user privacy.

Project SoniControl

The project was funded by the netidee initiative (www.netidee.at). The support campaign was organised and financed by the non-profit Internet Foundation Austria (IPA).

Project website: http://sonicontrol.fhstp.ac.at

Project results: https://www.netidee.at/sonicontrol

SoniControl App in the Google Play Store: https://play.google.com/store/apps/details?id=at.ac.fhstp.sonicontrol

Source Code: https://git.nwt.fhstp.ac.at/m.zeppelzauer/SoniControl

Project SoniTalk

The project is funded by the netidee initiative (www.netidee.at). The support campaign is organised and financed by the non-profit Internet Foundation Austria (IPA).

Project website: http://sonitalk.fhstp.ac.at/