How Do Websites Know You’re in the Bathroom?
Many people don’t realize just how much data can be collected from the accelerometer in your smartphone. You might think this sensor is only used to rotate your screen, but it goes far beyond that. The movement patterns and orientation of your phone can reveal a lot about what you’re doing: whether you’re sitting, lying down, standing, or running. It’s even possible to identify a person by their voice through the phone’s speaker, using the reverberations picked up by the accelerometer. The sensor can also detect who is nearby in a bus or car if their movement patterns match yours.
Some apps constantly collect this data without your explicit permission (on Android and iOS 15, no special permission is required). And it’s not just apps—websites can access this information too.
Tracking with the Accelerometer
The accelerometer and gyroscope are simple microchips, like the Invensense MPU-6500, that detect movement along six axes (three for the gyroscope and three for the accelerometer).
Common uses include:
- Screen orientation detection
- Controlling cars in racing games by tilting the device
- Step counting
- Detecting if the user has fallen (like Apple Watch does)
- Determining the user’s position in space
This means any app or website can estimate how many steps you’ve taken and what you’re doing at any given moment. With specific movement patterns and phone positions, it’s even possible to guess if someone is sitting on the toilet.
Researchers are exploring new uses for the accelerometer, such as measuring heart rate and breathing frequency. There are even attempts to record speech from the phone’s speakers using accelerometer data. Since sound is a mechanical vibration, reverberations from speech can travel through the phone’s body and be picked up by motion sensors.
While you can’t make out individual words, it’s possible to determine the speaker’s gender (with over 90% accuracy) and even identify individuals from a small database of voiceprints.
It’s important to note that the accelerometer inside the device doesn’t react to airborne speech reverberations, so it can’t eavesdrop on people nearby—only those whose voices come through the phone’s speaker.
Privacy Concerns: No Permission Needed
Currently, iOS and Android do not require special permissions for apps to access accelerometer data. This means any app can easily collect this private information. For example, Facebook continuously collects this data through its apps, including Instagram, WhatsApp, and others.
Log of accelerometer data sent from a smartphone to Facebook’s servers when the Facebook app is opened.
Access via Browser
Many popular websites include scripts that read accelerometer data. Here’s a sample script:
<script>
(function () {
  // The demo only runs on Android, where browsers deliver motion events by default.
  var isAndroid = /(android)/i.test(navigator.userAgent);
  if (!isAndroid) {
    document.getElementById('example').innerHTML = '<strong>You\'re not visiting from an Android device</strong>';
    return;
  }

  // Round to two decimal places.
  function round2(num) {
    return +(Math.round(num + "e+2") + "e-2");
  }

  window.addEventListener('devicemotion', function (event) {
    // event.acceleration is null on devices that cannot report it.
    if (!event.acceleration) {
      return;
    }
    var x = event.acceleration.x;
    var y = event.acceleration.y;
    var z = event.acceleration.z;
    var interval = event.interval;
    if (x !== null && y !== null && z !== null) {
      // Ignore sensor noise: only report movement above 0.5 m/s^2 on some axis.
      if (Math.abs(x) > 0.5 || Math.abs(y) > 0.5 || Math.abs(z) > 0.5) {
        var el = document.getElementById('devicemotionOutput');
        el.innerHTML = JSON.stringify({
          event: 'devicemotion',
          accelerationX: round2(x),
          accelerationY: round2(y),
          accelerationZ: round2(z),
          interval: interval,
        }, null, 2);
      }
    }
  });

  // Last orientation that was processed (undefined until the first event).
  var last = {};
  window.addEventListener('deviceorientation', function (event) {
    // Skip the update unless every angle changed by at least 1 degree.
    if (Math.abs(last.alpha - event.alpha) < 1
        || Math.abs(last.gamma - event.gamma) < 1
        || Math.abs(last.beta - event.beta) < 1) {
      return;
    }
    last.alpha = event.alpha;
    last.beta = event.beta;
    last.gamma = event.gamma;
    if (event.alpha !== null && event.beta !== null && event.gamma !== null) {
      var el = document.getElementById('deviceorientationOutput');
      el.innerHTML = JSON.stringify({
        event: 'deviceorientation',
        alpha: round2(event.alpha),
        beta: round2(event.beta),
        gamma: round2(event.gamma),
        absolute: event.absolute,
      }, null, 2);
    }
  });
})();
</script>
The situation varies by platform. All browsers on iOS use WebKit, so if a site tries to run such a script, a permission dialog will always appear, regardless of whether you’re using Safari, Firefox, or Chrome. On Android, however, browsers by default allow websites to access deviceorientation and devicemotion events, which include motion sensor data. If you visit a demo page from an Android smartphone, you can see this data in action.
Some of these events can even be simulated in Chrome Dev Tools on desktop (the 3D model rotates along all axes with your mouse).
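Because Android browsers hand these events to any script without a prompt, a site owner may want to know which embedded scripts subscribe to them. The following is an added example, not code from the original article: it wraps addEventListener and records the stack frame of every devicemotion or deviceorientation registration. The names auditMotionListeners, callerFrame, runDemo and hypotheticalWidget are assumptions made for illustration, and the demo uses a plain EventTarget in place of window so it runs outside a browser.

```javascript
// Added example (not from the article): record which code subscribes to
// motion-sensor events, so a site owner can audit third-party scripts.
const MOTION_EVENTS = new Set(['devicemotion', 'deviceorientation']);

// Return the stack frame of the code that called addEventListener.
// Frames end in ":line:col" in both V8 and Gecko stack formats.
function callerFrame(stack) {
  const frames = String(stack).split('\n')
    .map((line) => line.trim())
    .filter((line) => /:\d+:\d+\)?$/.test(line));
  // frames[0] is the audit wrapper itself; frames[1] is its caller.
  return frames.length > 1 ? frames[1].replace(/^at\s+/, '') : 'unknown';
}

// Wrap target.addEventListener (target is `window` in a browser).
// Returns the log array and a restore() that removes the wrapper.
function auditMotionListeners(target) {
  const original = target.addEventListener;
  const log = [];
  target.addEventListener = function auditedAddEventListener(type, listener, options) {
    if (MOTION_EVENTS.has(String(type))) {
      log.push({ type: String(type), caller: callerFrame(new Error().stack) });
    }
    // Always pass the registration through so page behaviour is unchanged.
    return original.call(this, type, listener, options);
  };
  return { log, restore() { target.addEventListener = original; } };
}

// Constructed demo: an EventTarget stands in for `window`, and
// hypotheticalWidget() stands in for an embedded third-party script.
function runDemo() {
  const fakeWindow = new EventTarget();
  const audit = auditMotionListeners(fakeWindow);
  function hypotheticalWidget() {
    fakeWindow.addEventListener('click', () => {});
    fakeWindow.addEventListener('devicemotion', () => {});
    fakeWindow.addEventListener('deviceorientation', () => {});
  }
  hypotheticalWidget();
  audit.restore();
  fakeWindow.addEventListener('devicemotion', () => {}); // not logged after restore
  return audit.log;
}
```

In a browser, call auditMotionListeners(window) before any other script loads; each log entry's caller then contains the URL and line of the script that registered the listener.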
Attack Vectors
There are various ways this data can be exploited. For example, a website or app could identify groups of users who are physically close to each other—on the same bus, train, or in a car—by matching their synchronized motion sensor data. This could allow tracking of users even if they have disabled geolocation services.