Mobile Usage Patterns and Privacy Implications
Michael Mitchell
March 27, 2015
Ratnesh Patidar, Manik Saini, Parteek Singh, An-I Wang
Florida State University
Peter Reiher
University of California, Los Angeles

Introduction
• Privacy is a major concern for pervasive & mobile computing
• Current understanding incomplete
  – Subjective nature of privacy
  – Automatic detection limited
• Important to understand what privacy actually means to people
  – Make the right tools to fix the right problems

Overview
• Empirical data on user privacy behavior limited
• Conducted a survey-based study of ~600 users
• Major findings include:
  – (1) People exercise little caution preserving mobile privacy
  – (2) Privacy is not equal to trust
  – (3) Users underestimate mobile app privacy threats
  – (4) Users’ understanding of privacy is different from that of the security community

Research Questions
• Primary survey goal: examine how mobile users feel about privacy
  – What does it mean to be private?
  – Do users alter computing behavior in certain environments? Around certain people?
• Secondary goal: understand user behavior and general mobility patterns
  – Where, when, and how mobile devices are used
  – Does gender, ethnicity, age, income, choices of technology, or technical sophistication influence behavior?

Background & Early Challenges
• Privacy subjective, requires human interaction
• Human Subject (IRB) Approval
• Participant recruitment
• Participant motivation and compensation

Mobile Usage Questionnaire
• ~100 questions in total via mobile app & web
• Questions cover:
  – Background, demographics, hardware ownership
  – Computing tasks performed by location in public and private
  – Where/when/why behavior changes
  – Usage of privacy/security tools
• $1000 was allocated for prizes
  – Chance to win one of 66 $15 Starbucks gift cards

Participant Demographics
• FSU Survey
  – 292 total participants
  – Median age of 22; 6 years computing experience
• Craigslist Survey
  – 303 total participants
  – Median age of 27; 6 years computing experience
• Few differences observed between surveys
  – Unless otherwise noted all results reflective of combined 595 responses

Participant Demographics
[Figure: % of participants by gender (Male, Female) and by ethnicity (Native American, Asian/Pacific Islander, Hispanic/Latino, African American, Caucasian), shown for FSU participants, FSU demographics, Craigslist participants, overall participants, and US Census]

Device Market Share
• Phones & tablets of survey participants reflect U.S. market share
  – Within 7% of target demographics
  – Slightly more Apple, slightly fewer Android
• Not quite as reflective of laptops
  – Fewer Windows users (by 28%)
  – More Apple (by 21%) and Linux users (by 7%)

Device Ownership
• Does hardware preference play a role in mobility or privacy?
  – Relationship between brands and behaviors?
• Men, tech-savvy users, and minorities
  – Own Android devices (up to 20%)
  – Own Windows laptops (up to 19%)

Brand Homogeneity
• Participant brand loyalty
  – iPhone owners more frequently own an Apple laptop or tablet (by up to 28%)
  – Android owners more frequently own an Android tablet (by 15%)
• More pronounced in FSU data set
  – iPhone owners more frequently own Apple laptops and tablets (by up to 40%)

Computing Locations
[Figure: % of participants using devices at each location: Home, Class, Library, Waiting In Line, Restaurant, Bus/Train/Airplane, Air/Bus/Train Station, Office, Park, Exercising, Washroom]

Most Common Public & Private Tasks
[Figure: # of accesses per person, per month, private vs. public, for Text Message, Email, Browse Web, Social Networking, Listen To Music, Weather, Calendar, Take Photos, Play Games, Voice Chat]
• Top 5 tasks significantly more frequent
• Most have little difference in public/private

Categorical Public & Private Tasks
[Figure: # of accesses per person, per month, private vs. public, for Entertainment, Communication, Productivity, Tools, Financial, Administration, Personal]
• Top 2 categories significantly more frequent
• Most have little difference in public/private

Public & Private Tasks by Risk Level
[Figure: # of accesses per person, per month, private vs. public, for Low Risk, Medium Risk, and High Risk tasks; chart annotations: "More often in private", "Little difference in public/private?"]

Public & Private Activity Overall
• Behavioral differences in public and private among groups not statistically significant
  – Genders, technical backgrounds, and ethnicities
• A few exceptions:
  – Women use social networking more frequently than men in public and private (up to 40%)
  – Tech-savvy users more likely to email in public and private (up to 24%)

Who Makes Users Change Behavior?
[Figure: % of users who alter their behavior around each kind of observer: Parents, Boss, Friends, Significant Other, Children, Siblings, Local Strangers, Someone Tech Savvy, Roommates, Foreign Strangers, Subordinates, None; chart annotations: "More familiar", "Less familiar", "> 10% Never change behavior"]

Usage of Privacy Enhancing Tools
[Figure: % of participants who have used, never used, or are unsure about Encryption and Password Vault/Keychain, shown for Overall, Male tech, Female tech, Male non-tech, Female non-tech]
• Technical background more likely to encrypt
• Differences less pronounced for password vaults

OS & App Permission Compliance
[Figure: % of participants who always agree, always disagree, or find out more when asked to comply with OS and with app permission requests, shown for Overall, Tech, Non-tech]
• More likely to comply with apps than OS?

Implications of Apple Ownership?
• Compared to Android owners, Apple users:
  – Use devices more in public locations (up to 16%)
  – Use their devices more for most social mobile computing tasks
    • Texting, e-mailing, and social networking (up to 63%)
  – Have less regard for security
    • WiFi: 86% of iPhone owners use open, public networks without security (6% above average)
    • Less likely to use encryption (by 7%)

Survey Lessons
• Survey speaks to user attitudes towards privacy, not necessarily actual behavior
• User attitudes critical in determining success of a privacy or security measure
  – As important to a privacy mechanism’s success as the technical details of how it works?
• Important for developers of mobile and pervasive privacy preserving mechanisms

Privacy Implications on Systems
• Users are far more concerned about protecting their privacy from familiar people
  – Parents twice the privacy threat as strangers?
• Perhaps privacy preserving mechanisms designed to protect against family and friends?
• Researchers must ensure that their goals align with users’ real privacy desires

Privacy, Trust, Anonymity
• Results suggest that trust and privacy are largely orthogonal
  – Those most trusted are also the most feared
• Perhaps perception of anonymity towards strangers?
  – False sense of security could face serious consequences

On-going/Future Work
• Reported behavior = actual behavior?
• On-going long term usage study
  – 35 selected users over three months
• Developed “Big Brother” Android firmware
  – Tracks location, usage, histories, etc.
• Compare actual usage with user reported changes
  – Determine if users actually behave how they claim

Conclusion
• Users not concerned about preserving mobile privacy?
  – Even tech-savvy users do not alter their behavior based on their surroundings
• Obvious critical question:
  – Users unaware of the risks? Or
  – Aware and simply do not care?
• If users don’t care about privacy, only the least intrusive mechanisms will succeed
• Philosophically, is it even our business to care?

Thank you
Mobile Usage Patterns and Privacy Implications
Michael Mitchell
mitchell@cs.fsu.edu
• All interaction with human subjects was approved by the Florida State University IRB Human Subjects Committee, approval number 2013.10175.
• This work is sponsored by NSF CNS-1065127.
• Opinions, findings, and conclusions or recommendations expressed in this document do not necessarily reflect the views of the NSF, FSU, UCLA, or the U.S. government.