The goal of this project is to measure and study the uniqueness of the touch-based behavioral biometrics of a mobile device user. We are committed to protecting the privacy of users of TouchTrack. All of the data for the project will be collected in an anonymized form, which ensures that it is not Personally Identifiable Information, nor otherwise likely to lead to the exploitation of user identities.
Information Gathered by TouchTrack Mobile App
In general, TouchTrack collects anonymous raw data for four types of touch gestures, i.e. swipes (left, right, up, down), taps, keystrokes, and handwriting. We use the term “raw data” for the touch data that is collected directly through the Android API. This raw data, corresponding to each gesture, is collected when you play the games provided in the app. The games (2048, Lexica, Logo Maniac) are very widely known and universally popular.
When you interact with a mobile device while playing games, our app collects raw data and sends it over HTTPS to a server, located in the networks group of data61-CSIRO, to estimate the user's uniqueness. When a user taps the “Results” button, the server processes the raw data to calculate a uniqueness value and sends the results back to the app for display.
The specific list of raw features we collect includes:
- Screen Coordinates (i.e. X & Y positions)
- User Finger Pressure on a Screen
- User Finger Size on a Screen
- Screen Orientation (portrait or landscape)
- Finger Movement Type (up, down, move)
- Values from Sensors (Accelerometer, Gyroscope)
- Device Orientation (phone position in terms of angle)
Although these raw data may form a ‘fingerprint’ that could in principle be combined with information about mobile device or browser fingerprinting in order to track individuals, we will never do so.
In addition, we collect ‘housekeeping’ information to assist us in analyzing the fingerprint data. The housekeeping information is:
- Event Timestamp
- User ID
- Android ID
- Mobile Model Name
Our practices and purposes for collecting these housekeeping records are discussed below:
TouchTrack collects a timestamp each time a user performs any gesture. This will be used to measure time-series features, such as stroke time, key hold time, the duration of a swipe, etc.
TouchTrack requests its users to register with a unique username so that their touch information is saved and can be retrieved afterwards. For security purposes, we store a one-way cryptographic hash (SHA1) of usernames in our database. The main purpose of keeping the username is to keep track of game progress so that a user can resume later. Moreover, we also want to determine how often a user's touch behavior changes when the user returns over time. Another temporary purpose is to establish a ground truth for our research and to know how reliable our uniqueness framework is. TouchTrack links the username with the user's touch gestures so that the user can see previous results whenever they log in.
TouchTrack does not log the Android ID, but we do compute a cryptographic hash of each Android ID using SHA1 and store that hash in a database. This hashed Android ID will allow us to collect an anonymous dataset about a user interacting on multiple devices, e.g. a tablet and a mobile phone. We want to study how user behavior changes when users interact on multiple devices. Additionally, we may need to retain this information for situations such as app testing, diagnosis of technical problems, and handling a spike in traffic or other abnormal, short-term circumstances.
Mobile Model Name
We are collecting the mobile model name to validate the study described in the above section. Additionally, we want to check which touch features are offered by different mobiles. This information is very necessary since we need common features that could be collected for every type of mobile device. For example, a few mobile phones have only an accelerometer sensor while others have both an accelerometer and a gyroscope. This information is necessary to collect in order to show consistency among features.
Sharing of TouchTrack data
We will not share the data collected through TouchTrack with any external entities. It will remain within the boundaries of the CSIRO research environment.
Although we make good faith efforts to store information collected by TouchTrack in a secure operating environment, we cannot guarantee complete security. Information collected will be maintained for a length of time appropriate to our needs.