TouchTrack Privacy Policy

The goal of this project is to measure and study the uniqueness of touch-based behavioral biometric of a mobile device user. We are committed to protect the privacy of users of TouchTrack. All of the data for the project will be collected in an anonymized form which ensures that it is not Personally Identifiable Information, nor otherwise likely to lead to the exploitation of user identities.

We have established this TouchTrack Privacy Policy to explain what information we collect through the mobile app and how it is used. In this policy, “we” refers to the TouchTrack Team, i.e. Principal Investigator, Co-Investigator, Researchers, Interns, Developers, all of whom are bound by law or contract to keep information they receive as confidential.

Information Gathered by TouchTrack Mobile App

In general, TouchTrack collects anonymous raw data against four types of touch gestures i.e. swipes (left, right, up, down), tap, keystrokes, and handwriting. We use the term “raw data” for the touch data that is collected directly through Android API. This raw data, corresponding to each gestures, is collected when you play games provided in an app. The games (2048, Lexica, Logo Maniac) are very widely known and universally popular.

When you interact with a mobile device while playing games, our app collects raw data and sends it to a server, located in the networks group of data61-CSIRO (over HTTPS), for estimating a user uniqueness. When a user taps on “Results” button, the server processes the raw data to calculate uniqueness value and sends results back to the app for display.

The specific list of raw features we collect includes:

Screen Coordinates (i.e. X & Y positions)
User Finger Pressure on a Screen
User Finger Size on a Screen
Screen Orientation (portrait or landscape)
Finger Movement Type (up, down, move)
Values from Sensors (Accelerometer, Gyroscope)
Device Orientation (phone position in terms of angle)

Although these raw data may form a `fingerprint’ that could in principle be combined with information about mobile device or browser fingerprinting in order to track individuals, We will never do so.

In addition, we collect `housekeeping’ information to assist us in analyzing the fingerprint data. The housekeeping information is:

Event Timestamp
User ID
Android ID
Mobile Model Name

Our practices and purposes for collecting these housekeeping records are discussed below:

Event Timestamp

TouchTrack collects a timestamp each time a user performs any gesture. This will be used to measure time-series features, such as stroke time, key hold time, duration of performing a swipe etc.

User ID

TouchTrack requests its users to register with a unique username so that their touch information is saved and retrieved afterwards. For security purposes, we are storing one-way cryptographic hash (SHA1) of usernames in our database. The main purpose of keeping username is to keep track of game progress such that a user can resume again. Moreover, we also want to determine how often user touch behavior change, when a user returns over time. Another temporary purpose is to establish a ground truth for our research and to know how reliable our uniqueness framework is. TouchTrack links the username with his/her touch gestures such that a user can see previous results, whenever a user logs in.

Android ID

TouchTrack does not log Android ID, but we do compute cryptographic hash of each Android ID, using SHA1 and storing that hash in a database. This hashed Android ID will allow us to collect an anonymous dataset about a user interacting on multiple devices e.g. tablet and a mobile phone. We actually want to study how user behavior changes when they interact on multiple devices. Additionally, we may need to retain this information for situations such as app testing, diagnosis of technical problems, and handling a spike in traffic or other abnormal, short-term circumstances.

Mobile Model Name

We are collecting mobile model name to validate the study described in the above section. Additionally, we want to check what touch features are offered by different mobiles. This information is very necessary since we need common features that could be collected for every type of mobile device. For-example, few mobile phones have only accelerometer sensor while others have both accelerometer and gyroscope. This information is necessary to collect in order to show consistency among features.

Sharing of TouchTrack data

We will not share the data collected through TouchTrack with any external entities. It will remain within the boundaries of CSIRO research environment.

Security

Although we make good faith efforts to store information collected by TouchTrack in a secure operating environment, we cannot guarantee complete security. Information collected will be maintained for a length of time appropriate to our needs.

To learn more about TouchTrack Privacy Policy, please visit this link.

Should you have any questions about this privacy policy or any use of the data collected, please contact us here.