Pocket Security Project – Privacy Policy

The current version of this privacy policy was finalized January 27, 2017.

The Pocket Security project is committed to promoting online privacy and security. This project is funded by the National Science Foundation. Our research focuses on understanding how people use their smartphones in daily life, and how to protect people from criminals who would exploit smartphones.

The following discloses our information gathering and dissemination practices for:

Surveys and Questionnaires

The information collected in our surveys is considered private information and is used solely for purposes of research and education. Our online surveys ask for information about participant demographics, computing platform(s), smartphone usage habits, educational experience, and security values/concerns. This information is collected, stored and used solely for the purpose of research and education. The data collected will similarly be reported in an anonymous manner to help policy makers, practitioners and researchers further the protection of consumer security and improve security practices.

Personally Identifiable Information

The surveys and questionnaires will contain Personally Identifiable Information (PII), such as name, address, email address, birth date, and more. This PII will be combined with questions on mobile device usage, perspectives on security, and MADCAP application information to study patterns in smartphone usage and security-related behaviors.

We only use your PII for our scientific research and to contact you with regard to your voluntary participation in the Pocket Security study. Your PII will not be used for any other purpose. Your PII will never be viewed or transmitted outside the Pocket Security research team. Your PII will never be sold or used for advertising or solicitation.

Cloud storage of survey and questionnaire data

The Pocket Security team uses SurveyMonkey, Inc. to collect some survey and questionnaire data. Data collected via SurveyMonkey is subject to the SurveyMonkey Privacy Policy.

Members of the Pocket Security Research Team download survey and questionnaire data from the SurveyMonkey website over the encrypted HTTPS protocol.

Local storage of survey and questionnaire data

Paper surveys and questionnaires are stored in locked cabinets at the University of Maryland and Fraunhofer USA and are only accessible by Pocket Security team members. Paper copies of surveys and questionnaires may be converted to electronic format by the Pocket Security team.

Pocket Security project team members will analyze electronic survey and questionnaire data on University of Maryland or Fraunhofer USA computers. When at rest, the data is stored on encrypted disks and is only accessible by Pocket Security project team members.

MADCAP Android Application

The MADCAP Android Application collects data about the user’s location, telecommunications usage, and app usage from Android smartphones. The application is available on the Google Play Store for users in the United States. The MADCAP application is intended for use only by participants in the Pocket Security project who have signed the Consent to Participate form and the Terms & Conditions.

Data collected by the MADCAP application

The MADCAP application collects the following data:

  • The user account id of the person currently signed into the phone. Android user ids are linked to your Gmail email address.
  • Time and date information.
  • Device make and model (e.g., Samsung Galaxy S7) and the Android OS version (e.g., API 22 – Nougat).
  • When you make and receive calls, but not who you call or what you say.
  • When you send or receive text or MMS messages, but not who you were texting with or the contents of those texts.
  • Which applications are running on your phone, but not anything about what you are typing or viewing in those applications. For example, we collect that your phone’s Web Browser is running, but we do not collect which pages you visit or what you type.
  • The name of the WiFi network you are connected to, if any.
  • The identifiers of a Bluetooth device, such as an earpiece or speaker, that your phone connects to, if any.
  • Your geographic location as reported by your phone, e.g., via GPS.
  • If your phone’s speaker or headphones are in use, such as when you are playing music or listening to a phone call. We do not record anything about what is playing – only that there is noise coming through the speaker.
  • Some physical activities your phone can sense: if you are moving on foot, on a bike, or in a vehicle. Also, when your phone is still or being tilted around.
  • The amount of charge on your battery and whether your phone is plugged into a power source or not.
  • When your phone is shutting down, in airplane mode, in a screensaver, or when a headset is plugged in or removed.

The user must grant permission for MADCAP to access this information on their Android device before any data is collected.

The user may disable all data collection at any time through the MADCAP application’s main screen.

Personally Identifiable Information

The MADCAP Application does not ask for, collect or store personally-identifying information (PII) about you (e.g. name and address) when you install or use the application. Note that geolocation (e.g., the GPS information collected by MADCAP) combined with other anonymous usage information has been considered as PII in some court cases.

Data storage on your phone

The MADCAP data collected and stored on your phone is protected by the Android system so that it is only accessible by the MADCAP application. Third party applications cannot access your data while on your phone. The data collected by MADCAP cannot be viewed from your phone; however, a count of the total amount of data collected and uploaded is visible. This data is temporarily stored on the phone prior to being automatically uploaded to preserve battery life on the phone.

All MADCAP data is deleted from your phone when you uninstall the MADCAP application.

Transmission of data

The transmission of all data collected by the MADCAP application is encrypted via HTTPS or SSL. The encryption prevents your data from being read as it is transmitted between your phone and the Cloud Data Storage.

Cloud storage of MADCAP data

Data collected by the MADCAP application is transmitted to the Google App Engine and stored in the Google Cloud Data Store. The Google Cloud provides a reliable, robust infrastructure for communicating with your phone. An overview of Google Cloud security measures is available through this website. The data is subsequently read from the Google Cloud Data Store by Pocket Security project team members. Only Pocket Security project team members have access to MADCAP application data in the cloud.

Local storage of MADCAP data

Pocket Security project team members occasionally download and analyze MADCAP application data on University of Maryland or Fraunhofer USA computers. When at rest, the data is stored on encrypted disks and is only accessible by Pocket Security project team members.

Analysis and reporting of MADCAP data

MADCAP application data will be analyzed by members of the Pocket Security project team to study research questions related to smartphone usage and mobile device security. Only aggregated or anonymized results will be published in journals and conferences.

Anonymized MADCAP application data may be disseminated to the research community. Anonymized data will not contain personal identifiers or geolocation data.

We honor valid law enforcement warrants or subpoenas for data.

pocket-security.org website

Personally Identifiable Information

We do not ask for, collect or store personally-identifying information (PII) about you (e.g. name and address) when you visit our website. Should we begin to do any collection or storage of PII in the future, we will inform you of exactly what information we will collect and what we will do with it. For example, although comments are disabled for our blog, if we were to allow them in the future, this privacy policy would be updated to reflect that practice.

IP addresses

We collect and store only the following information about you when you visit our website: the date and time you access our site, and your IP address. We use your IP address to help diagnose problems with our server, and to administer the Web site.

Email addresses

We currently do not collect email addresses through our website, unless you send us email, in which case your email address will be used for our reply. Should we begin to collect email addresses on this site in the future, we will inform you and treat them confidentially. They will not be sold or distributed to other parties nor will they be used for unsolicited mass-mail advertising.

Links to other Sites

This site contains links to other sites. We are not responsible for the privacy practices or the content of such web sites.

Cookies

This website is run using the WordPress blog and content management system. WordPress uses cookies to manage logged-in users and commenters. Our website does not currently allow anyone to register or comment, so the cookies collected by our site only affect Pocket Security project members who have been specifically granted accounts.

Browser information

We use Apache’s combined log configuration to record visits to our server. This includes information on the visitor’s browser and operating system. In addition to the standard log information, we collect referrer information (the web page, if any, the visitor clicked through to arrive at the requested page). More information about this format is available on the Apache documentation site. This information is retained indefinitely for server maintenance purposes.

Web site traffic

Web site traffic is logged, for statistical purposes, only in standard log format. Logged information includes IP addresses and/or domain names, browser and operating system information, and information on the action performed on the web server.

A typical log entry looks like this:

74.6.19.215 - - [24/Jul/2007:10:00:20 -0400] "GET /Workshops/spring2005/spr05_eisenhauer.pdf HTTP/1.0" 404 329 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

Further, we use Google Analytics to analyze traffic to our website for statistical purposes. Data collected via Google Analytics is subject to the Google Privacy Policy. More information on safeguards to Google Analytics data may be found at this website.

We honor valid law enforcement warrants or subpoenas for logs.

Suspicious activity

Logs of suspicious activity and access information may be kept indefinitely for site security purposes. Evidence of attacks or other malicious activity may be shared with law enforcement agencies as necessary to apprehend and prosecute individuals who abuse our resources.

Contacting the web site

If you have any questions about this privacy policy, the practices of this site, or the MADCAP Android Application, please contact:

Madeline Diep
5825 University Research Ct., Suite 1300, College Park, MD 20740
Email: mdiep@cese.fraunhofer.org, Tel: 240-487-2937

David Maimon
2220F LeFrak Hall, 7251 Preinkert Dr. College Park, MD 20742
Email: dmaimon@umd.edu, Tel: 301-405-4699

Policy revision history

  • Original version – January 27, 2017