Proceedings on Privacy Enhancing Technologies ; 2020 (3):384–403
Camille Cobb*, Lucy Simko, Tadayoshi Kohno, and Alexis Hiniker A Privacy-Focused Systematic Analysis of Online Status Indicators
Abstract: Online status indicators (or OSIs, i.e., inter- face elements that communicate whether a user is on- line) can leak potentially sensitive information about users. In this work, we analyze 184 mobile applications to systematically characterize the existing design space of OSIs. We identified 40 apps with OSIs across a vari- ety of genres and conducted a design review of the OSIs in each, examining both Android and iOS versions of these apps. We found that OSI design decisions clus- tered into four major categories, namely: appearance, audience, settings, and fidelity to actual user behavior. Less than half of these apps allow users change the de- Fig. 1. OSIs can contain one or more abstract components: an fault settings for OSIs. Informed by our findings, we icon, text, and other contextual cues. Each component can as- sume a specific color, relative location, and/or location within the discuss: 1) how these design choices support adversar- app. ial behavior, 2) design guidelines for creating consistent, privacy-conscious OSIs, and 3) a set of novel design con- cepts for building future tools to augment users’ ability 1 Introduction to control and understand the presence information they broadcast. By connecting the common design patterns Online Status Indicators (OSIs) are user interface we document to prior work on privacy in social tech- (UI) elements that automatically broadcast information nologies, we contribute an empirical understanding of about when a user comes online or goes offline. When an the systematic ways in which OSIs can make users more OSI shows that a user is actively engaging with an app, or less vulnerable to unwanted information disclosure. it signals to others that the user is potentially available Keywords: Online Status Indicators, Usability, Mobile for conversation, multi-player gaming, and other social Ecosystem, Design, Information Leakage, Privacy interactions. When an OSI shows that a user is offline, it indicates that the user may be unlikely to respond DOI 10.2478/popets-2020-0057 quickly or unavailable to connect. Although these uses Received 2019-11-30; revised 2020-03-15; accepted 2020-03-16. of OSIs can improve a user’s experience, prior work has found that OSIs can leak sensitive information [10] such as sleep-wake routines, workplace distraction, conver- sational partners, and deviations from daily schedules. These privacy concerns may be especially pronounced for people in vulnerable circumstances, such as those ex- periencing intimate partner violence, a devastating and widespread problem [29]. Despite the fact that OSIs are known to have prob- *Corresponding Author: Camille Cobb: Carnegie Mellon lematic consequences for users, we currently lack a ro- University, E-mail: [email protected]. Part of this work was done while the author was at the University of Washing- bust understanding of how and when OSIs project sen- ton. sitive information. To what extent are OSIs present in Lucy Simko: University of Washington, E-mail: popular apps and across app genres? How might their [email protected] design and implementation affect the inferences that an Tadayoshi Kohno: University of Washington, E-mail: observer can draw about a user’s activities? In what [email protected] Alexis Hiniker: University of Washington, E-mail: alex- ways and to what extent can users anticipate and con- [email protected] trol the information their OSIs broadcast? A Privacy-Focused Systematic Analysis of Online Status Indicators 385
Scoped investigations of specific OSIs hint that the OSIs. In 2000, Nardi et al. studied 20 people’s use of answers to these questions, in certain contexts, may be Instant Messenger (IM) at work [28]. They identified quite troubling in terms of under-explored risks to users. “awareness information about the presence of others” OSIs in WhatsApp can reveal how late a person stays as a key IM feature (i.e., an early implementation of at a party or who is talking to whom [10], and perpe- OSIs that indicated when someone was logged into a trators of intimate partner violence have used OSIs to service like AOL Instant Messenger (AIM)). In their track their victims [19]. To date, prior work has inves- investigation of the benefits that IM can provide in the tigated these questions in one-off contexts but has not workplace, the authors found that presence informa- documented the extent to which these trends are per- tion made it easier for users to “negotiate availability” vasive. than did email or face-to-face conversations. That is, To understand how these risks manifest systemat- presence information let users assess whether it was ically and at scale, we examine OSIs across the mobile a good time to contact someone and also allowed the app ecosystem. Building on prior work that surfaces recipients to choose a good time to respond. The au- problems of broad social significance by holistically an- thors recommended that presence indicators provide alyzing the mobile app marketplace [11, 27, 31], we seek less “awareness information” to give message recipients to: 1) characterize the common ways in which OSIs are plausible deniability as to whether they were actually designed, and 2) draw on these design themes to assess online, which participants cited as a useful characteristic the common privacy risks that OSIs pose to users. To of OSIs in AIM. these ends, we conducted a systematic analysis of 184 A broad body of follow-on work explored the pos- mobile apps, chosen to include popular apps from a var- sibilities of using “awareness” to improve online con- ied genres, and a structured design review of a subset versation and collaboration. For example, by making of 40 apps that use OSIs. We found that OSI design availability information and new messages only periph- decisions clustered into subcategories within each of erally noticeable, IM conversations may become less four different dimensions: appearance, audience, set- distracting when users are busy [3, 12]. Other work tings, and connection to ground-truth user behaviors. proposed to help users navigate online conversations by We evaluated the OSIs of all 40 apps against this taxon- incorporating data sources such as their online calendar omy and differentiated these common design decisions and physical sensors to show and/or predict availability according to their likelihood of affecting users’ privacy. (or lack thereof) rather than mere presence [5, 21, 22]. OSIs are pervasive and valuable components of mo- Protocols such as XMPP [34] were developed to create bile apps, and quick-glance awareness of others’ online a unified instant messaging experience (including OSIs) status has become a standard feature that users have across multiple services. Although such protocols may come to expect and rely on. Thus, discarding or avoiding be utilized for server-side implementation of OSIs, our OSIs due to potential privacy risks is not only imprac- work presents a client-side understanding. tical but at odds with the known value these features We use this prior work to inform our understanding offer to users [28]. Instead, we seek to define with pre- of the aspects that OSI designers and researchers have cision the risks that OSIs pose and identify the design previously emphasized based on enhancing the poten- mechanisms that act as vehicles for these risks. In doing tially beneficial uses of OSIs. This allows us to take a so, we characterize the landscape of current OSI design, more nuanced view of OSIs in order to draw attention to and we contribute design guidance for evolving OSIs the tradeoffs between privacy and these other benefits to optimize for both protecting users’ privacy and si- rather than only identifying how OSIs could compro- multaneously preserving the value that users reap from mise privacy. sharing presence information with others.
2.2 Privacy Risks of OSIs 2 Related Work Many studies have found that tracking OSI information (e.g., collecting data about what apps someone uses, 2.1 Understanding OSIs for how long, and patterns of usage) can be used to infer substantially more about a user’s real-world and A substantial amount of research, going back many online activity [6, 8, 10, 13]. For example, Buchenscheit years, has explored features that we would refer to as et al. collected online status information for groups A Privacy-Focused Systematic Analysis of Online Status Indicators 386 of friends using WhatsApp. They found that online 2.3 Systematic Analyses of Technical status can reveal the time people awaken or go to bed, Design Spaces their typical schedules, whether they deviate from those schedules, if they are using apps while at work, and, in In generating a taxonomy of OSI design implementa- some cases, which people within a group are convers- tions, we drew inspiration from previous Systematiza- ing privately [10]. The authors report that participants tion of Knowledge papers, for example, those related discussed using OSIs to actively monitor or make in- to home IOT security, secure messaging tools, and pro- ferences about their friends’ behaviors, e.g. registering posed alternatives to passwords [1, 9, 33]. In these stud- surprise about how late a friend stayed at a party. Fur- ies, the authors simplified a complex design space by ther, the authors discuss potential contexts in which identifying a small set of axes or categories along which a information leaked via OSIs could be highly sensitive, topic could be evaluated. For example, to evaluate pass- for example, when used for surveillance in relation- word alternatives, Bonneau et al. identified 25 specific ships with power imbalances (e.g., abusive romantic benefits that passwords offer, such as a negligible cost to relationships) or by employers to monitor and predict users, and categorized them into usability, deployability, employees’ work performance. and security benefits [9]. These studies demonstrate how Do et al. found that the app(s) someone is us- a systematized analysis can identify patterns, find gaps ing are predictive of a person’s physical location, and in literature or design exploration, and scaffold analysis vice versa [13], indicating that the presence information of emerging ideas or implementations in their respective conveyed by an OSI has the potential to reveal other domains. sensitive details about an individual. Böhmer and col- Other work has systematically reviewed mobile app leagues, among others, further studied these and other ecosystems to better characterize the holistic state of patterns of app use and proposed leveraging them to these collective offerings. For example, Ross et al. eval- create tools that offer just-in-time app suggestions to uated the accessibility of mobile apps by conducting a users [8]. Wide-scale deployment of such tools in con- review of 100 popular apps, finding that 100% had at junction with existing OSIs could exacerbate a hypo- least one of nine major accessibility flaws [31]. The au- thetical adversary’s ability to infer where someone is thors framed this approach through an epidemiological located based on the app they are using. lens, likening accessibility flaws to “diseases” and us- Additional relevant concerns have also emerged in ing their analysis to evaluate the overall “health” (with work whose focus was on topics or contexts besides on- respect to accessibility) of the app marketplace. line status. For example, Hancock et al. studied lies Similarly, Callaghan and colleagues conducted a re- people tell online, in particular, “butler lies,” which are view of iOS and Android apps that claim to be educa- frequently used to gracefully exit a conversation (e.g., tional for young children [11]. Despite the apps’ mar- “Sorry, I’ve got to go to sleep now.”) [20]. They hypoth- keting claims, the authors found that very few of the esized that since users typically tell butler lies to end apps used evidence-based best practices that were con- a conversation, they might have preferred to avoid the ducive to learning, and most were unlikely to offer the conversation altogether; they recommend that apps let educational benefits promised. users determine whether specific contacts are able to see In other work, Meyer et al. reviewed 135 apps for their online status. Several studies by Freed et al. found children and report on a thematic analysis of the ways that easily accessible information on phones and in apps in which apps embed advertisements [27], such as com- was leveraged by abusive partners [14, 15, 26]. Though mercialized characters, camouflaged game items, banner they did not mention abuse of OSIs specifically, vic- ads, and videos gating new game levels. In these and tims and survivors of domestic abuse might experience other investigations, researchers have broadly captured heightened privacy risks due to their partners’ observa- themes in the technical decisions and design choices tions of their OSIs. In fact, one research study with a that app developers are making across offerings. In do- tangential focus did document an intimate partner vio- ing so, they have distilled implications of broad social lence survivor’s concerns about OSIs [19]. In this work, relevance, such as the accessibility of apps for disabled we document the common themes in the design of cur- users, the educational value of mobile experiences, or rent OSIs to provide an empirical base for evaluating the potential mechanisms by which children could be the privacy risks apps create by adding this feature. exploited by advertisements. Similarly, by holistically characterizing how mobile app developers currently con- A Privacy-Focused Systematic Analysis of Online Status Indicators 387 struct OSIs, we seek to illuminate thematic ways in which these interface elements might pose privacy risks.
3 Methodology
To create a taxonomy of OSIs, we first needed to iden- tify a set of apps to evaluate. We identified 184 apps, 40 of which ended up having OSIs. Then, we applied an iterative analysis process to explore OSI design pat- terns in these 40 apps. This iterative process resulted in a rigorous set of analysis steps for each app, as shown in Figure 2 and described in Section 3.3. Primary analysis occurred between June 4 and September 14, 2018, and focused on Android apps. A secondary analysis, focused on iOS apps, occurred in November 2019. The scope of our observation was limited to smartphone apps. Note that the implementation of OSIs in mobile apps may Fig. 2. Workflow for systematically analyzing OSI design patterns. differ for desktop or browser-based versions of the same app. Additionally, since app companies may at any time of popular apps, rather than to simply reach conclu- be A/B testing their products, exact behaviors or inter- sions about OSIs in popular apps, we used the following faces we observed in an app may not represent what all diverse criteria to identify popular apps, with an inten- users would have seen during the study period. tional bias toward ones that we expected were likely to While we considered automated analysis processes, have OSIs: such as analyzing the client-side app code, we quickly – Top-rated apps in general: We included the top 50 determined that critical aspects of OSIs can be observed free apps from the Google Play Store as of June 4, only via real-time interactions between multiple user 2018, as archived on App Annie [2]. accounts. Such interactivity cannot be completely cap- – Top-rated apps by category: We also included the 5 tured in client-side code. Additionally, automated analy- top-rated free apps in each of 13 categories and the sis is well-suited for observing known patterns; however, top 10 free apps in the “social” category as of June our study goal was to identify previously unknown as- 4, 2018, as archived on App Annie (for the Google pects of OSIs. Thus, we used a manual analysis process, Play Store [17]). which, although cumbersome, allowed us to incorporate – Novice users’ app suggestions: We showed 50 novice several aspects of OSIs into our taxonomy that we would users on Mechanical Turk a screenshot of OSIs from not have considered if we had been automating the app the browser version of Facebook and asked them to analysis process. Future work could automate observa- name 3 apps or services “that you know or believe to tions of OSIs using the taxonomy we present, in order to have online status indicators” and 5 apps or services observe a substantially larger set of apps or collect lon- “that you think might have online status indicators.” gitudinal data about changes to OSI designs, but these We included 40 apps suggested by these users that questions were beyond the scope of this work. we could find in the Google Play Store. – App usage patterns: We contacted the authors of a prior work [24], who shared data from 45 partici- 3.1 Identifying Apps for Analysis pants’ phone usage behaviors, including which apps participants had used during a two-week period. Our goal was to comprehensively explore OSI design We included the 48 apps used by at least 10% of patterns for a set of apps representing a broad set of participants. app genres and target users. However, the limitation of – Expert users’ app suggestions: Finally, we included manual analysis required that we choose a manageable 27 additional apps based on recommendations from number of apps for analysis. Because we sought to gen- expert users, including ourselves. For example, erate a rich taxonomy of OSI designs across a variety our expertise was informed by conversations with A Privacy-Focused Systematic Analysis of Online Status Indicators 388
teenagers at a university-sponsored CS outreach 3.3 Final App Analysis event separate from this study, who told us about the app Yubo. Through a discussion guided by both coders’ open notes, In total, we identified 184 apps for analysis, listed in the research team generated specific themes related to Appendix A. the scope, audience, settings, appearance, and how long it takes before users appear to be online/offline after opening/closing an app. A final round of analysis was 3.2 Initial Analysis and Reliability Coding performed on the 40 apps with OSI settings. Coders were unable to directly observe OSIs on Android in Steam Initial questions for first-round coding of all 184 apps, and CoffeeMeetsBagel because doing so required paid conducted by a single researcher, were: (Q1 ) Does this accounts. The primary coder conducted a final round of app have any social features? (Q2 ) Does this app have analysis based on these themes using two factory-reset OSIs? (Q3 ) If the app has OSIs, can they be turned Android phones with new SIM cards and the following off? The researcher took notes of additional observa- systematic analysis protocol: tions. Although all 184 apps were free to download, some 1. Create Facebook accounts on both phones but do required a paid account or special credentials to use. not connect them as friends. Some apps let users To explore OSIs despite this limitation, the researcher access substantial amounts of functionality without based this first round of analysis on information avail- creating accounts. For example, many Waze users able in the Google Play Store or from online searches may not realize that it is even possible to create an for 16 apps. For 13 apps, the researcher used a personal account because their main reasons for app usage account and/or device for analysis. (i.e., getting directions) can be accomplished with- A second coder independently analyzed Q1, Q2, out doing so. Our OSI observations were made as- and Q3 for 32 apps chosen by the primary coder (i.e., suming that users did create accounts, and we did 9 apps with varied implementations of OSIs and 23 not classify the extent to which each app could be apps without OSIs). For those with OSIs, the second used without one. coder additionally recorded the default audience and 2. Observe default settings for all Facebook apps settings for OSIs (if applicable) and took open notes (Facebook, Messenger, Facebook Lite, Messenger about other OSI details. Researchers were in agreement Lite, Messenger Kids). about Q2 except for one app, which only the primary 3. Conduct app analysis for other apps using the coder identified as having OSIs. Excluding this app, canonical workflow for analyzing a single “typical” coders found the same results regarding the ability to app shown in Figure 2, signing in through Facebook change app settings for OSIs (Q3 ). Coder agreement only when needed. provided confidence that OSIs or OSI settings were not 4. Finish app analysis for Facebook apps. overlooked in any apps (i.e., no false negatives). 5. For some apps, we could not connect accounts with- Coders disagreed about whether 4 apps had social out the accounts being Facebook friends. In this features (Q1 ); although this was not the study’s main case, we observed default settings in those apps at focus, disagreement was resolved by refining our work- step (3) and then finished analyzing them as the ing definition of “social features” as being between two final step. user accounts (e.g., excluding Hulu and Netflix, where This protocol was designed to account for ordering ef- multiple users log in with the same credentials), exclud- fects observed in initial app analysis. For example, we ing users with special permissions or privileges (e.g., wanted to observe how (or if) an OSI appears to an un- ABCMouse.com, an educational app, lets parents mon- connected user in each app. Because friends are consis- itor their children’s progress, but we do not consider tent across Facebook apps and some apps automatically this a social feature since parents have special privileges sync friends from Facebook if users sign in to these apps within the app); and excluding features that let users through Facebook, it was important for these apps to send “invite codes” or share updates outside of the app be analyzed before connecting the accounts as friends (e.g., via a link). on Facebook. Using new phones and accounts and this systematic process let us carefully observe default app settings. Additionally, some aspects of OSIs must be ob- served at a specific phase in the connection of users (e.g., if OSIs are visible to either user once a friend request A Privacy-Focused Systematic Analysis of Online Status Indicators 389 or initial message has been sent but before it has been ble, screenshots were edited to replace identifying infor- accepted or reciprocated). mation from real users with generic profile photos and To account for natural variance in measurement of generic user information. time to come online or go offline (Action 10 in Figure 2), Of the 184 apps we analyzed, 116 had social features we measured timing information while phones were on (defined in Section 3 and shown in black, red, or blue in the same wifi network, and we reported timing in coarse- the table in Appendix A). Of these 116, 40 had OSIs. grained buckets. There is substantial nuance in how we Through our systematic technical review, we clustered measured the time for users to appear as online or of- the thematic features of these 40 apps (see Table 1). In fline. Taking an adversarial mindset, we measured the this section, we describe these themes — including ap- approximate granularity with which a focused but not pearance, audience, settings, and connection to ground- technically savvy adversary could track another user’s truth behaviors. In Section 5, we return to these themes, online status. Thus, the “shortest time” measurement considering them from a privacy threat-modelling per- in Figure 2 denotes that if the adversary could reliably spective, but this section seeks only to describe the find- reduce the time it takes to see an updated OSI by re- ings of our analysis. peatedly refreshing the page or closing and reopening the app, we did perform those actions. For most apps, we conducted 5 to 10 timing measurements while vary- 4.1 Terminology ing how the observed user exited the app (e.g., turning off the phone, going back to the home screen, “hard Prior work used a variety of terms—such as “online quitting the app,” or opening a different app); however, status,” “active/activity status,” “presence,” “availabil- we collected fewer and less precise measurements for ity,” or “last seen”—to describe what we refer to as an apps with a time-to-offline that exceeded one hour. We OSI; some apps did not explicitly name the feature at did not collect timing measurements for apps where we all. Here, we condense this breadth, and we define the could not view other research account profiles (i.e., in term Online Status Indicator (OSI) to be any feature dating apps, where users are randomly shown profiles that: (1) is intended to reveal to a user whether another of other users, and on OfferUp) or for MyFitnessPal user is or was recently online (i.e., accessing an app, because it took too long for users to appear as offline. service, or specific space/content within the app), and Design Alignment between Android and iOS. (2) passively updates, without deliberate action by the To determine whether the characterizations we made user, as they come online and go offline. OSIs across were specific to the Android ecosystem or extended to apps reflect users’ behavior with a wide range of accu- other platforms, we analyzed the iOS version of the same racy and precision, but this does not affect whether we 40 apps with OSIs. To conduct this comparative analy- included these OSIs in our analysis. sis, we: For the remainder of this section, we refer to both 1. Confirmed whether the original description of OSI online status and online status indicators (OSIs). We appearance and scope matched the original analysis use these terms in subtly different ways. An OSI refers (the UI need not match in every way). to a visual element that indicates whether someone is 2. Confirmed whether the OSI of another user who was online. Online status is the value that this indicator has not yet a contact or connection could be seen. or the information that the indicator conveys (online or 3. Confirmed whether OSI settings functioned as in offline), which may or may not match the user’s cur- the original analysis. rent behavior. For instance, it may take a considerable As reported below, we encountered only minor differ- amount of time for an app to reflect that someone has ences in the design of OSIs on iOS versus Android. Thus, stopped using it, in which case the OSI might show the in our results we report on the original Android analy- user’s status as online although they are not. In some sis, and we note differences between iOS and Android apps, users can permanently set their online status to in Table 1 and 2 and Section 4.6. offline but continue to use the app. In this case, their online status is offline even when they are actually on- line. When referring to actual behavior, we use longer 4 Results phrases, such as “whether the user is online” or “that the user is active.” We now describe the design space of OSIs and the In apps that include configurable settings for OSIs, prevalence of common design patterns. Where applica- we generally refer to the OSI as being “on” or “off” de- A Privacy-Focused Systematic Analysis of Online Status Indicators 390