Are You Ready to Lock? Understanding User Motivations for Smartphone Locking Behaviors

Serge Egelman 1,2, Sakshi Jain 1, Rebecca S. Portnoff 1, Kerwell Liao 3, Sunny Consolvo 3, and David Wagner 1

1 University of California, Berkeley, Berkeley, CA
{egelman,sakshi.jain,rpotteng,daw}@eecs.berkeley.edu
2 International Computer Science Institute, Berkeley, CA
egelman@icsi.berkeley.edu
3 Google, Inc., Mountain View, CA
{kerwell,sconsolvo}@google.com

ABSTRACT

In addition to storing a plethora of sensitive personal and work information, smartphones also store sensor data about users and their daily activities. In order to understand users’ behaviors and attitudes towards the security of their smartphone data, we conducted 28 qualitative interviews. We examined why users choose (or choose not) to employ locking mechanisms (e.g., PINs) and their perceptions and awareness about the sensitivity of the data stored on their devices. We performed two additional online experiments to quantify our interview results and the extent to which sensitive data could be found in a user’s smartphone-accessible email archive. We observed a strong correlation between use of security features and risk perceptions, which indicates rational behavior. However, we also observed that most users likely underestimate the extent to which data stored on their smartphones pervades their identities, online and offline.

Keywords

Smartphone security; risk perceptions; human behavior

Categories and Subject Descriptors

D.4.6. [Operating Systems]: Security and Protection—Access Controls, Authentication; K.6.5. [Management of Computing and Information Systems]: Security and protection—Authentication

1. INTRODUCTION

As of 2013, over 90% of Americans claimed to own mobile phones, the majority of whom use their devices to access the Internet, check email, or use third party applications [15].
This means that they trust their devices to store and access large amounts of sensitive data, ranging from contacts to financial details (indeed 35% use their devices for online banking [17]). At the same time, these devices are prone to loss: a 2012 report by the Pew Internet Project estimated that nearly a third of cell phone users have had a device lost or stolen [8]. Lookout estimates that this comes at a cost of $30 billion per year [26].

The cost of losing a smartphone is more than simply the replacement cost of the hardware, as the data that can be found on the device is likely to be sensitive. Symantec performed an experiment by intentionally “losing” 50 smartphones in five major cities and observed that while 96% of the devices had their data examined by those who found them, only 50% of the finders attempted to return the devices [39]. Yet, despite these risks, previous research suggests that 35% of smartphone users do not lock their devices to prevent unauthorized persons from using them [36].

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA.
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-2957-6/14/11 ...$15.00.
http://dx.doi.org/10.1145/2660267.2660273.

We performed qualitative interviews to understand users’ motivations for choosing whether or not to lock their devices.
Of our 28 participants, we observed that 29% (8 of 28) did not lock their devices. Their top reasons included concerns about emergency personnel not being able to identify them, not having their devices returned if lost, and not believing they had any data worth protecting. An online survey of 2,518 smartphone users corroborated our findings. We suggest that many concerns that prevent users from locking their phones can be alleviated by simple design changes.

Finally, we performed an online experiment to evaluate whether participants’ beliefs about the lack of sensitive data on their devices were well-founded. We noted that all of our interview participants used their devices to access their email accounts, without requiring additional authentication. In our online experiment, we found that of our 995 participants, many reported finding their social security numbers (20%), credit/debit card numbers (16 and 17%, respectively), bank account numbers (26%), birth dates (46%), email passwords (30%), and/or home addresses (76%) stored in their email accounts. Yet the presence of this data correlated with locking behaviors, which suggests that some users may be making rational decisions to not lock their devices.

We contribute the following:

• We qualitatively show why users choose or choose not to lock their smartphones and quantify the prevalence of these rationales among the smartphone-owning U.S. population.
• We discuss how these findings can be used to improve mobile security and the user experience.
• Our studies suggest that access to email is a seriously underestimated threat to personal information. We attempt to quantify the likelihood of finding different types of sensitive information in an email account.