* Add user-facing explainer Added a user-facing explainer at the top of the doc as we link to this file from the UI. Moved all content that was already in the doc to below the divider with the heading 'How it works' * Update _docs/app-metrics.md Co-authored-by: Samuel Hawksby-Robinson <samuel@samyoul.com> * Update _docs/app-metrics.md Co-authored-by: Samuel Hawksby-Robinson <samuel@samyoul.com> * Update _docs/app-metrics.md Co-authored-by: Samuel Hawksby-Robinson <samuel@samyoul.com> * More text edits based on comments Session key > Batch ID Regular Chat key > Chat key * Remove spaces * Update app-metrics.md - Remove 'anonymous' claim - Correct that we believe the data cannot be linked back to you * Add criteria to include data in validator rules * Update app-metrics.md * Replace anonymous from intro Removing anonymous reference as discussed on Discord. 'Anonymous' is a claim we logically can't make in spite of best effort and current insights; we are not delivering proof. In addition there is the threat model of a phone ending in the wrong hands with the collected data, albeit temporarily stored locally, falling in the wrong hands. We do want to communicate that the approach is "as privacy preserving as we could possibly make it without it being useless" anonymous > privacy-preserving over Waku > over Status' peer-to-peer network (Waku) * Update app-metrics.md - Add warning at top - Update text at the bottom of 'what will never be shared' - Remove 'Time since last data message sent' - Changed 'Time since last session' to 'Time since last batch sent' @shivekkhurana can you confirm this is accurate? * Update app-metrics.md Replace instance of 'anonymous' in `How it works` with 'end-to-end encrypted' * Update app-metrics.md Added: "Status will never use these data for profit." * Edit to Transmission and deletion Added that data is deleted locally if not transmitted after 7 days @Samyoul can you take a look to see if there are more details to add to this section? * Update app-metrics.md Remove privacy-preserving as claim in intro and end-to-end encryption to reduce perception of privacy * Added info banner Added info note to explicitly state that usage data service is not included in release or nightly builds * Added links to related PRs These PRs include a lot of additional information that will be useful for a future dev, also probably me too. Co-authored-by: Samuel Hawksby-Robinson <samuel@samyoul.com>
6.7 KiB
Status usage data
ℹ️: The release and develop (nightly) version of Status DO NOT collect in-app usage data. A service to do so has been developed and might be used in experimental builds of the app, for testing purposes and with double opt-in only. Any information in this document about data (not) collected and how the service works, only applies if you've deliberately installed an experimental build.
⚠️ We cannot guarantee that there are no ways to de-anonymous usage data you share. If you find yourself at risk if your identity were to be uncovered: don't enable sharing data!
Data is only ever shared if you opt in to doing so, you can review all data before it is sent and it is shared over Status' peer-to-peer network (Waku), just like a 1:1 message.
Sharing data is strictly opt-in, and can be changed at any times in Settings in the app.
What is shared (Opt-in)
Status is an open-source platform. To verify that the app only collects and shares the events and metadata listed below, you can view the rules set to store metrics data in the source code.
- Your interactions with the app like clicks and screenviews
- Background activity and internal processes
- Settings and preferences
In detail this means the app can collect and share:
- Navigation events
- Screens that are navigated to
- Action events (for example button clicks, list swipes, switch toggles, etc)
- The time events are created
- Operating System
- App version
- Batch ID
- Time since last batch sent
For any data to be collected and shared, it needs to meet the rules set in the validator script. By policy of Status' Core Contributors, rules set in the validator script need to be assessed as posing a non-existent to low threat by being in:
- local storage over time
- aggregated storage from Status over time
What will never be shared
No data will be shared unless you opt-in. Furthermore, Status commits to never collect identifiable data in its broadest sense. This means that we will never collect anything that we believe can be linked back to you. Including but not limited to:
- IP addresses
- Random name
- Chat key
- Public Ethereum addresses
- Account balance(s)
- Account history
- ENS name
- Input field entries (browser address bar, chat key/ENS entry)
- Any content you generate (images, messages, profile picture)
- Contacts or other (favorite) lists (wallet and browser favorites)
- Chat, group, community memberships
The above data can technically be logged, stored and shared. In order to verify that this does not happen, view the rules defined to store metrics data in the source code.
Moreover, while we made a best effort to make data collection as privacy-preserving as possible, we cannot guarantee that there are no ways to de-anonymous collected data. If you find yourself at risk if your identity were to be uncovered: don't enable sharing data.
Purpose of the data
Aggregated data is used to inform product development. Given our principles, the type of data that is collected and its rudimentary nature, there is no incentive for Status or other parties to use the data for any other purpose. Status will never use these data for profit.
Viewing the data
As of writing, we plan to make a Dashboard that shows the aggregated data public; Similar to metrics.status.im. As soon as this Dashboard is available we will provide a link here. The data that is stored on your device and shared can be viewed through the interface of the app.
How it works
appmetrics
is a way to capture and transfer app usage data, end-to-end encrypted over Waku to a Status managed key.
History
To learn more about the history, background and debates around this feature, refer to this detailed note: https://notes.status.im/anonymous-metrics
Implementation
On the Go side, the metrics system is just a table, which can store predefined events and the their values, along with metadata like create time, app version and operating system. The collected data will never contain any personally identifiable information like three letter public name or the public wallet address. There is a validation layer that ensures (to some extent) that developers don't capture sensitive data by mistake.
Opt-in system
These data points are saved in the local sqlite database, and are not transferred to our servers until the user opts-in to share metrics. If the user opts-out, we stop capturing data.
Validation and audit
The interesting bit is the validation process, which serves two purposes:
- validates the metric before saving it to local db: ensures that we don't capture any sensitive information
- acts as an audit layer: anyone who wishes to check the kind of data being captured, can do so by auditing just one file: https://github.com/status-im/status-go/blob/develop/appmetrics/validators.go
Transmission and deletion
Transmission happens over Waku, and as of now, all data is deleted locally after transmission, however (in the future) we might want to keep a copy of the data locally. If a batch is not transmitted within 7 days, data is deleted locally.
Events
Event | Value | Description |
---|---|---|
navigate-to | {:view_id: "", :params {:screen ""}} | The user navigated to one of the screens. If the view_id has a _stack suffix, it could signify a top level tab. |
screens/on-will-focus | {:view_id: "", :params {:screen ""}} | The user navigated to a top level tab. |
Related PRs
status-go
- #2170 - 🎭 📊 Anonymous Metrics V0
- #2195 - Added Anonymous Metrics Send Opt-In Setting
- #2198 - Anon Metrics Broadcast