Newswise — Protecting your identity online has become a virtual arms race. Each day, criminals find cunning new ways to uncover your personal information while websites and security software race to protect your data from unwelcome eyes. One of the best defenses against hackers, however, is avoiding risky behaviors, such as sharing personal information on social media.

A team of researchers from the University of Bath and Lancaster University in England discovered that you also could reveal your identity just from the amount of time you spend using different smartphone apps. These findings have worrying implications for personal security and privacy as algorithms and data-mining tools become more sophisticated.

To explore the hidden risks of seemingly innocuous smartphone use, the researchers fed 4,680 days of app usage data from 780 study participants into specialized computer models. The researchers then tested whether these models could identify an otherwise anonymous person when provided with only one day of their smartphone activity—the amount of time spent on different apps minus any specifics about how they were used.

“Our models, which were trained on only six days of app usage per person, could identify the correct person from a single day of anonymous data about one third of the time,” said David Ellis, a researcher at the University of Bath and coauthor on the paper published in the journal Psychological Science.

That might not sound like much, but when asked to produce a list of the most- to least-likely candidates from among the participants, the models listed the correct user among the top 10 most likely candidates about 75% of the time.

“In practical terms, a law enforcement investigation seeking to identify a criminal’s new phone from knowledge of their historic phone use could reduce a candidate pool of approximately 1,000 phones to 10 phones, with only a 25% risk of missing them,” said Paul Taylor a researcher with Lancaster University and coauthor on the paper.

Consequently, the researchers warn that access to a smartphone’s standard activity logs could make a reasonable prediction about a user’s identity. An identification is possible with no monitoring of conversations or behaviors within apps themselves.

“We found that people exhibited consistent patterns in their application usage behaviors on a day-to-day basis, such as using Facebook the most and the calculator app the least,” said Heather Shaw, a researcher at Lancaster University and lead author on the paper. “In support of this, we also showed that two days of smartphone data from the same person exhibited greater similarity in app usage patterns than two days of data from different people.”

The researchers caution that app-usage data alone, often collected automatically by smartphones, can potentially reveal a person’s identity. While providing new opportunities for law enforcement, this pathway to identification also poses risks to privacy if the data are misused.