Tips for Interpreting Activity Records
This article focuses on understanding questionable activity in alerts, but these tips can also be helpful for interpreting any type of activity records! ✅
Accountable2You is designed to create alerts whenever questionable activity is detected on a device that is being monitored. (Learn more about our alerts here.)
Whenever you receive an alert (which comes in the form of an email or text message), that alert represents a single record in the Detailed Activity Report that was marked by our system as either questionable (yellow alert) or highly questionable (red alert).
False alerts
Software is not perfect, and it is possible that a "false alert" will appear on your Accountable2You reports from time to time.
There are a few things that could cause a false alert, and it's typically because our monitoring app sees background activity from a website that was being viewed, or from another app that was running in the background. (It's helpful to note that iOS devices are more prone to this because of the technology we use to monitor those devices. Click here to learn more about common false alerts on iOS.)
Accessing the Detailed Activity Report
The first step in determining if an alert was correctly triggered is by looking at the context surrounding the alert in the Detailed Activity Report. Simply follow the steps in this article to access the Detailed Activity Report.
To view the Detailed Activity Report, you'll need to be a partner for a device user and set up to receive Email Summary Reports or you'll need to be an account owner. Account owners can always view their own reports. (Learn more about setting up partners.)
Understanding the Detailed Activity Report
The Detailed Activity Report shows device activity as individual line items called "activity records."
Each activity record typically represents a distinct action taken or an object on the screen (buttons, webpage titles, etc.), and can be marked by our system as "non-objectionable" (green), "questionable" (yellow), or "highly questionable" (red), depending on the content of that record.
Here's an example of some activity records in a Detailed Activity Report:
When trying to determine what caused an alert, it's helpful to look at the alert in context. As you look at the activity records surrounding an alert, there are 3 main factors to consider.
1) Timestamps
When you look at the time shown for each activity record (the timestamp), it's helpful to think about whether you would expect the activity on the report to happen at the rate the timestamps indicate.
For example, in the screenshot above, you can see several activity records with a timestamp showing 11:01:44 pm. When this happens, it typically doesn't indicate that someone was taking separate actions (taps or clicks) on the device in rapid succession. Instead, it likely indicates that the activity records were generated based on background activity that our monitoring app saw happening on the device (advertisements on a website, other apps running in the background, etc.). Even if the background activity contains questionable content, it doesn't necessarily mean that the device user intended to load that content.
2) Content of the activity records
When reviewing activity records that surround an alert, another helpful thing to consider is, "Does the activity before and after the alert appear to be related to the alert itself?"
Oftentimes, when our monitoring app triggers an alert for background activity on the device, you can tell from the surrounding activity records that the device user was performing a task that was unrelated to the alert that appeared.
In the screenshot above, there are a few activity records indicating that someone was searching for a waterfall noise machine. After typing their search, they played a YouTube video with waterfall noises. Next, we see a red alert, followed by some seemingly random activity.
The sudden change of topic from looking for waterfall sounds to random activity (travel websites, an email marketing website, and a cryptocurrency website), would indicate that this may not have been intentional user activity.
3) App name
Just as it's helpful to consider the content of each activity record, it's also helpful to look at the app name listed for each record.
Sometimes, when our monitoring app captures background or other activity that the device user didn't initiate, the app name column will show a different name from what the user was actually using.
In the screenshot above, you can see that the device user was in the Safari app. When the highly questionable activity appeared (and the random background activity afterward), the app name changed from Safari to Mozilla. In this example, the Mozilla app was never actually in use.
Conclusion
Based on these three factors (timestamps, content of the activity records, and the app name), we can see that the alert in the screenshot above was likely not indicating actual questionable material being accessed by the device user.
If real questionable material had been accessed, the timestamps would likely have reflected human browsing speed (one record at a time, not all at once), the records surrounding the alerts would likely have been related contextually, and the app name would have likely stayed the same.
While the activity reports are a helpful tool, they're just a starting point for understanding what happened on a device. We always recommend having a constructive conversation with the device user to get more clarity. We believe accountability is all about the conversation!