Can your digital fingerprints be traced just by the way you type? The answer may surprise — and scare — you. Researchers at the GREYC research lab have created a behavioral profiling technique that identifies who you are just by your own keystroke habits.
Also Read: Using Backdoors for Government Surveillance is “A Stupid Idea”
When it comes to typing, we all do it a little differently. This is obvious just by looking at a person’s typing speed or how they position their hands on the keyboard. Less obvious differences are the amount of time a person presses down on a particular key and the gap time — how long it takes to move from one keystroke to the next.
The profiling technique collects this type of seemingly benign data. It uses a profiling app or JavaScript to collect the keystrokes you use when entering data into a website. This could include log-in information such as usernames and passwords.
Behavioral profiling and behavioral biometrics are closely linked. Behavioral profiling as it applies to the online world, involves tracking and analyzing user behavior. Behavioral biometrics is “the process of identifying a user based on the subtle nuances in their voice, typing patterns, facial features and location.”
Tor Users Are Not Bullet-proof
Those who are concerned with their anonymity online may find this profiling technology rather alarming. Even Tor users may not be as safe as they think. Former Tor developer and independent security researcher, Runa Sandvik:
“The risk may seem small when you consider one single website collecting this type of information. The real concern with behavioral profiling is when it is being done by multiple big websites owned by the same company or organization. The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page. Suddenly, the IP address I am using to connect to these two sites matters much less.” (Ars Technica)
Sandvik wanted to find out first hand how people could be affected by behavior profiling. She also wanted to know if it was possible to profile Tor users. To find out, Sandvik performed her own test using a profiling demo site from Swedish company BehavioSec. During the test, she accessed the site using a Tor browser. Was the site able to create a profile on her? Come to find out, yes.
Why is it that Tor was not able to maintain her anonymity during this test? In this case, the answer lies in how much JavaScript a Tor browser allows to run. The demo site did not exceed these limitations.
Just one solution that has been created to combat behavior profiling is KeyboardPrivacy. KeyboardPrivacy is a Chrome browser plugin created by researchers Per Thorsheim and Paul Moore. The plugin prevents behavioral profiling by randomizing the rate characters reach the Document Object Model (DOM).
In his recent blog, Thorsheim stated:
“Your favorite government agency – pick your country – could set up spoofed and fake pages on the dark web as well as in the real world, in order to identify people across them. For oppressive regimes, this is most certainly of high interest.”
Are you concerned about behavioral profiling? Tell us your thoughts in the comments below!
Source: Ars Technica