- The Washington Times - Thursday, July 30, 2015

You can learn a lot about a person by the websites they visit, but what can be inferred by the speed of their keystrokes? Two privacy-minded security experts have released a tool that they say obscures the digital footprints left not by metadata, but behavioral biometrics.

Passwords aren’t passé just yet, but an argument raised increasingly over the last few years involves replacing more antiquated authentication methods with behavioral biometrics — uniquely individualized patterns discovered by passively keeping track of a person’s online activity, like mouse clicks and other nuanced movements.

With big-name Internet breaches becoming nearly routine, it’s no surprise that companies working closely with behavioral biometrics are searching for a solution to the Web’s security woes. Sweden’s based BehavioSec, for example, entered into a contract with the Pentagon in 2012 and was being fueled by $8 million from an array of investors as of last December.

Accompanying that boom in behavioral biometrics, however, is a backlash from experts who say computer users risk unwittingly identifying themselves online by falling prey to code that captures traits like the time between keystrokes and other sorts of cyber snowflakes.

On Tuesday, information security consultant Paul Moore unveiled his latest project, KeyboardPrivacy: a proof-of-concept Google Chrome extension that obfuscates the digital trail that’s left by behavioral biometrics and makes it harder for a website to learn the unique habits of its visitors.

“As opposed to traditional authentication, which is only interested in what you type, behavioral biometric systems collect [and] profile how you type, too. By actively monitoring how you type, the system is able to build a profile on you,” Mr. Moore said.

By coding websites to run certain scripts in silence, Mr. Moore said that it’s possible that hundreds of different metrics ranging from the speed of a person’s keystroke to the time in between are being logged and analyzed.

“With enough supporting data, it’s entirely possible to identify you based purely on how you type,” he said.

Indeed, information security specialist Per Thorsheim worked with Mr. Moore on the browser extension and said that he saw firsthand how behavioral biometrics can keep track of users over time.

“I created and trained a biometric profile of my keystroke dynamics using the Tor browser at a demo site,” he said. “I then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified me when logging in and completed a demo financial transaction.”

“As soon as somebody manages to build a biometric profile of your keystrokes at a network/website where you are otherwise completely anonymous, that same profile can be used to identify you at other sites you’re using, where identifiable information is available about you,” he warned.

Runa Sandvik, a hacker and former developer for the privacy-centric Tor Project, told Ars Technica that the risk may appear miniscule when it’s only one website logging that type of information, but added that the real concerns begin when behavior profiling in done by several websites owned by the same organization.

“The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page. Suddenly, the IP address I am using to connect to these two sites matters much less,” she said.

The team’s extension for the Chrome Web browser has been installed more than 580 times as of Thursday.

Sign up for Daily Newsletters

Manage Newsletters

Copyright © 2019 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.


Click to Read More and View Comments

Click to Hide