Naked Security

Websites can track us by the way we type – here’s how to stop it

Meet KeyboardPrivacy: a proof-of-concept Google Chrome extension that masks how long your fingers linger on each key you depress as you type and how much of a time lag there is between each of your key presses.

And just why would you need to disguise these typing traits – also known as periodicity – which are as unique to individuals as fingerprints?

Because there’s technology out there that can measure our typing characteristics, on the scale of millisecond-long delays and key presses, and use the data to profile us with such a high degree of accuracy that – Tor or no Tor – you won’t stay anonymous when browsing online.

Examples include profiling technology from a Swedish company called BehavioSec that can identify site visitors, based on their typing habits, with a session score of 99% and a confidence rate of 80%.

That type of success comes after the technology has been trained on a mere 44 input characters.

The extension, designed to obfuscate our typing patterns, comes from security researchers Per Thorsheim and Paul Moore.

On Tuesday, Moore said on his blog that UK banks are rumored to be actively trialing such technology to try to detect and minimize the risk of fraud.

That rumor is backed up by news reports mentioning that, as of March 2013, BehavioSec counted Sweden’s top ten national banks – along with Samsung – among its clients.

Why would the researchers want to fight off banks’ efforts to detect fraudulent activity on our accounts?

And why would bank customers want to reduce security by throwing a monkey wrench – or, really, in this case, it’s more like introducing the technical equivalent of a highly accurate cat walking across our keyboards – into banks’ efforts?

Because as it is, we’re trading privacy for security, Moore said.

In essence, we’re unwittingly leaking identifying information to every site that tracks our typing fingerprints, or what’s also known as our behavioral biometrics: the measurement of something that somebody does, be it walking, speaking or typing.

Behavioral biometrics – i.e., measuring what we do – differs, of course, from our biometrics, which is a measure of what we are, be it fingerprints or iris scans.

As Thorsheim explained, behavioral profiling is far from new.

As far back as World War II, British intelligence operators listening to German morse code operators made anonymous profiles of the various people signaling the morse code, including how fast they coded and their typing errors – all data used to differentiate between operators.

The researchers said that for all we know, anybody could be profiling us based on behavioral biometrics: not just banks looking out for the safety of our accounts, but also, theoretically, repressive governments snooping into our online activities, Moore said:

How many other sites use it [besides BehavioSec's customers]? Would they tell you if they were?

In a separate post, Thorsheim presented a scenario of how such profiling can be used in surveillance:

Your favorite government agency - pick your country - could set up spoofed and fake pages on the dark web as well as in the real world, in order to identify people across them. For oppressive regimes, this is most certainly of high interest.

It doesn’t matter if we’re using Tor, a VPN or a proxy site to anonymize our online activity: the keystroke logging isn’t done remotely so it’s not affected. The logging actually happens locally, inside the web pages that we’re rendering and executing in our web browsers, after it’s been downloaded.

The tracking code is written in Javascript, an incredibly important and widely used programming language that runs in our browsers and makes an awful lot of the interesting things websites do possible.

Among its many useful features, Javascript has the ability to capture user input such as the mouse movements and keystrokes we use when we’re interacting with web pages.

Runa Sandvik, an independent security researcher and former Tor developer, told Ars Technica that the risk may seem small when considering one single website using this information to profile us, but the risks to privacy and anonymity increase when one company or organization profiles us across multiple sites:

The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page. Suddenly, the IP address I am using to connect to these two sites matters much less.

Sandvik tried out the profiling technology herself, visiting BehavioSec’s profiling demo site with a fully updated Tor browser.

She said that the site was able to construct a profile of her unique typing habits, despite Tor – a daunting prospect for those who don’t want to be tracked on the public internet or as they journey to dark web destinations.

Ars Technica’s Dan Goodin notes that as well as trying to cover our tracks the Tor browser also features other privacy-enhancing features including limits on how much JavaScript sites can run.

Unfortunately those features don’t offer much protection either, given that in Sandvik’s experiment, the demo site had enough JavaScript to successfully profile her.

Would blocking JavaScript altogether help? Yes, Goodin says, blocking JavaScript can be useful, but that won’t help if profiling apps resort to other ways to profile.

Think of our unique, unchangeable typing patterns as another version of password reuse, Moore suggests:

The single biggest problem with passwords is not length or strength, but re-use. Your behavioral biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site.

Keyboard Privacy works by disrupting that predictable, easily profiled pattern, flattening the rate at which our keyboard entries reaches a site.

Once installed, you can continue to use the web exactly as you do now, typing along as usual.

KeyboardPrivacy will artificially alter the rate at which your entry reaches the Document Object Model (DOM), which is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML, and XML documents.

Instead of the highly distinctive, predictable way that we type, Keyboard Privacy imposes a 50 millisecond dwell and gap time – i.e., the duration of key presses and lag between them.

A demo shows that the Chrome plugin managed to knock the previously very high success rate of profiling down to, essentially, nothing: a .01% session accuracy on BehavioSec, while another profiler, KeyTrac, was throttled down to matching with only 3% accuracy.

Expect a Firefox version of the Keyboard Privacy extension soon, the researchers promised.

Image of keyboard courtesy of Shutterstock.