Your mouse knows when you are lying

The mouse attached to your computer and your hand may be telling us more about your identity than you suspected. This could be both a good thing, as researchers in Italy recently noted, or troublesome as those in the Tor community noted a bit over a year ago.

The good.

Italian researchers (Monaro, Gamberini and Sartori) recently published a study, “The detection of faked identity using unexpected questions and mouse dynamics”, which declared a 95% accuracy in determining if a user was lying, based on the results of a machine learning algorithm which they created.

The study used a very small sample size, 40 persons for their first test and 20 for their second, but their conclusions have merit.

Their premise:

For a truthful responder, unexpected questions are supposed to elicit the correct response automatically. By contrast, an identity liar has to reconstruct the non-rehearsed unexpected information and verify it.

Example: “What is your date of birth?” is an expected question. An unexpected question may be, “How old are you?” or “What is your sign?” Both unexpected questions may require calculation by someone who is using a fake identity and has either memorized the answers or has them written down for reference as they engage a website.

In brief, the researchers used a combination of authentication questions (expected and unexpected) and then measured mouse movements, as well as, time lapse by the user in answering the question. The user may have answered the question correctly, but “unexpected questions will increase a liar’s cognitive load” the researchers declared.

The troublesome.

We are well on our way toward evolving individual identities based on the way we peruse sites and interact with our browsers using the mouse. In 2013, Facebook was reported to be tracking our mouse tracks to see which advertisements we liked the best.

In early 2016, Jose Carlos Norte, a Barcelona based security researcher, revealed a means to accomplish “Advanced Tor browser fingerprinting” using the information derived from one’s mouse movements. Norte notes, how these movements, combined with “other little things reveal bits of entropy about who we are.” His proof of concept app at the time calculated CPU speed and computing power and used these as identifying tidbits.

The mouse is an extension of ourselves

Rebecca Herold, aka Privacy Professor, was asked for her thoughts and she noted how the mouse is an extension of ourselves. Herold said:

It certainly makes sense that the movement of a computer device mouse could be linked to the specific individual who is the one who is the primary user of that device. Our computing device mouse is a digital extension of ourselves. I know how I use mine, and how I move it and click the left and right buttons and use the vertical wheel, is unique to me. And how you would use your mouse would be unique to you.

All would have different types of mouse movements associated with them. And, of course this data could be linked to the locations, times, etc. for when the mouse was being used. Big data analytics could be applied to provide a lot of interesting insights.

Both research and monetization of the means to measure a user’s mouse movements have been around for many years. Who doesn’t remember ClickClickClick the browser extension which showed you just how much a website captures when you visit?

In 2011, Christopher Mims published, in MIT Technology Review, his thoughts on heat-mapping one’s activity, “The Next Big Thing In Analytics: Tracking Your Cursor’s Every Move”. He postulated, then, how the mouse could provide a fingerprint of sorts to identify individual users.

Somebody at DARPA (the Defence Advanced Research Projects Agency) was obviously listening. The agency is developing ‘a next generation biometric capability’ based on how users use a mouse and keyboard.

Herold offers this observation/prediction:

Data truly is going to define each individual soon, in ways that are equal to, or even more substantial, than physical evidence. It makes sense that they are now analyzing the data associated with mouse movements to see how that could be used when doing surveillance, profiling, and other types of activities for a specific individual. All that data about each and every one of us can, and will be, used by others, often unknown and unlimited others, to make what could be critical decisions about us; it could certainly have significant impacts and unintended consequences.

Authentication questions coupled with mouse identity may be our friend.

We remember the admonishment of nine years ago by Dr. Ariel Rabkin, “Personal knowledge questions for fallback authentication: Security questions in the age of Facebook,” to avoid using easily discoverable answers to authentication questions. Coupling Rabkin’s guidance with the Italian researcher’s algorithm and infusion of unexpected questions, may provide us a viable step toward identity authentication. The methodology has merit as a viable means to require an entity to escalate the validation of the user to the next level of user interaction, when the algorithm signals a warning.