Meet KeyboardPrivacy: a proof-of-concept Google Chrome extension that masks how long your fingers linger on each key you depress as you type and how much of a time lag there is between each of your key presses.
And just why would you need to disguise these typing traits – also known as periodicity – which are as unique to individuals as fingerprints?
Because there’s technology out there that can measure our typing characteristics, on the scale of millisecond-long delays and key presses, and use the data to profile us with such a high degree of accuracy that – Tor or no Tor – you won’t stay anonymous when browsing online.
Examples include profiling technology from a Swedish company called BehavioSec that can identify site visitors, based on their typing habits, with a session score of 99% and a confidence rate of 80%.
That type of success comes after the technology has been trained on a mere 44 input characters.
The extension, designed to obfuscate our typing patterns, comes from security researchers Per Thorsheim and Paul Moore.
On Tuesday, Moore said on his blog that UK banks are rumored to be actively trialing such technology to try to detect and minimize the risk of fraud.
That rumor is backed up by news reports mentioning that, as of March 2013, BehavioSec counted Sweden’s top ten national banks – along with Samsung – among its clients.
Why would the researchers want to fight off banks’ efforts to detect fraudulent activity on our accounts?
And why would bank customers want to reduce security by throwing a monkey wrench – or, really, in this case, it’s more like introducing the technical equivalent of a highly accurate cat walking across our keyboards – into banks’ efforts?
Because as it is, we’re trading privacy for security, Moore said.
In essence, we’re unwittingly leaking identifying information to every site that tracks our typing fingerprints, or what’s also known as our behavioral biometrics: the measurement of something that somebody does, be it walking, speaking or typing.
Behavioral biometrics – i.e., measuring what we do – differs, of course, from our biometrics, which is a measure of what we are, be it fingerprints or iris scans.
As Thorsheim explained, behavioral profiling is far from new.
As far back as World War II, British intelligence operators listening to German morse code operators made anonymous profiles of the various people signaling the morse code, including how fast they coded and their typing errors – all data used to differentiate between operators.
The researchers said that for all we know, anybody could be profiling us based on behavioral biometrics: not just banks looking out for the safety of our accounts, but also, theoretically, repressive governments snooping into our online activities, Moore said:
How many other sites use it [besides BehavioSec's customers]? Would they tell you if they were?
In a separate post, Thorsheim presented a scenario of how such profiling can be used in surveillance:
Your favorite government agency - pick your country - could set up spoofed and fake pages on the dark web as well as in the real world, in order to identify people across them. For oppressive regimes, this is most certainly of high interest.
It doesn’t matter if we’re using Tor, a VPN or a proxy site to anonymize our online activity: the keystroke logging isn’t done remotely so it’s not affected. The logging actually happens locally, inside the web pages that we’re rendering and executing in our web browsers, after it’s been downloaded.
The tracking code is written in Javascript, an incredibly important and widely used programming language that runs in our browsers and makes an awful lot of the interesting things websites do possible.
Among its many useful features, Javascript has the ability to capture user input such as the mouse movements and keystrokes we use when we’re interacting with web pages.
Runa Sandvik, an independent security researcher and former Tor developer, told Ars Technica that the risk may seem small when considering one single website using this information to profile us, but the risks to privacy and anonymity increase when one company or organization profiles us across multiple sites:
The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page. Suddenly, the IP address I am using to connect to these two sites matters much less.
Sandvik tried out the profiling technology herself, visiting BehavioSec’s profiling demo site with a fully updated Tor browser.
She said that the site was able to construct a profile of her unique typing habits, despite Tor – a daunting prospect for those who don’t want to be tracked on the public internet or as they journey to dark web destinations.
Ars Technica’s Dan Goodin notes that as well as trying to cover our tracks the Tor browser also features other privacy-enhancing features including limits on how much JavaScript sites can run.
Unfortunately those features don’t offer much protection either, given that in Sandvik’s experiment, the demo site had enough JavaScript to successfully profile her.
Would blocking JavaScript altogether help? Yes, Goodin says, blocking JavaScript can be useful, but that won’t help if profiling apps resort to other ways to profile.
Think of our unique, unchangeable typing patterns as another version of password reuse, Moore suggests:
The single biggest problem with passwords is not length or strength, but re-use. Your behavioral biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site.
Keyboard Privacy works by disrupting that predictable, easily profiled pattern, flattening the rate at which our keyboard entries reaches a site.
Once installed, you can continue to use the web exactly as you do now, typing along as usual.
KeyboardPrivacy will artificially alter the rate at which your entry reaches the Document Object Model (DOM), which is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML, and XML documents.
Instead of the highly distinctive, predictable way that we type, Keyboard Privacy imposes a 50 millisecond dwell and gap time – i.e., the duration of key presses and lag between them.
A demo shows that the Chrome plugin managed to knock the previously very high success rate of profiling down to, essentially, nothing: a .01% session accuracy on BehavioSec, while another profiler, KeyTrac, was throttled down to matching with only 3% accuracy.
Expect a Firefox version of the Keyboard Privacy extension soon, the researchers promised.
Image of keyboard courtesy of Shutterstock.
JR
Okay, so let’s say we enable this, then later we use a computer that doesn’t have this installed. Seems like we’d be out of luck.
Anonymous
If I write anything more than a few words it’s done offline and copied and pasted, not for privacy but for my own convenience.
TonyG
Is it any worse than what we already have? Microsoft games show me ads, but it alternated between two for a week. One was for paint at B&Q, after I had bought paint at B&Q but never looked at paint online. The other was for Aptimil follow on milk, after my wife bought some for our grandson’s visit. This latter one is the one that intrigues me, because of the information that was required to link it to me. These ads were persistent, but completely stupid, because they came after the products were bought, and so unlikely to change anything I do.
Baldymark
Another reason why I always use cash.
Spryte
And if you want to be secure at your banking or any other site where fraud may be an issue, any extension can be temporarily disabled then enabled again.
A great idea, in my opinion.
Just waiting for that Firefox extension.
Ray Greene
Would using a password manager such as Lastpass to fill in passwords and forms stymie this?
Malcolm
yes, but usernames and passwords are not all you type online: as an example, you have the post you just wrote :).
Anonymous35
The keystroke logging code is written in javascript. I’d urge everyone to use this addon called “No Script”. I have been using it for both Firefox and Chrome. You get to select which scripts you want to enable.
David Pottage
While I think the chrome extension is a good idea, it will only help for users who type things into chrome web forms. What happens if they surf the web using a different browser, or use other interactive text tools such as IM chat services or ssh? What about local malware on the user’s machine that collects keyboard statistics while they type in their word processor, that can later be correlated with them when they visit a cyber-cafe.
For this reason, I think the mitigation for this attack ought to live in the OS keyboard driver, as that way, all network services & local applications are protected.
Nagy Gergely
It looks like to me that it does not do anything at all. All my scores are 100% no matter what setting I choose.
* I started a fresh session on the Behav demo with the default 50/50 setting
* I’ve done the teaching for 10 times as the site requires
* I turned off the plugin, tested the site: it gave score 100, conf 80+%
* I changed the values in the plugin (after turning back on), but still 100 score with 80+% confidence
I also tried it on coursera.org (my main target, they want to invade my privacy with this keystroke pattern stuff, which I don’t want to allow). It fails there too.
Could you please advise?
rise eater
The problem is that some web pages text field are coded with javascript, as such it could be coded to echo all your key typing.
There is a work around for Firefox user, get the “Work Offline” add-on and place it on a visible place in your browser.
Before you start typing, click on the symbol in order to disconnect the browser from the net, when done then connect again and submit your text, login info etc.
rxxqxv@gmail.com
Always make sure that an SEO agency is open about their methodologies used – any secrecy could mean they are using “black hat” techniques. In order to gain online visibility it is recommended to use a good SEO services provider. Ranking for keywords isn’t an easy task, especially if the word you’re looking for is competitive – for example if you wished to be at the number one slot when a web user was to search “Sports Apparel”.
Ryan
What’s ironic about this is that there are other “fingerprinting” techniques that use all of the freely availably anonymous information about you (IP address, browser vendor/version, timezone, etc) all combined together to generate a unique identifier that can be reconstructed even if some of the information (such as you IP address) changes. Even two people on OSX 10.9 on Chrome are likely using slightly different versions of Chrome or OSX – enough to tell one from the other. One of the freely available datums used to generate these fingerprints is the list of installed browser extensions – which is freely available to any website. Since only a fraction of internet users have this plugin installed, you are actually making other fingerprinting techniques more accurate.
Chris Long
If you have to get Google Chrome to avoid these keyloggers – screw it. I live without anything Google as is…
FreeJulian
Privacy addon for Chrome??? Is this a joke?
Anon
That’s why you should disable JavaScript for truly private browsing.