No matter how many randomized passwords or anonymous browsers you use, there’s a good chance that the right person can figure out exactly who you are just by paying attention to the way that you type on your keyboard. Much like a person’s heartbeat or the way that they speak, the way that people type on keyboards differs in minute ways from one person to the next.
A group of people all typing in the same phrase on their computers, for example, would hit the keys at different frequencies and pause at different places in between words. Every correction, revision, and moment the cursor is left to blink represents a data point that, when analyzed, creates a specific profile.
Behaviosec, a Swedish company that specializes in analyzing these types of digital, behavioral biometrics, explains just how much personal information we all share just by touching our computers, phones, and tablets.
"The risk may seem small when you consider one single website collecting this type of information," Runa Sandvik, an infosec analyst, explained to Ars Technica. "The real concern with behavioral profiling is when it is being done by multiple big websites owned by the same company or organization."
According to Sandvik, the real danger with behavioral biometrics is in the idea of generating massive profiles of people’s digital habits that can be cross-referenced across the web. If a person can be identified by the way that they type, it becomes much easier not only to track their movement around the internet, but also to make smarter guesses about their passwords and other identifying information.
Sandvik used to be a developer for Tor, a web browser commonly used by people to access the dark parts of the internet anonymously by randomizing their IP addresses. She warned that Behaviosec was almost immediately able to get a sense of who she was specifically, despite the fact that she used the service through Tor.
"I created and trained a biometric profile of my keystroke dynamics using the Tor browser at a demo site," Per Thorsheim, the driving force behind PasswordsCon, wrote in a blog post yesterday. "I then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified me when logging in and completing a demo financial transaction."
Thorsheim, working together with Paul Moore, another infosec advocate, has developed a Chrome plug-in that can scramble a user's behavioral biometric information, but this is only a small solution for a single browser.
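The profiling and scrambling described above can be sketched in a few lines. This is an added example, not code from Behaviosec or from the Thorsheim and Moore plug-in: the key timings are constructed, the function names and the 15 ms threshold are hypothetical, and re-timing every key to a fixed interval is an assumed mitigation, not the plug-in's documented method.

```javascript
// Constructed samples: [key, keydown ms, keyup ms] for the same word, "pass".
const alice      = [["p", 0, 95], ["a", 180, 260], ["s", 420, 515], ["s", 610, 700]];
const aliceAgain = [["p", 0, 90], ["a", 175, 262], ["s", 425, 512], ["s", 600, 695]];
const bob        = [["p", 0, 60], ["a", 110, 165], ["s", 230, 290], ["s", 335, 390]];

// Feature vector: dwell time (how long each key is held), followed by
// flight time (gap between releasing one key and pressing the next).
function features(events) {
  const dwell = events.map(([, down, up]) => up - down);
  const flight = events.slice(1).map(([, down], i) => down - events[i][2]);
  return [...dwell, ...flight];
}

// Mean absolute difference between two samples' timing features, in ms.
function distance(a, b) {
  const fa = features(a);
  const fb = features(b);
  return fa.reduce((sum, v, i) => sum + Math.abs(v - fb[i]), 0) / fa.length;
}

// A sample "matches" an enrolled profile if its timing is close enough.
// The threshold is a hypothetical value chosen for this constructed data.
function matches(profile, sample, thresholdMs = 15) {
  return distance(profile, sample) < thresholdMs;
}

// Assumed mitigation: buffer keystrokes and replay them to the page with a
// fixed dwell and gap, so the page never sees the typist's own rhythm.
function normalize(events, dwellMs = 50, gapMs = 50) {
  let t = 0;
  return events.map(([key]) => {
    const retimed = [key, t, t + dwellMs];
    t += dwellMs + gapMs;
    return retimed;
  });
}

console.log("alice vs aliceAgain:", distance(alice, aliceAgain), matches(alice, aliceAgain));
console.log("alice vs bob:", distance(alice, bob).toFixed(1), matches(alice, bob));
console.log("alice vs re-timed aliceAgain:", matches(alice, normalize(aliceAgain)));
console.log("re-timed alice vs re-timed bob:", distance(normalize(alice), normalize(bob)));
```

Nothing in the feature vector depends on IP address or browser, which is why a profile enrolled in one browser still matches in another. Once the timings are re-timed, the enrolled profile no longer matches its owner and two different typists look identical.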
All of this isn't to say that behavioral biometrics are only being used for nefarious purposes. These unique profiles are increasingly being used by websites that require high security like banks and, as they're adopted more widely by different kinds of sites, there's the potential of behavioral biometrics becoming a strong, added layer of user protection.
In the meantime? Type lightly, type weirdly, and try to change it up as much as possible.