Digital Fingerprints — Tiny behavioral differences can reveal your identity online

[D]ifferences remain in the way that people tap out their electronic secrets. Internet users have characteristic patterns of how they time their keystrokes, browse Web sites, and write messages for posting on online bulletin boards. Scientists are learning to use these typeprints, clickprints, and writeprints, respectively, as digital forms of fingerprints.

While the aims of this research are to strengthen password security, reduce online fraud, identify online pornographers, and catch terrorists, the technology is raising some troubling possibilities. “It’s a bit scary,” says Jaideep Srivastava, a Web researcher at the University of Minnesota in Minneapolis. “The privacy implications are huge.” This technology might make it impossible for a person to use the Web anonymously.



  1. james says:

    “This technology might make it impossible for a person to use the Web anonymously.”

    Funny I thought IP addresses already did that?

  2. SN says:

    1. “Funny I thought IP addresses already did that?”

    Funny, I always thought that IP addresses could be spoofed. And I never knew that IP addresses were tied to individual people. I always assumed they identified routers, computers and the like.

  3. Peter Rodwell says:

    Timing somebody’s keystrokes over the Internet doesn’t seem a very accurate way of identifying a person – what about latency variations on the net? Wouldn’t that screw up the timings?

  4. rax says:

    Gee ya’d think that if someone could figure out who we are by how fast we type they’d be able to do away with those annoying captcha boxes on most sites.

  5. jbellies says:

    Sounds like the beginning of an Urban Myth. For example, nothing goes to DU until I click “Say It!”. In other cases, I might copy-and-paste text, or have the browser fill in a user name and password. I think that the first approximation of an IP is always going to be more telling.

  6. James says:

    All the information they’re talking about is infact client-side. Which means there is no way for a server to check it. And even if there was, there would be 1000 times as many was to fake it.

  7. Uncle Dave says:

    People, if you read the whole article you’ll see it isn’t just keyboard entry that they are looking at. They look at how you write also. For example, without seeing the name I can tell ECA’s comment at a glance. His ‘style’ is very distinctive. Do some analysis on those who post often and you could probably do the same with many others. Lots of ways to analyze what you post.

  8. OhForTheLoveOf says:

    I’m with #7…

    Unless you can monitor the keyboard in real time, presumably with some sort of spyware, I can’t imagine how you can use typing as a fingerprint.

    Not only that, but many if not most Americans have been fingerprinted… But with what we are talking about here, you need a profile of the “fingerprint” to compare… Where is that database and how will that sampling be done…

    This seems like yet another tin foil hat story… although I see nothing wrong with the notion that it is technically possible, I can’t see how it is practical in a real world application.

  9. BHK says:

    Seems to me this could be fixed by simple bit of software which provides a text box on the local machine to type in the message and then “cleans up” (changes the style a bit) and pushes the message tot the website at a uniform speed. Problem solved.

    The downside is that we will all sound the same and the government will have to outlaw such programs in order to keep track of us.

  10. Smartalix says:

    Some assume those that want to use this technique has to monitor how you type at the user end in order to determine identity. The sites using this technology can track your behavior at their end and don’t even have to ask you for the permission to use it (under current law) because body language isn’t protected expression (yet).

    You’d be surprised how easy it is. This kind of technology has been around in various flavors for quite a while in some circles.

    11,

    Your fix would work, but you shouldn’t worry about the government banning such countermeasures. The government has far more powerful tools. Business wants this for customer tracking. The more information you can gather, the more easily you can create a software agent that can accurately track them for marketing purposes. Kill cookies? They’ll still know where you go (so deleting collegefuckfest.com from your history won’t work) by your “fist”.

    A “fist” is the style signature a morse sender gave code by their handling of the key. This tech is only different in the number of parameters to track.

  11. jbellies says:

    ECA garbles his messages so he can sue anybody who copies and pastes them. He thereby is safe from plagiarism. Who would want to copy a text that doesn’t make sense?

    So… worst case scenario, the gov’t has messages from a known mass murderer (out of political office), they compare these messages with all the blogshite on the web, and discover that YOU are the criminal. My advice: deny everything.

    I remember an episode of Perry Mason where, in the last 5 minutes when somebody has to break down, the murderer was clearly the person who had typed a particular letter. Perry got the woman in the witness box to use the word “momento”. Then he showed the guilty letter where the word “momento” was also used. But momento isn’t the word, it is “memento”. Well, maybe in 1950s suburbia, there was a myth that everybody knew how to spell, and this woman swallowed it. She confessed. If she had continued to deny everything, I’m sure she’d still be here today, getting occasional great granny roles in soap operas (grin).
    Toady, off coarse, thet lodge-ick woodnut gate ennyware. “Oh, ee, whutz tha difff?”


0

Bad Behavior has blocked 5874 access attempts in the last 7 days.