Boffins: We can identify you by your typing, and we're gonna sell the tech to biz, govt – yay! Concerned that browser cookies fall short when it comes to tracking mobile devices and their owners on the internet, computer-science boffins believe they can recognize phone-toters using only their keystrokes and accelerometer data. In a paper presented this week through ArXiv, "Sequential Keystroke Behavioral Biometrics for …
First of all, to the buggers coming up with this lovely technology and making it available to pernicious outfits like ad networks and governments, a heartfelt plea: FUCK OFF AND DIE! May you die screaming, and may it happen soon. (No, I won't do anything to you, but if someone else does and I were on their jury, I'd suggest a vote of thanks.) Just because you CAN do something doesn't mean it's a good idea.
Secondly, who's up for writing an app that captures all your keystrokes and randomly anonymizes them before sending them to a target app?
This is the sort of thing where a philanthropist could set up a non-profit that purchases patents for or asks for the donation of patents for this sort of anti-consumer technology to prevent their use, and sues anyone who violates those patents. When the patent expires in 20 years I think it would probably be as irrelevant to the world of 2037 as the T9 predictive text patent from 1998 is to the world of 2017.
The abstract mentioned that it could be done with a special keyboard app or a special browser app. Without knowing the details of how this exploit works, it would seem that the data available to javascript would not be adequate for this purpose.
The easy answer would be not to install any special keyboard apps or browsers. If an attack is going to involve getting the user to install a modified browser or keyboard, there's a lot more valuable data that can be stolen directly than there is by observing the cadence of the simulated keypresses. Either way, it could be classed as a data-stealing trojan, and we already know those existed.
"The easy answer would be not to install any special keyboard apps or browsers."
Until said keyboards/apps/browsers become part of the firmware ROM in the future. Yes you would still have the option to install others, but a) how do you know they won't do the same; and b) would the baked-in ones still slurp despite not being used.
new version of crome comes with free key board app and auto installs,
compulsory security update!
there 80% of the internet is on board in a few minutes.
Trendy new keyboard app, has flowers and full emollient support, especially ported for apple and free form app"le" store.
that's 99% of the world, the rest don't matter "yet"
"The T9 predictive text system of 1998" was better than my brand new Android... (Windows Phone was even better. But never mind.)
Time to give Swype a try, I think.
I don't begrudge anyone developing this technology, nor yet selling it to anyone who's curious enough to buy it. Just so long as they don't try to stop others from taking their own countermeasures, as proposed in the first post...
To most people it doesn't matter - it's really not that big a deal if $COMPANY can identify who's using their app. But there are those who do care, and those people shouldn't have their options shut off.
University of Illinois at Chicago, University of Nebraska–Lincoln, and Hong Kong Polytechnic University: so that's three universities we know for sure don't require their researchers to take ethics modules, then. Hopefully at least their medical students still have some vague recollection about doing no harm.
Back in the early '90s, in the age of Internet Bubble 1.0, we at least had some useful concepts in mind, like computer-aided design and The Golden Age of Engineering. But with computer science degenerating into an arms race between the hi-tech industry and the public, I'm now glad I've retired from the industry.
One to add random delays on keystrokes being sent as they're made to apps (versus using a text box where they are all sent at once, which wouldn't allow such personal identification) and the other to prevent apps from accessing accelerometer data - or fake the readings so all it can tell is "portrait versus landscape".
One to add random delays on keystrokes being sent as they're made to apps (versus using a text box where they are all sent at once, which wouldn't allow such personal identification) and the other to prevent apps from accessing accelerometer data - or fake the readings so all it can tell is "portrait versus landscape".
I wouldn't worry too much just yet. To pick up individual keystrokes you'd have to re-code web entry forms so they pick up every single keystroke for timing. This makes it easy to detect that something is actively watching keystrokes rather than waiting for a POST with the completed string, so you can filter for that. As for apps that do this, that too would require different access to entry routines so I suspect that especially Apple will soon pick that up.
What is sad is that these researchers seem to have zero interest in the many way that their idea can be abused.
I wouldn't worry too much just yet. To pick up individual keystrokes you'd have to re-code web entry forms so they pick up every single keystroke for timing. This makes it easy to detect that something is actively watching keystrokes rather than waiting for a POST with the completed string
or they capture the data client side with javascript and send it with the form data
Wouldn't this make all inputs on apps personally identifiable information, under the GDPR?
Yes, but the current flawed blatantly broken approach of especially US companies to user privacy has been recently blessed by the EU by means of an extension of the Privacy Shield agreement, so I am not entirely surprised they are giving GDPR requirements a stiff ignoring.
They'll be doing that for as long as they can get away with it, which is either until people like Max Schrems once again start asking questions with a most annoying (for the recipients) persistence, or until we get Yet Another Massive Leak that prompts CEOs to spout the usual platitudes (and lies) about "caring about the customer" and "being sorry" and "taking steps to make sure it never happens again" (.. this week) etc etc.
Several thoughts are streaming through my mind like rivulets
of cascading insights leading to a plethora of splendiferous
perceptions. . .
1) I always could tell whether it was Mozart, Bach, Beethoven, or Wagner who
were hitting the keys just so, same with KISS and Norah Jones, the Sex Beatles,
no, wait, the Beatles and the Sex Thistles, no Pistols, .... so I guess we'll all be famous.
Which is as useful as everyone winning the lottery at the same time.
2) W h a t i f I t y p e d r e a l l y s l o w l y
aaaa nnnnnn ddd m aa d e ma n n y m ee s t a k e ss
w o u l d "they" s t i l l f i g u u rr e o u t i t ' s m e?
What if I were rich and used a different secretary from the typist pool
each time? Oh wait, that was in the 50's. Forget it. End of story.
I got a "non-smart phone", I use "speed-dialing", and I don't text. Does that help?
3) I read somewhere that credit card companies can often determine who
is using a credit card by analyzing a mere three purchases. Pattern recognition, baby!
One particular credit card company needed only one (1) purchase to figure out my card info had been
snatched, because the hapless thief made a purchase at a "sports equipment store".
(Since "sport" costs money, is exhausting, can hurt you, can even kill you, such a
purchase was "so totally obviously not me", that this ID thief was busted on the first try. Ha!)
4) Isn't anything you do online already tied to some sort of global user id, in addition
to all sorts of IP address stuff? And aren't we already identified by the same old and tired
web-sites we visit each time? Plus, if I go online and check my e-mail, then MI6, the
NSA, Putin, Jong-Il, along with Google-Face-Apple-MSFT will know that it's me.
If they are interested in me. Which I bet they are not, because I know nothing, and
I got nothing.
5) I don't understand how VPN works, because if something is not encrypted from beginning to
end with a password that ONLY I and the FINAL RECIPIENT know, how can it be possibly safe?
Can anyone explain that to me?
I've been doing that for years. I guess now I have a reason to continue.
Funny thing ... If you spot a typo in one of my posts here on ElReg, invariably I typoed it directly into the browser. When I use vi, for some reason the ability to proofread my own work is vastly improved. I suspect it's the font, but I can't be arsed to make the necessary change to find out.
From the abstract of the aforementioned publication:
"With the rapid growth in smartphone usage, more organizations begin to focus on providing better services for mobile users."
Oh, they begin to focus on that, do they? Perhaps a more accurate statement would be that they focus on providing the appearance of better services to lure people into the range of their ads and other monetization strategies. I doubt if "providing better services" is really anything more than a catch-phrase, but even if it's not, they only do it to the extent necessary to lure people into their trap. Why use more bait than you need? Once the victim is lured into the trap, you've got him.
" User identification can help these organizations to identify their customers and then cater services that have been customized for them."
Whether they want to have those services catered to them or not, right? Oh, and it's spelled "advertisements," not "services."
"Currently, the use of cookies is the most common form to identify users. However, cookies are not easily transportable (e.g., when a user uses a different login account, cookies do not follow the user). This limitation motivates the need to use behavior biometric for user identification."
Sure, that's it! It's because cookies don't follow people from device to device, not because some of us are wise to their game and don't let them play it with us. It would allow them to ever so more efficiently cater their services to us if they could track us on multiple devices, even though that in people who move from one mobile device to the other, this would probably be a personal device (where the services are of a personal nature) and a work device (where the services are of a professional nature). How again would mixing the two allow them to provide better services? If the person does work-related stuff on his personal phone, the data they want about those work activities is already part of the dossier they would collect from data sent from his personal phone. If he keeps them completely separate, it's because he wants or needs them to be completely separate, and there is no value in trying to mix things that are not meant to be mixed.
Unless, of course, that's not really the reason at all. I'm sure the LSO "super cookie" trackers and the browser fingerprinting trackers were all for the benefit of the user too, according to the perpetrators of each. It's just great how hard they're working to serve us all better, isn't it? They want to serve us better so badly that they're trying their hardest to defeat every defense we have against invasion of our privacy. For our own good, of course. Of course, that's by their definition of what's good for us, and that means having us besieged with ads for valuable and excellent products that their paid partners are willing to sell to us.
Ditto. I've got a feature phone: it has a removeable battery, an SD card slot, & a headphone jack but not much else. I bought it expressly because it lacks the pseudo-"smart" functions so bullshite maneuvers such as the techniques mentioned in TFA can't work on me. Good luck reading a sensors data that doesn't exist on a device that doesn't have a browser. BT is off, there's no wifi, & unless you're tracking my position via the cell tower signals, there's not even a GPS chip with which to try to find me.
Dear Corporations, I do not want you to monetize me & I'll do everything in my power to make bloody well sure you keep your fekking hands off my data. STFU, FOAD, DIAF, & HAND!
As despicable as it is, there may be some useful outcomes from this. Maybe.
Whereas, some fine UK university*. has been training sheep** to nod at "celebrities" to gain food.
* i can't be arsed to look up and post the recent news story
** As if Beiber, Beyonce (or Bey if your more familiar) et al don't have enough followers.
Create a app that randomly changes the pattern of vibration when any key stroke is made. I enjoy tactile feedback so I always have the vibrate when key is press feature enabled. I would think that creating a few patterns or creating an algorithm that would randomly generate a different pattern for each key press would mess that system up .
I have gotten into the habit of leaving a window in a text editor (Notepad, for example, in Windows, or TextWrangler in OS X) and typing in that. And then copying and pasting. Go ahead, analyze that, laddie.
This way, I have an offline copy, just in case Firefox goes TITSUP without warning (that's happened as recently as earlier this week) or just to keep things straight, or the site might do Strange Things and I can't be arsed with typing all that all over again.
And, yeah, they can't analyze a damn thing.
They may well be able to detect keystrokes from other apps as long as it is itself running (which it could be without you knowing it). As for false data, it could try to gain priority (maybe even become a built-in system app) so it can detect faking attempts and work around them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
