Boffins: We can identify you by your typing, and we're gonna sell the tech to biz, govt – yay!

Concerned that browser cookies fall short when it comes to tracking mobile devices and their owners on the internet, computer-science boffins believe they can recognize phone-toters using only their keystrokes and accelerometer data. In a paper presented this week through ArXiv, "Sequential Keystroke Behavioral Biometrics for …

  1. ma1010
    Mushroom

    A few comments...

    First of all, to the buggers coming up with this lovely technology and making it available to pernicious outfits like ad networks and governments, a heartfelt plea: FUCK OFF AND DIE! May you die screaming, and may it happen soon. (No, I won't do anything to you, but if someone else does and I were on their jury, I'd suggest a vote of thanks.) Just because you CAN do something doesn't mean it's a good idea.

    Secondly, who's up for writing an app that captures all your keystrokes and randomly anonymizes them before sending them to a target app?

    1. Anonymous Coward
      Anonymous Coward

      Re: A few comments...

      This is the sort of thing where a philanthropist could set up a non-profit that purchases patents for or asks for the donation of patents for this sort of anti-consumer technology to prevent their use, and sues anyone who violates those patents. When the patent expires in 20 years I think it would probably be as irrelevant to the world of 2037 as the T9 predictive text patent from 1998 is to the world of 2017.

      1. Updraft102

        Re: A few comments...

        The abstract mentioned that it could be done with a special keyboard app or a special browser app. Without knowing the details of how this exploit works, it would seem that the data available to javascript would not be adequate for this purpose.

        The easy answer would be not to install any special keyboard apps or browsers. If an attack is going to involve getting the user to install a modified browser or keyboard, there's a lot more valuable data that can be stolen directly than there is by observing the cadence of the simulated keypresses. Either way, it could be classed as a data-stealing trojan, and we already know those existed.

        1. Cuddles

          Re: A few comments...

          "Without knowing the details of how this exploit works, it would seem that the data available to javascript would not be adequate for this purpose."

          From the article:

          "typing data can be captured just as easily using JavaScript"

        2. davidp231

          Re: A few comments...

          "The easy answer would be not to install any special keyboard apps or browsers."

          Until said keyboards/apps/browsers become part of the firmware ROM in the future. Yes you would still have the option to install others, but a) how do you know they won't do the same; and b) would the baked-in ones still slurp despite not being used.

        3. Version 1.0 Silver badge

          Re: A few comments...

          So now write an app that takes the keyboard input and "standardizes" the key stream to remove the identifying characteristics - add an option to add typos at random. Every app that collects data creates an opportunity to create an app that obscures the data.

        4. southen bastard

          Re: A few comments...

          New version of Chrome comes with free keyboard app and auto installs,

          compulsory security update!

          There, 80% of the internet is on board in a few minutes.

          Trendy new keyboard app, has flowers and full emollient support, especially ported for Apple and free from app"le" store.

          That's 99% of the world, the rest don't matter "yet".

      2. veti Silver badge

        Re: A few comments...

        "The T9 predictive text system of 1998" was better than my brand new Android... (Windows Phone was even better. But never mind.)

        Time to give Swype a try, I think.

        I don't begrudge anyone developing this technology, nor yet selling it to anyone who's curious enough to buy it. Just so long as they don't try to stop others from taking their own countermeasures, as proposed in the first post...

        To most people it doesn't matter - it's really not that big a deal if $COMPANY can identify who's using their app. But there are those who do care, and those people shouldn't have their options shut off.

    2. Anonymous Coward
      Anonymous Coward

      Re: A few comments...

      University of Illinois at Chicago, University of Nebraska–Lincoln, and Hong Kong Polytechnic University: so that's three universities we know for sure don't require their researchers to take ethics modules, then. Hopefully at least their medical students still have some vague recollection about doing no harm.

      1. John Smith 19 Gold badge
        FAIL

        "that's three universities we know their researchers to take ethics modules"

        Indeed.

        The words "Moral blindness" come readily to mind.

        Literally the complete lack of any sense of the consequences of their work.

    3. Uffish

      Re: A few comments...

      There will be an app for that.

      There was a pattern recognition program featured recently that was bamboozled into recognizing a turtle as a gun. Shouldn't take too much work to adapt it to typing analysis, and there's a rumble motor built into most mobiles as well.

      1. Muscleguy

        Re: A few comments...

        I wish I could get the rumble motor on my Android to work with Angband. There is no feedback on when my character gets hit. I can't get the sound to work either.

    4. Anonymous Coward
      Anonymous Coward

      Re: A few comments...

      This is analogous to a disclosure of an unpatched bug.

    5. Compression Artifact
      Devil

      Re: A few comments...

      Back in the early '90s, in the age of Internet Bubble 1.0, we at least had some useful concepts in mind, like computer-aided design and The Golden Age of Engineering. But with computer science degenerating into an arms race between the hi-tech industry and the public, I'm now glad I've retired from the industry.

      1. LaeMing
        Devil

        Re: A few comments...

        Bonus points if your keypress-timing randomiser doesn't actually randomise but jimmies the timing so the results of analysis are always a string of bits that translate to "GO DIE IN A GUTTER!"

  2. Anonymous Coward
    Anonymous Coward

    Looks like iOS and Android need new options

    One to add random delays on keystrokes being sent as they're made to apps (versus using a text box where they are all sent at once, which wouldn't allow such personal identification) and the other to prevent apps from accessing accelerometer data - or fake the readings so all it can tell is "portrait versus landscape".

    1. Anonymous Coward
      Anonymous Coward

      Re: Looks like iOS and Android need new options

      "add random delays on keystrokes being sent"

      Latest Mozilla code already does that. It's called JavaScript and it's increasingly locking up my penguin to the point of reboot needed.

    2. Anonymous Coward
      Anonymous Coward

      Re: Looks like iOS and Android need new options

      One to add random delays on keystrokes being sent as they're made to apps (versus using a text box where they are all sent at once, which wouldn't allow such personal identification) and the other to prevent apps from accessing accelerometer data - or fake the readings so all it can tell is "portrait versus landscape".

      I wouldn't worry too much just yet. To pick up individual keystrokes you'd have to re-code web entry forms so they pick up every single keystroke for timing. This makes it easy to detect that something is actively watching keystrokes rather than waiting for a POST with the completed string, so you can filter for that. As for apps that do this, that too would require different access to entry routines so I suspect that especially Apple will soon pick that up.

      What is sad is that these researchers seem to have zero interest in the many ways that their idea can be abused.

      1. Baldrickk

        Re: Looks like iOS and Android need new options

        I wouldn't worry too much just yet. To pick up individual keystrokes you'd have to re-code web entry forms so they pick up every single keystroke for timing. This makes it easy to detect that something is actively watching keystrokes rather than waiting for a POST with the completed string

        Or they capture the data client side with JavaScript and send it with the form data.
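    The countermeasure proposed in this thread (random delays, or a "standardised" key stream) against a cadence-based identifier, as an added Python demonstration that is not from any commenter and not the paper's DeepService model: two constructed typist profiles, a toy nearest-centroid classifier on inter-key timing, and the effect of releasing keys at a fixed cadence.

```python
"""Added example: why normalising keystroke timing defeats a simple
cadence identifier. Typists, profiles and classifier are all constructed
for illustration; the paper's own model (a GRU) is not reproduced here."""
import random
import statistics

# Constructed typist profiles: (mean, std) of inter-key interval in ms.
PROFILES = {
    "typist_a": (120.0, 25.0),
    "typist_b": (210.0, 60.0),
}


def sample_intervals(profile, n, rng):
    """Simulate one typing session of n keys for the given profile."""
    mean, sd = PROFILES[profile]
    return [max(10.0, rng.gauss(mean, sd)) for _ in range(n)]


def features(intervals):
    """Feature vector: mean and standard deviation of the intervals."""
    return (statistics.mean(intervals), statistics.pstdev(intervals))


def train_centroids(rng, sessions=20, keys=40):
    """Toy identifier: average feature vector per known typist."""
    centroids = {}
    for name in PROFILES:
        feats = [features(sample_intervals(name, keys, rng)) for _ in range(sessions)]
        centroids[name] = tuple(statistics.mean(f[i] for f in feats) for i in range(2))
    return centroids


def identify(centroids, intervals):
    """Nearest-centroid decision in (mean, std) feature space."""
    f = features(intervals)
    return min(centroids,
               key=lambda n: sum((a - b) ** 2 for a, b in zip(f, centroids[n])))


def standardise(intervals, period=150.0):
    """Countermeasure from the thread: release every key at a fixed cadence,
    so the identifier sees the same timing whoever is typing."""
    return [period] * len(intervals)


def accuracy(centroids, rng, transform=None, trials=200, keys=40):
    """Fraction of sessions the identifier attributes to the right typist.
    Trials alternate between the two typists, so chance level is exactly 0.5."""
    hits = 0
    for i in range(trials):
        truth = "typist_a" if i % 2 == 0 else "typist_b"
        intervals = sample_intervals(truth, keys, rng)
        if transform is not None:
            intervals = transform(intervals)
        hits += identify(centroids, intervals) == truth
    return hits / trials


def demo(seed=1):
    """Return (accuracy on raw timing, accuracy on standardised timing)."""
    rng = random.Random(seed)
    centroids = train_centroids(rng)
    return accuracy(centroids, rng), accuracy(centroids, rng, transform=standardise)


if __name__ == "__main__":
    raw, fixed = demo()
    print(f"raw timing: {raw:.2f}  standardised timing: {fixed:.2f}")
```

    With raw timing the two constructed typists are separated almost perfectly; with a fixed cadence every session yields the same feature vector and the identifier falls to chance.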

  3. Anonymous Coward
    Anonymous Coward

    GDPR

    Wouldn't this make all inputs on apps personally identifiable information, under the GDPR?

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR

      Wouldn't this make all inputs on apps personally identifiable information, under the GDPR?

      Yes, but the current flawed blatantly broken approach of especially US companies to user privacy has been recently blessed by the EU by means of an extension of the Privacy Shield agreement, so I am not entirely surprised they are giving GDPR requirements a stiff ignoring.

      They'll be doing that for as long as they can get away with it, which is either until people like Max Schrems once again start asking questions with a most annoying (for the recipients) persistence, or until we get Yet Another Massive Leak that prompts CEOs to spout the usual platitudes (and lies) about "caring about the customer" and "being sorry" and "taking steps to make sure it never happens again" (.. this week) etc etc.

  4. Anonymous Coward
    Anonymous Coward

    Who cares?

    So long as it can't distinguish between when I'm typing with both hands or only one...

    1. joed

      Re: Who cares?

      Or one can just use copy&paste for untrusted apps. Noscript would likely come in handy as well. For every action there's reaction.

    2. 's water music
      Paris Hilton

      Re: Who cares?

      So long as it can't distinguish between when I'm typing with both hands or only one...

      I suspect that many website owners can already make a shrewd guess

      1. Anonymous Coward
        Anonymous Coward

        Re: Who cares?

        So long as it can't distinguish between when I'm typing with both hands or only one...

        I suspect that many website owners can already make a shrewd guess

        Let me guess: that depends on the site's contents?

        :)

    3. Spanners Silver badge
      Coffee/keyboard

      Re: Who cares?

      I know some (young) people who use both thumbs, but both hands?

      What kind of phone do you have?

    4. Mr Sceptical
      Gimp

      Re: Who cares?

      They won't care about the typed input, just the rhythmic data from the accelerometer and the GPS indicating you're stationary at home / public toilets / local park...

  5. Magani
    FAIL

    Tools make tool

    The boffins say they intend to implement DeepService as a tool to help companies or governments "to identify their customers more accurately in the real life."

    So, not a chance in hell of a misidentification here. What could possibly go wrong?

    1. LaeMing
      Facepalm

      Re: Tools make tool

      There is a really easy way to identify customers more accurately in real life. It is called a login.

      (Icon for the 'boffins', not Magani.)

  6. frank ly

    Accelerometer data

    You can tell by the way I use my walk?

    1. Oengus

      Re: Accelerometer data

      It's a good thing that I never carry the damn thing with me. My boss is always telling me off for leaving the mobile on my desk and walking away or leaving it on the passenger's seat of the car (if I bother to take it when I go out).

    2. Michael Habel

      Re: Accelerometer data

      ~You can tell by the way I use my walk?~

      You're despicable!

    3. Anonymous Coward
      Anonymous Coward

      Re: Accelerometer data

      You can tell by the way I use my walk?

      Stayin' alive, stayin' alive ..

      :)

      1. Fluffy Cactus

        Re: Accelerometer data

        Several thoughts are streaming through my mind like rivulets of cascading insights leading to a plethora of splendiferous perceptions. . .

        1) I always could tell whether it was Mozart, Bach, Beethoven, or Wagner who were hitting the keys just so, same with KISS and Norah Jones, the Sex Beatles, no, wait, the Beatles and the Sex Thistles, no Pistols, .... so I guess we'll all be famous. Which is as useful as everyone winning the lottery at the same time.

        2) W h a t i f I t y p e d r e a l l y s l o w l y
        aaaa nnnnnn ddd m aa d e ma n n y m ee s t a k e ss
        w o u l d "they" s t i l l f i g u u rr e o u t i t ' s m e?

        What if I were rich and used a different secretary from the typist pool each time? Oh wait, that was in the 50's. Forget it. End of story.

        I got a "non-smart phone", I use "speed-dialing", and I don't text. Does that help?

        3) I read somewhere that credit card companies can often determine who is using a credit card by analyzing a mere three purchases. Pattern recognition, baby! One particular credit card company needed only one (1) purchase to figure out my card info had been snatched, because the hapless thief made a purchase at a "sports equipment store". (Since "sport" costs money, is exhausting, can hurt you, can even kill you, such a purchase was "so totally obviously not me", that this ID thief was busted on the first try. Ha!)

        4) Isn't anything you do online already tied to some sort of global user id, in addition to all sorts of IP address stuff? And aren't we already identified by the same old and tired web-sites we visit each time? Plus, if I go online and check my e-mail, then MI6, the NSA, Putin, Jong-Il, along with Google-Face-Apple-MSFT will know that it's me. If they are interested in me. Which I bet they are not, because I know nothing, and I got nothing.

        5) I don't understand how VPN works, because if something is not encrypted from beginning to end with a password that ONLY I and the FINAL RECIPIENT know, how can it be possibly safe? Can anyone explain that to me?

    4. PNGuinn
      Coat

      Re: Accelerometer data

      Why did I misread that last l? Maybe I've been reading elReg for too long ...

  7. James 51

    Would using a physical keyboard make a difference? A stylus? Another good reason to disable JavaScript. BTW no website needs to ID me unless I am buying something. Then I'll be handing over a unique ID and password and they will know it's me.

  8. Will Godfrey Silver badge
    Happy

    One way out

    If I'm being at all verbose I've got into the habit of typing it out in a text editor, proofing it then just copy/pasting it into the website's input field.

    I wonder what their thingy makes of that!

    1. jake Silver badge

      Re: One way out

      I've been doing that for years. I guess now I have a reason to continue.

      Funny thing ... If you spot a typo in one of my posts here on ElReg, invariably I typoed it directly into the browser. When I use vi, for some reason the ability to proofread my own work is vastly improved. I suspect it's the font, but I can't be arsed to make the necessary change to find out.

  9. Updraft102

    Wow, they love helping us

    From the abstract of the aforementioned publication:

    "With the rapid growth in smartphone usage, more organizations begin to focus on providing better services for mobile users."

    Oh, they begin to focus on that, do they? Perhaps a more accurate statement would be that they focus on providing the appearance of better services to lure people into the range of their ads and other monetization strategies. I doubt if "providing better services" is really anything more than a catch-phrase, but even if it's not, they only do it to the extent necessary to lure people into their trap. Why use more bait than you need? Once the victim is lured into the trap, you've got him.

    " User identification can help these organizations to identify their customers and then cater services that have been customized for them."

    Whether they want to have those services catered to them or not, right? Oh, and it's spelled "advertisements," not "services."

    "Currently, the use of cookies is the most common form to identify users. However, cookies are not easily transportable (e.g., when a user uses a different login account, cookies do not follow the user). This limitation motivates the need to use behavior biometric for user identification."

    Sure, that's it! It's because cookies don't follow people from device to device, not because some of us are wise to their game and don't let them play it with us. It would allow them to ever so more efficiently cater their services to us if they could track us on multiple devices, even though for people who move from one mobile device to the other, this would probably be a personal device (where the services are of a personal nature) and a work device (where the services are of a professional nature). How again would mixing the two allow them to provide better services? If the person does work-related stuff on his personal phone, the data they want about those work activities is already part of the dossier they would collect from data sent from his personal phone. If he keeps them completely separate, it's because he wants or needs them to be completely separate, and there is no value in trying to mix things that are not meant to be mixed.

    Unless, of course, that's not really the reason at all. I'm sure the LSO "super cookie" trackers and the browser fingerprinting trackers were all for the benefit of the user too, according to the perpetrators of each. It's just great how hard they're working to serve us all better, isn't it? They want to serve us better so badly that they're trying their hardest to defeat every defense we have against invasion of our privacy. For our own good, of course. Of course, that's by their definition of what's good for us, and that means having us besieged with ads for valuable and excellent products that their paid partners are willing to sell to us.

  10. anonymous boring coward Silver badge

    Creepy! I'm sure Google will be all over this one.

  11. ObeyThePoodle
    Coffee/keyboard

    Gliding away

    I mostly use glide tying on the phone, I wonder if that defeats this technology...

    1. jake Silver badge

      Re: Gliding away

      "glide tying"? A kink I've never heard of? Share!

      1. Adam 1

        Re: Gliding away

        I assume that the canine boss is referring to the option in google keyboard by that name. I think that Swype did it first.

        Sent from my glide typing keyboard.

  12. Anonymous Coward
    Anonymous Coward

    Good luck with that!

    My mobile phone has no accelerometer for starters.

    1. Anonymous Coward
      Anonymous Coward

      Re: Good luck with that!

      Ditto. I've got a feature phone: it has a removable battery, an SD card slot, & a headphone jack but not much else. I bought it expressly because it lacks the pseudo-"smart" functions so bullshite maneuvers such as the techniques mentioned in TFA can't work on me. Good luck reading a sensor's data that doesn't exist on a device that doesn't have a browser. BT is off, there's no wifi, & unless you're tracking my position via the cell tower signals, there's not even a GPS chip with which to try to find me.

      Dear Corporations, I do not want you to monetize me & I'll do everything in my power to make bloody well sure you keep your fekking hands off my data. STFU, FOAD, DIAF, & HAND!

  13. Randy Hudson

    "Having recently got over..." wow

  14. Winkypop Silver badge
    Boffin

    But what

    If you hold it wrong?

  15. T. F. M. Reader

    Did they disclose what "deep service" they really work for?

    "DeepService implements a gated recurrent unit (GRU)" - oh...

    Bootnote 1: "identifying individuals remains an unsolved problem in mobile computing" - that's a relief...

    Bootnote 2: Swype left...

  16. Neil Barnes Silver badge
    Big Brother

    or governments "to identify their customers more accurately

    Governments have customers? I thought I was their employer. That's the way the money flows, so I must be, right?

  17. Anonymous Coward
    Anonymous Coward

    We are born alone

    And we die alone

    In between the only entity that will truly know you will be Google and friends.

    What a depressing thought.

    1. jgarbo

      Re: We are born alone

      Don't know about you, but my mother was quite close by when I was born, or are they lying?

  18. jgarbo

    Can it also pick up the hand written messages from my S-pen?

  19. JimmyPage Silver badge
    Boffin

    Since it's just data ...

    it should be fairly straightforward to write an app to inject any amount of random crap (you could use the Daily Mail website) into the key streams to render this useless.

  20. Anonymous Coward
    Anonymous Coward

    Great, another attack surface for passwords...

  21. The Nazz

    Still, it could be worse

    As despicable as it is, there may be some useful outcomes from this. Maybe.

    Whereas, some fine UK university* has been training sheep** to nod at "celebrities" to gain food.

    * I can't be arsed to look up and post the recent news story

    ** As if Bieber, Beyonce (or Bey if you're more familiar) et al don't have enough followers.

  22. Anonymous Coward
    Anonymous Coward

    A possible solution

    Create an app that randomly changes the pattern of vibration when any key stroke is made. I enjoy tactile feedback so I always have the vibrate-when-key-is-pressed feature enabled. I would think that creating a few patterns or creating an algorithm that would randomly generate a different pattern for each key press would mess that system up.

  23. James O'Shea

    easily defeated

    I have gotten into the habit of leaving a window in a text editor (Notepad, for example, in Windows, or TextWrangler in OS X) and typing in that. And then copying and pasting. Go ahead, analyze that, laddie.

    This way, I have an offline copy, just in case Firefox goes TITSUP without warning (that's happened as recently as earlier this week) or just to keep things straight, or the site might do Strange Things and I can't be arsed with typing all that all over again.

    And, yeah, they can't analyze a damn thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: easily defeated

      They may well be able to detect keystrokes from other apps as long as it is itself running (which it could be without you knowing it). As for false data, it could try to gain priority (maybe even become a built-in system app) so it can detect faking attempts and work around them.

      1. James O'Shea

        Re: easily defeated

        That would make their app just an improved keylogger. Anti-keylogger measures should work.

        1. Charles 9

          Re: easily defeated

          They'd have to be at the hardware level to defeat a system-level keylogger. Even a rooted handset (less friendly thanks to root-aware apps) may itself get a root-level keylogger.

  24. allthecoolshortnamesweretaken

    I thought boffins were meant to make the world better?
