Keyboard privacy is essential, and not many people realize that the way they type can be used to track them. Most people have a distinctive typing style, and although it may only be slightly different to the way another person types it is still identifiable.
Even highly trained people that know how to type using traditional Qwerty finger positions inevitably hit keys microseconds faster than each other. Other people hold certain keys down for longer periods of time than others. That data is highly personal and can easily be used to identify you.
Until now, most people thought it was only cookies, super cookies, and other tracking technologies that they had to watch out for. Behavioral keyboard analytics, however, allow firms to monitor and track users even if they manage the cookies on their system really effectively. For people that don’t wish to be tracked, this is a problem.
Add to that the possibility that a typing behavior profile could fall into the wrong hands and you start to realize that behavioral profiling could be seriously harmful.
How does it work and is it effective?
To build up a profile of people’s behaviors, nefarious software is designed to monitor how long users hold keys – known as the ‘dwell time.’ Next, the software analyzes how long it is between each key a user presses – referred to as the ‘gap time.’
At other times, the software looks for how long it takes users to complete a known string of characters (taken from a database of common words). Analysis of this and hundreds of other metrics can allow a personal profile to be developed, which can then be attached to a user’s IP address – or even name.
Of course, how well a website can build up a behavioral profile on you depends on how much you type on that particular site. If it is a site where you tend to only use the mouse a little to navigate, then you are unlikely to be giving much away.
Other sites such as Facebook – where you spend vast amounts of time chatting with contacts – could theoretically be building up a detailed database of your typing style. The consequences could be far-reaching, too. If the websites that track your behaviors are given permission to sell that data to third parties – then other firms or websites could also know who you are from your typing style -a huge invasion of privacy.
In reality, it is possible to tell a lot from the way that a person types. A study from 2011 by Christophe Rosenberger at Ensicaen, for example, revealed that a person’s gender could be identified after very few keystrokes. If that is possible, imagine just how much data you are giving away as you type away for greater lengths of time.
It is not just keyboards, either. The way in which we interact with tablets and smartphones can also be analyzed. Where there is input there is behavior – and if there is behavior – a personal profile that is just as good as a password (if not better) for identifying individual users can be built up.
Enter a piece of software called Keyboard Privacy (for Chrome) or Behavioral Keyboard Privacy (for Mozilla Firefox). Those are add-ons designed to stop websites figuring out who you are from your typing.
The Chrome version has been around since last year when it was released as a Chrome extension by Urity Group. It was designed following the work of Paul Moore and Per Thorsheim and is a proof of concept design that obfuscates user gap and dwell times by delaying them from getting to the websites being used. The result is that websites can’t build up an actual profile of the user (or check who they are against a database they already have).
The new Firefox version of the add-on appears to be a port of the earlier version that was released for Chrome. The process and functionality, however, is the same on both of the add-ons, which work by setting both the gap and dwell time to a constant of 200ms.
For anybody interested in securing their typing online, the Behavioral Keyboard Privacy add-on is well worth checking out. Do be aware, however, that some bank password interfaces (and other identification systems) do analyze how you type your password for security reasons (as well as the password itself). For this reason, there may be times that you need to disable the software to identify yourself.
Other than that, the add-on is a nifty and straightforward application that adds a useful layer of protection when you are using websites and online services.