Security researchers have created a practical privacy attack out of a well-known theory around user behaviour. The attack appears to defeat privacy measures such as Tor.
The researchers, according to Ars Technica, have successfully created a site that can profile users based on their keystroke patterns. The website reported: “After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions.”
The ‘keystroke biometrics’ betray your identity because of the tiny pauses and hesitations unique to each individual that come in between each keystroke. According to GodPraksis, the technique has been around since World War II, when British intelligence operators listening to German morse code operators made profiles of the various people signalling the morse code. The speed of code, typing errors et al were used to differentiate between operators.
However, the use of technology to create ‘keystroke biometrics’ is an ominous step for anyone concerned about privacy, according to researchers.
"The risk may seem small when you consider one single website collecting this type of information," Runa Sandvik, an independent security researcher and former Tor developer, told Ars Technica. "The real concern with behavioral profiling is when it is being done by multiple big websites owned by the same company or organization. The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page. Suddenly, the IP address I am using to connect to these two sites matters much less."
Two researchers, Per Thorsheim and Paul Moore, were so concerned that they created a Chrome browser plugin to partially defeat the threat. The plugin caches input keystrokes and relays them at a pseudo-random rate designed to confound any attempt to profile them.