Digital fingerprints: tiny behavioral differences can reveal your identity online

Science News, Jan 13, 2007 by Julie Rehmeyer

Early during World War II, British intelligence officers eavesdropped on German radio transmissions, but because the messages were in an encrypted version of Morse code, the British couldn't understand the content. The dots and dashes came in distinctive rhythms, and the Allied spies quickly learned to recognize each Morse code operator's particular style, which the listeners called the operator's "fist."

Having identified the individual code senders, the intelligence officers triangulated signals and traced the operators' movements across the continent--thus tracking the movement of their military units.

Morse code transmissions have, for the most part, been supplanted by more-elaborate forms of electronic communication, the latest being the Internet. And differences remain in the way that people tap out their electronic secrets. Internet users have characteristic patterns of how they time their keystrokes, browse Web sites, and write messages for posting on online bulletin boards. Scientists are learning to use these typeprints, clickprints, and writeprints, respectively, as digital forms of fingerprints.

While the aims of this research are to strengthen password security, reduce online fraud, identify online pornographers, and catch terrorists, the technology is raising some troubling possibilities. "It's a bit scary," says Jaideep Srivastava, a Web researcher at the University of Minnesota in Minneapolis. "The privacy implications are huge. "This technology might make it impossible for a person to use the Web anonymously.

TYPEPRINTS In 1980, researchers at the Rand Corporation in Santa Monica, Calif., were looking for ways to increase the security of passwords used for logging into computers. They hit on an idea inspired by the World War II fists. Typists, like Morse code operators, might be identifiable by their rhythms.

The scientists kept track of the time between strokes as seven trained typists each entered three passages of about 300 words. Four months later, the volunteers repeated the task. The researchers found that even without any sophisticated analysis, a person could look at the grids of data showing average pauses between pairs of letters and, without fail, match each pair of samples from each of the typists.

Several companies already sell software packages that take advantage of this phenomenon to strengthen password security. Steven Bender, chief operating officer of iMagic Software in Solvang, Calif., says that because people type passwords so frequently, "we start to move it from the conscious mind to the unconscious, just like a dance step or golf swing." As a result, password typing has a nearly identical rhythm every time a person does it.

The typical typeprint-security package asks a user initially to type in his or her password several times. The program then derives statistics, such as the average time between the strokes. The next time the user logs in, the program permits access only if the keystroke timing is sufficiently similar to its initial data.

A major advantage of this kind of identity verification, unlike retinal scanning and other forms of biometrics, is that it doesn't require any sophisticated equipment at the user's end, Bender says.

Researchers are now developing the technique for application beyond password verification. Daniele Gunetti and Claudia Picardi of the University of Torino in Italy are creating a system that examines typing rhythms--sometimes called keystroke dynamics--while a person uses a computer, not just at log-in. "We are particularly interested in applying the system to track illegal activities around the Internet," Picardi says.

The researchers' system scans a person's normal typing to learn all his or her various typing rhythms, not just the ones that occur in a password. It then continually monitors these rhythms.

If a hacker manages to get into someone's computer account, the typeprint system will notice the different pattern and raise an alarm, perhaps by notifying the system administrator. The researchers reported in 2005 that the system produced about one false alarm in every 200 typing sessions.

This approach could also be used for identifying users of a Web site that requires a significant amount of typing. Online e-mail services such as Gmail or Yahoo are candidates for such protection, Picardi says.

Picardi also points to online bulletin boards. The program could identify posters performing illegal activities, such as soliciting sex from children, says Picardi.

Typeprint analysis raises a number of Orwellian possibilities. Conceivably, police could compile a log of many individuals' typing patterns and then identify users of public computers, such as those in libraries, Picardi says.

Even without a database of individuals' typeprints, authorities might glean information about someone on a public computer or online bulletin board just from that person's keystroke rhythms. For example, they might learn a person's native language because the common keystroke combinations that are typed most quickly vary depending upon the person's native language.