Digital fingerprints: tiny behavioral differences can reveal your identity online

Science News, Jan 13, 2007 by Julie Rehmeyer

People who write and sell software that directly records the content of what's being typed have been prosecuted for violating wiretap laws. Because keystroke-dynamics programs don't record contents, they aren't expected to be subject to such laws, and no legal difficulties have arisen so far. But in some circumstances, keystroke-timing data might be used to reconstruct a password or even the content of a message.

Gunetti and Picardi's program, for example, records the average time elapsed between keystrokes for each pair of letters but doesn't keep track of the order of the keystroke pairs. In a short typing session, however, that might be enough for someone to guess how to put together the keystrokes into the full message.
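The kind of record described above can be sketched in a few lines. This is an added example, not Gunetti and Picardi's program: the distance measure, the 0.15 threshold, the one-second pause cutoff and all sample timings are assumptions constructed for illustration.

```python
from collections import defaultdict

def digraph_profile(events, max_gap_ms=1000):
    """Mean latency (ms) per letter pair; the order of the pairs is not stored."""
    sums = defaultdict(lambda: [0.0, 0])
    for (c1, t1), (c2, t2) in zip(events, events[1:]):
        gap = t2 - t1
        if 0 < gap <= max_gap_ms:  # assumed cutoff: drop pauses and clock glitches
            sums[c1 + c2][0] += gap
            sums[c1 + c2][1] += 1
    return {pair: total / n for pair, (total, n) in sums.items()}

def profile_distance(a, b, min_shared=3):
    """Mean relative latency difference over digraphs present in both profiles."""
    shared = a.keys() & b.keys()
    if len(shared) < min_shared:
        return None  # too little overlap to decide either way
    return sum(abs(a[p] - b[p]) / max(a[p], b[p]) for p in shared) / len(shared)

def same_typist(a, b, threshold=0.15):
    """True/False against an assumed threshold, None when inconclusive."""
    d = profile_distance(a, b)
    return None if d is None else d <= threshold

def typed(text, gaps):
    """Build constructed (char, timestamp_ms) events from inter-key gaps."""
    t, events = 0, []
    for ch, gap in zip(text, [0] + gaps):
        t += gap
        events.append((ch, t))
    return events

# Constructed sample sessions of the same phrase (timings are invented).
TEXT = "then the hen"
ENROLLED = digraph_profile(typed(TEXT, [110, 90, 130, 200, 180, 112, 88, 210, 190, 92, 128]))
# Same typist later, with one long pause after "then".
RETURNING = digraph_profile(typed(TEXT, [115, 95, 125, 1500, 185, 108, 91, 205, 195, 93, 131]))
# A different typist with a different rhythm.
STRANGER = digraph_profile(typed(TEXT, [180, 60, 220, 120, 300, 175, 65, 110, 280, 58, 230]))

if __name__ == "__main__":
    print("returning:", round(profile_distance(ENROLLED, RETURNING), 3), same_typist(ENROLLED, RETURNING))
    print("stranger: ", round(profile_distance(ENROLLED, STRANGER), 3), same_typist(ENROLLED, STRANGER))
    print("short session:", same_typist(ENROLLED, digraph_profile(typed("he", [90]))))
```

The stored profile holds only seven averages for this phrase, which is why a short session leaves few possible orderings of the pairs.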

Typeprint analysis could also be troublesome in hackers' hands. In 2001, researchers pointed out that typeprints could be used by hackers to listen in when people are working on a computer from a remote location. Secure communication protocols send each keystroke across the Internet encoded in a separate data packet. A hacker can't read the encoded packets directly, but by analyzing the rhythm of the packets, he or she might narrow the possibilities for what has been typed. This vulnerability would be difficult to remove but, so far, it has also proved difficult to exploit.

Challenges remain even for using keystroke analysis to strengthen passwords or to identify the user of a Web site. Keystroke-dynamics software may be fooled if people type differently when they're using an unfamiliar keyboard or when they're tired or drunk or distracted. On the other hand, those variations may be valuable to detect fatigue in situations where alertness is essential.

CLICKPRINTS

The keyboard isn't the only method of computer input. With the rise of the Internet and its click-through format, input devices such as the computer mouse are playing an increasingly important role.

Picardi and Gunetti are testing ways to detect intruders on a computer system by their mouse movements. The researchers suspect that people have identifiable patterns in the shapes and speeds of their usual mouse motions.

Mouse movements can be used to produce signatures, says Peter McOwan of Queen Mary, University of London. He recorded his test subjects as they drew signatures using the mouse--either an imitation of their normal, pen-and-paper signatures or a drawing of their choosing. He used these digital signatures as additions to password entry to strengthen authentication of computer users' identities.

To challenge the strength of his program, he gave test participants the password of a person whose keystroke pattern and tracing signature had been previously recorded. The combined digital signature and keystroke-dynamic analyses rejected more than 95 percent of participants who were acting as intruders, while accepting the legitimate users more than 99 percent of the time, McOwan reported in 2003.

Other researchers are working to identify patterns in the ways in which people click and scroll through Web sites. Balaji Padmanabhan of the Wharton School in Philadelphia and Yinghui Yang of the University of California, Davis are looking for ways to employ what they call clickstream data--what a user clicks on and when--to verify Web site visitors' claimed identities and to prevent fraud online.


 


Content provided in partnership with Thompson Gale