Corporations are resurrecting a blast from the past in order to identify online users. And unlike earlier attempts to trace users, this method is behavioral. Get ready to go back to finger-pecking.
Online anonymity rests on two distinct barriers to identification: (1) the difficulty linking online activity to an IP address (often aided by a webmaster’s refusal to turn over such data); and (2) the difficulty establishing which user actually used that address. On this latter point, for example, a trace might lead to a city block, or to a household with unprotected WiFi. The problem has been that, even if the government or the plaintiff could follow the breadcrumbs, they could only be certain of the access point of the offending computer or at best, the location of the offending computer itself. The user always had the last ditch defense “That wasn’t me at the computer.” But that may all be coming to an end.
Until recently, the powers that be have overlooked a way to identify individual users by analyzing the rhythm of their keystrokes. This oversight is all the more surprising when you consider that governments used this very method of identification to great success in World War II. But, according to Ars Technica, corporations are beginning to use this technique to create a sort of hyper-accurate cookie to ensure the visitors on a website are unique users.
As I type this blog, I engage in all sorts of typist idiosyncrasies: I strike the keys in a certain rhythm, pausing after specific letter combinations (especially odd is my use of Capslock instead of Shift for capitalization). You doubtlessly have idiosyncrasies of your own, especially for repetitive typing tasks, like entering a password. These typing patterns/habits can be used as a digital fingerprint, provided that there are enough samples to establish your keyboardist tendencies.
This is not at all farfetched. In fact the Allies used this exact method to track Axis radio operators during the Second World War. Even if a message could not be decoded, listeners could create a record of an operator’s “fist,” his particular style of Morse code e.g. distinct and repetitive pauses between dits and dahs. By following an operator’s fist, the Allies could determine the location of entire units: “Franz is now sending from the Eastern Front.” The creative crowd has not overlooked the sheer brilliance of this maneuver. Neal Stephenson used the concept of a telegraphic “fist” as a plot point in his novel Cryptonomicon; Malcolm Gladwell also wrote about fists in Blink. Similarly, commentators have wondered if a coding style could serve as a fist for purposes of identification.
I think it is fairly obvious that the development of a robust method of typewriting analysis would greatly threaten online anonymity, precisely because there is not an obvious countermeasure. IP tracing can be thwarted in numerous ways (onion routing comes to mind). But you are unlikely to suddenly change the way you type. German radio operators did not want to have a special identifying style, neither do Internet users, but these patterns are just part of our behavior. I doubt that any large number of users could become so paranoid as to engage in manual “Crazy Ivans” or rapid unpredictable changes in typing habits.
Granted, these habits are not unique. But they don’t have to be. If 1 in 20,000 people share the same pattern, a user’s fist would still be a very useful filter when combined with information like an IP address.
None of this should sound crazy. I wrote a few days ago about the FBI’s desire for a URL log for every user. Surely, a record of typing habits would be of even greater use for law enforcement. It would not matter if the target user switched computers or exploited an open WiFi signal, he would carry his digital signature with him. Fingerprints are coming to the Internet ("Enigma has been cracked!") and the security of online identities may never be the same.
I gave a fun little interview on this topic for NPR's On The Media. You can hear it at http://www.onthemedia.org/transcripts/2010/02/26/03
(Andrew Moshirnia is a second-year law student at Harvard Law School and a CMLP blogger. Just to be on the safe side, he typed this message with a dialing wand. )