a note by me on anonymity

if you want to see what the experts are saying about Internet anonymity and what might happen by 2020, check out their views in The Future of the Internet IV just issued by PewInternet, which it released  last Friday.

For one thought by me on anonymity, read on.

Coincidentally on Friday I came across an ars technica article, from which I learnt that Scout Analytics recently analyzed 20 million logins for 40 paid content clients for “cadence and rhythm” and was able to identify 175,000 unique patterns “and therefore 175,000 distinct users.” The algorithms required a minimum of five attempts at entering a phrase of at least 12 characters to establish a pattern. Scout Analytics estimates that only 1 in 20,000 people share the same pattern. But the software doesn’t identify people; the unique typing pattern identifies unique individuals but not their identities.  Then I found another recent (02/16/10) article entitled Biometrics firm confirms: User counts for websites are 2-4 times too high at VentureBeat and some background information on Scout Analytics.

But then I found another article, dating back to March 2006, at the btn (bank technology news) website detailing a system called BioPassWord which implemented typing cadence technology to generate secure logins for businesses. Searching for BioPassWord dropped me to a website called biopassword.com which is the website for “admit | one | security” which links to two products “Sentry” and … “Scout Analytics.” Here’s a link to their Sentry product which is offered to businesses to control secure logins using a multiple factor approach: Credentials (User ID/password), Keystroke Dynamics, Device  and Network.

Keystroke Dynamics translates to keyboard biometrics (ZDNet): “An authentication method that uses the rhythm of a person’s typing on the computer.”

So putting these two together; what would happen if keyboard biometrics became part of the sign-up procedure when we first set-up an account at a Cloud-based service that required our true identity? That means our keyboard biometric pattern (kbp) would become part of our user profile. So our user profile would be username/passcode/kbp. What would that mean?

Let’s take an example: Section 4 Facebook Terms of Service:

4. Registration and Account Security

Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account:

  1. You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

So here’s a scenario – the owners of Facebook get users to add a kbp to their user profile as an identity verification measure (to try to control the nasty web or reduce the possibility of fraud in virtual commerce or scams or for any other reason). So now my Facebook identity attaches to a kbp and under the Terms of Service I have to provide my “real names and information.” So how do I stay anonymous after that? Just as your average user. Particularly since Facebook Connect is used as a “passport” now across multiple websites which would mean my keyboard biometric pattern (kbp) might travel with me and, inevitably, leak. I really don’t know the answer to that. The challenge is that it doesn’t have to be Facebook. It could be any Cloud-based service that requires real names/information and a kbp for use of the service. Once the link is made, the link is made. After that, it seems to me, it’s just details. Isn’t it?

I had a hope that the kbp method was not strong enough to hold up across different keyboards (and therefore Facebook – or anybody else – wouldn’t bother to add it). In other words, if I used my computer at work and then I went home and then I went to an Internet cafe my typing wouldn’t match. Well … (from the VentureBeat article above):

More important, Scout’s software can also tell that the same person hit a website from five different computers over the course of a month, or that three people are sharing a single login and password.

So is this something to worry about? I’ll try to find out.

Note 2/29/10: Matt Shanahan of Scout Analytics and Andrew Moshirnia, Citizen Media Law Project blogger, were interviewed on NPR’s On The Media a couple of days (2/26/10) after this post went up, in a segment called “Different Strokes.” For their take on it, please read the transcript. I’ll follow up a little bit on it.