Different Strokes

Friday, February 26, 2010


Companies are using software that analyzes our typing patterns and helps them figure out if we are who we say we are online. But is it a privacy violation? Should we be very afraid? Scout Analytics' Matt Shanahan discusses the uses and potential abuses of the technology, while Citizen Media Law Project blogger Andrew Moshirnia says it’s an ominous new twist on handwriting analysis.

Comments [12]

dudette from Bethesda, MD

interesting thought piece...

as for all the comments on here about alarmism - if you actually listen to the first guy, he explicitly says that he's not that worried about the technology right now and that monitoring would be easy to block with a software interrupt if you knew you were being monitored.

i wished they'd talked about using this technology for authentication purposes, which is where i think it has the most value.

Mar. 30 2010 12:40 AM
Eric Mesa from Baltimore, MD

I think a couple others commented in the same way as I'm about to, so I hope it's addressed in a future OTM episode if it hasn't been already (I'm behind on my podcasts).

At any rate, the whole part about monitoring people over the Internet is complete bunk and nothing to worry about - at least as presented in the piece. Yeah, they could track your IM and other real-time data. But anything you put in a forum does not track the metadata needed to know your typing cadence. It just stores the ASCII or UTF-8 characters. No one stores the data on your typing. So it would be impossible to use that technique unless the government could compel all US-based forums to install such metadata-tracking software.

Mar. 10 2010 08:33 PM
Chris Gray from New Haven, CT

Oh, give us a break!

Mar. 04 2010 04:18 PM
Paul from New York, NY

Quoting from a VentureBeat blog about the middle of Feb: "More important, Scout’s software can also tell that the same person hit a website from five different computers over the course of a month, ..." I assumed that meant that the software would certainly be able to tell it *wasn't* a particular person. That may be a wrong assumption.

But if not, what if FB offers (opt-in) the ability to attach a kbp to your password to detect it *isn't* you trying to log in to your account? Then there's a kbp / password / *profile* combo attached to a particular person. At that point it all would hang on how many people take FB up on the offer.

So if the logic follows through I think the implications might be worth looking at. Thanks!

Mar. 04 2010 07:12 AM
Eben from Internal Exile

I have little to add to Grant's comments which im(ans)ho are far more accurate than anything in the segment, except to urge you to salvage what credibility you can by running a followup piece discussing the reality vs the claims of those you have portrayed as experts. The last thing that the progressive media needs is to give Fox et al. another reason to question our concerns about real problems like the global climate crisis because we don't have the good sense to leave canards like this to Stephen Colbert or Le Show.

Mar. 03 2010 01:22 PM
Grant BlahaErath from Seattle, Washington

I can't believe I'm feeling compelled to make another comment, but this piece bothers me. It bothers me because OTM has just done the kind of thing they criticize the other media sources for doing. They played to people's fears of technology that few people understand, and then tried legitimizing the fear by bringing in two opposing pundits that have vested interests in distorting the truth. By doing so, OTM distorted the real information around the story.

There was no reporting on the possibility the fear had no basis in reality. No skepticism that humans can be identified by their typing at all. They bought the underlying premise like the BBC bought Pishtacos in Peru.

I don't really blame OTM all that much; media often gets things wrong because the individuals reporting the news lack the expertise on a particular topic. I would expect OTM to be just a tad more aware of their weakness around technology reporting, and in cases like this, just avoid it.

Mar. 02 2010 05:48 PM
Peter from Ithaca, NY

It would be easy for a tech-savvy person to write (and share with the world) a computer program that would make it impossible to identify typists through their typing patterns.

The computer program that I would write if I were worried about this would buffer my keystrokes and send them out at a uniform pace, masking any idiosyncrasies. For example, if I typed "Q-U-I-C-K-B-R-O-W-N" with spacings between letters in milliseconds of
183, 194, 188, 194, 198, 180, 182, 190, 199
then the program might send the same letters out but with spacings of
200, 200, 200, 200, 200, 200, 200, 200, 200.
While somebody might recognize me from the first sequence, all they can tell from the second sequence is that I type approximately 1 letter per 200 milliseconds. Lots of other people share that typing speed, so it doesn't say very much about me.

Mar. 01 2010 08:34 PM
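
The buffering idea in the comment above, as an added example (not part of the original comment or the broadcast): a simulation that releases buffered keystrokes only on a fixed 200 ms grid. The function names and the "pause" and "fast" samples are constructed; the example goes one step past the comment by showing that a pause longer than one tick still shows up, rounded to a multiple of the tick.

```python
# Constructed simulation of a keystroke-timing buffer (times in milliseconds).

PETER_GAPS = [183, 194, 188, 194, 198, 180, 182, 190, 199]  # from the comment
PAUSE_GAPS = [183, 194, 950, 188]   # constructed: typist stops to think
FAST_GAPS = [90, 110, 95, 100]      # constructed: typist faster than the tick


def gaps_to_times(gaps):
    """Turn inter-key gaps into absolute key-press times, first key at 0."""
    times = [0]
    for g in gaps:
        times.append(times[-1] + g)
    return times


def release_times(press_times, tick_ms=200):
    """Emit buffered keys in order, one per tick, only on multiples of tick_ms."""
    out, next_free = [], 0
    for t in press_times:
        tick = -(-t // tick_ms) * tick_ms      # first grid point at or after t
        emit = max(tick, next_free)            # never two keys on one tick
        out.append(emit)
        next_free = emit + tick_ms
    return out


def observed_gaps(gaps, tick_ms=200):
    """Gaps a remote observer sees after buffering."""
    sent = release_times(gaps_to_times(gaps), tick_ms)
    return [b - a for a, b in zip(sent, sent[1:])]


def worst_delay(gaps, tick_ms=200):
    """Largest time any key waits in the buffer (the usability cost)."""
    pressed = gaps_to_times(gaps)
    return max(s - p for p, s in zip(pressed, release_times(pressed, tick_ms)))


if __name__ == "__main__":
    for name, gaps in [("peter", PETER_GAPS), ("pause", PAUSE_GAPS), ("fast", FAST_GAPS)]:
        print(name, observed_gaps(gaps), "worst delay", worst_delay(gaps))
```

In the constructed "fast" sample the delay grows with every key (405 ms by the fifth), which is the cost of picking a tick slow enough to hide every typist.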
Paul from New York, NY

What if Facebook offered an opt-in option to its users to attach a keyboard biometric pattern to their user profile? In order to make sure that messages (not status updates or Wall postings) were by the person who wrote them. To cut down on scams or for any other reason.

Since Facebook requires a user's true name and information under the TOS that means that at that point a keyboard biometric pattern would be attached to someone's true identity.

I don't know if this is technically possible, but if so the implications might be worth thinking about.

Mar. 01 2010 06:19 PM
Roland Dumas from San Mateo, CA

The vast majority of web forms are simple html forms. They collect the user's input and send it to the web server in a burst. The receiving end doesn't know if you take a millisecond or an hour between strokes.

For keystroke monitoring to work, a lot of websites would have to implement some sort of Java or JavaScript method to collect the data. As soon as it got out that site A was doing that, their business would be toast.

Net net: implausible scenario.

Feb. 28 2010 08:10 PM
Grant BlahaErath from Seattle, Washington

As a software architect with expertise in keyboard stroke monitoring, I can say that this was very alarmist and quite misleading. I'm a software architect who in the past has developed a version of Mavis Beacon Teaches Typing and is currently developing a new kind of web browser. So I know quite a bit about the underlying technologies.

Mavis did monitor stroke timing to detect weak keys and present typing lessons and so I know how accurate it is. It's pretty good for finding keys that users hesitate on, but not accurate enough to compute a "signature" of the user. The OS introduces random delays, interferes with the accuracy of clock timing, etc. In a browser, it's even less accurate because JavaScript introduces delays in key processing that are also unpredictable. Then there is the lack of physiological evidence to support the notion of detectable typing patterns.

Because of this, I think Scout's claim of 1 in 20K accuracy (which isn't really all that accurate) is unlikely. I would at the very least suggest some real testing on that. Scout's product may still be useful as a measure of free riding, but if I were a client I would hesitate to cut off customers, or charge customers more, because of that information.

The whole law enforcement angle is just fantasy. The whole issue around accuracy, gathering a baseline of samples before the crime and during, just sounds impossible. Like that is ever going to make it through a jury.

Finally, an application that randomizes a person's "fist" is as easy to write as an application that detects it. The potential for automatic forging is also equivalent. This fact alone makes it unlikely that anyone would ever use this practice for anything other than alarming the media and parlor tricks.

Feb. 28 2010 07:38 PM
