Companies are using software that analyzes our typing patterns and helps them figure out if we are who we say we are online. But is it a privacy violation? Should we be very afraid? Scout Analytics' Matt Shanahan discusses the uses and potential abuses of the technology, while Citizen Media Law Project blogger Andrew Moshirnia says it’s an ominous new twist on handwriting analysis.
BROOKE GLADSTONE: This is On the Media. I'm Brooke Gladstone.
BOB GARFIELD: And I'm Bob Garfield. Next time you’re at your computer keyboard, stop for a moment and notice the way you type, not the words, but the pattern. Are you a -?
[SOUND OF FAST TYPING] Or a -?
[SOUND OF SLOWER TYPING] We all have idiosyncrasies in the way we type, for example, how long we pause between keystrokes. Companies are now using new software that can record and analyze those typing patterns to see if we are who we say we are online. We first read about the software on the Ars Technica blog, which we'll link to. Apparently, the software is useful for companies that sell limited access to their expensive databases. Pattern recognition can weed out poachers who log in with somebody else’s password. Harvard law student and blogger at the Citizen Media Law Project, Andrew Moshirnia, says it’s just a new twist on handwriting analysis, but an ominous one. Andrew, welcome to the show.
ANDREW MOSHIRNIA: Oh, thanks for having me.
BOB GARFIELD: So, in a way, this is reminiscent of handwriting analysis but maybe more particularly, going back to World War II, the tracking by the Allies of Axis radio operators to determine their signature fists, they were called, their patterns of keystrokes in Morse Code.
ANDREW MOSHIRNIA: Right. A large number of British interceptors, which were primarily British women, were listening to the Morse Code being picked up by the Allies from the Axis, and after a while, they were able to discern patterns and be able to identify, you know, this particular person, you know, Hans Grunberg, is typing out this message. I don't know what this message says, but I know that Hans Grunberg is linked to this U-boat. So this is a way that we can discern, you know, movement patterns of different units. And they did this with, you know, great success.
BOB GARFIELD: Okay, so if Hans, the radio operator, has a signature fist, maybe some terrorist also has a signature fist, and maybe Courtney, the 17-year-old high school student pirating music, also has a fist. If we can recognize that fist, we can track her anywhere.
ANDREW MOSHIRNIA: That’s sort of the hope militarily, and that’s the fear domestically.
BOB GARFIELD: It doesn't take a whole lot of imagination to imagine many other uses for this kind of pattern recognition software. I'm thinking of intelligence agencies and law enforcement agencies using it without a warrant to identify people who may not even realize they're being tracked.
ANDREW MOSHIRNIA: Well, I think to understand that, you'd have to look at the difference between positive and negative identification. So the idea of positive identification would be you can track a user by this fingerprint. So looking at this site and this site and this site, we see the same cadence, so this must be the same user. I don't think we're there yet. I do think that we're approaching the idea of having a pretty robust system of negative identification. That is, we can be relatively certain that this was not the target user. And why that’s really important for law enforcement is that, in the end, this sort of is always the last-ditch excuse for, okay, we've tracked your IP address, we have linked you to this illegal activity and what do you have to say? And the response is always, well, that wasn't me. It was a virus, it was someone that broke into my wi-fi network. And so, this would be just one more piece of data to help explain whether or not it was or was not you.
BOB GARFIELD: Let's just assume for a moment that the algorithm gets a bit more sophisticated. Is it possible to crawl the Web looking for matches of someone’s known typing fingerprint to know what exactly they are typing somewhere on the Net, right now?
ANDREW MOSHIRNIA: If you have a state that devotes significant resources to this and is able to limit the number of users, certainly. Iran, for example, they just got rid of Gmail, and now everything is going through their own proprietary email system. That’s incredibly terrifying.
BOB GARFIELD: We've talked about a couple of ways that the software could be abused. What haven't we mentioned?
ANDREW MOSHIRNIA: The big thing is that if I know what your cadence is, and I'm practiced at your cadence, I could impersonate you. So if I want to discredit someone, I could go onto a very bad site and I could engage in sort of fake digital fingerprinting.
BOB GARFIELD: Yikes!
ANDREW MOSHIRNIA: It’s scary. It’s really, really scary stuff. But, I mean, that’s, that’s like four or five levels, levels beyond where we're at right now.
BOB GARFIELD: You know, on a scale of zero to ten, where ten is abject terror, how spooked should we be about this latest opportunity to figure out who we are, when we perhaps would like to remain anonymous?
ANDREW MOSHIRNIA: Right now I'm not very scared. I'd put myself at about a two, because unless I'm using one of those proprietary systems that has this software already in place, I'm not that worried. What should scare us, and I'd put this more around like a seven or an eight, because if we don't know we're being observed, it would be very, very difficult to enact a countermeasure. You would have to use either a software interrupt or a different typing style to get around the problem.
BOB GARFIELD: Well, Andrew, thank you very much.
ANDREW MOSHIRNIA: Thanks so much, Bob.
BOB GARFIELD: Andrew Moshirnia is a law student at Harvard University and a blogger for Harvard’s Citizen Media Law Project. Matt Shanahan is the Vice-President of Strategy at Scout Analytics, which does this typing pattern analysis for its 40 clients. He says there is nothing sinister about collecting this data.
MATT SHANAHAN: First of all, there’s actually no way to tie it back to the individual themselves, at least through our data sets that we have. Secondly, those patterns aren't universally unique. It turns out that there’s probably 20,000 individualized patterns, so it’s not like a fingerprint or an iris, in that sense. It’s statistically meaningful, and when combined with the IP location that somebody came from, etc, it can help build a, a profile. But, you know, I think sometimes people say, wow, you know, this is suddenly an eye behind me tracking everything I do, and that’s really not the case.
BOB GARFIELD: All right, Matt, let me just give you what I think is the nightmare scenario and you tell me if, you know, you can disabuse me of this fear, all right? The government decides they want to surveil somebody – let's just say me – and they learn my patterns of typing, using software like yours, and then they crawl the Internet looking for someone with a signature exactly like mine to see what I'm writing online, anytime, anywhere? Is that a paranoid concern?
MATT SHANAHAN: Yeah. If they want to track you, there’s a lot [LAUGHING] better ways to do it. The better way for them to track you is to track your device and IP locations. And even though you may try and mask that, it’s a lot easier to get a beat on you that way than any other way.
BOB GARFIELD: Have you heard from the FBI, from the National Security Agency, CIA, Defense Intelligence Agency, anywhere else in law enforcement or intelligence apparatus asking to learn more?
MATT SHANAHAN: We've worked with agencies in the past, government agencies that wanted more secure networks. Again, the reality is, typing pattern is one factor. That factor on its own is insufficient. That being said, also the limits of why it’s not going to be able to get finer is the actual timing resolution only gets down to one millisecond, and to take it deeper than that, you would have to redo all the operating systems, all the keyboards, everything across the network.
BOB GARFIELD: Ah, so what you’re saying is even if the software advances that the limitation, the physical infrastructure of the world of computing makes it structurally impossible to refine this technology to the point that it becomes frightening.
MATT SHANAHAN: Right, we just don't see that infrastructure changing that quickly.
BOB GARFIELD: So, if I understand you correctly, you’re saying it’s not that I shouldn't worry about privacy and technology, but I have much scarier things to worry about than this.
MATT SHANAHAN: I certainly think that measurement on the Web is advancing way beyond the ability to look at a set of keystroke patterns. When you take into account what the new mobile devices can do about taking pictures, fixing location down to exact spots, even at least a cell phone tower, a lot more is learned through the newer technologies than the old keyboard.
BOB GARFIELD: Okay, Matt, thank you so much.
MATT SHANAHAN: Well, thank you.
BOB GARFIELD: Matt Shanahan is the vice-president of strategy at Scout Analytics.