JavaScript-based biometrics

Has there been any discussion concerning JavaScript-based biometric de-anonymization techniques using keyboard and mouse I/O? Are there any plans to attempt to introduce delay in these two sources of user input as an obfuscation method to this technique?

1 Like

I’m sure this has been discussed plenty of times (I don’t have links though), but it sounds extremely, extremely hard.
The best solution is, as always, disabling JavaScript (i.e. the “Safest” setting in Tor).

Like all fingerprinting, you have to think about the available precision in the observation of the user. In the case of mouse/keyboard input fingerprinting, the precision comes from the timer available to the attacker. The big hammer solution is to just lower the precision of the JS timer API to induce aliasing and reduce the number of bits contributed to an overall fingerprint of the user. However it’s not that simple. There are other ways to create high precision timers other than the explicit timer API; counting loop iterations being the most obvious. The timing problem is very hard to solve but there are other potential solutions.

A similar timing-based attack can be found in network traffic flow analysis. The solution there is to delay and combine packets and transmit them at a regular cadence to eliminate the opportunity to track a packet as it flows through a network simply based on ingress/egress timing. Maybe there’s a solution where input updates from the keyboard/mouse are delayed slightly and batched up and delivered in the browser at regular time intervals to try to smooth out any observable variation between input events rather than trying to prevent high resolution timers.

This has been discussed for many years, thanks for bringing it up again since it hasn’t been solved.

1 Like
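A sketch of the batching idea from the post above, set beside timer clamping, as an added example that is not from any poster or from Tor Browser's code. The function names, the 50 ms step and the keystroke times are constructed assumptions.

```javascript
// Constructed key-down times (ms). A and B share a coarse rhythm but differ
// in fine-grained timing; C has a different coarse rhythm.
const sessionA = [0, 92.4, 201.7, 287.3, 410.9, 498.2];
const sessionB = [0, 61.3, 238.9, 271.5, 437.2, 455.8];
const sessionC = [0, 131.8, 236.1, 391.6, 470.3, 642.7];

// Times at which the page learns of each event under a mitigation.
//  "clamp": the event is dispatched at its true time and only the timer API
//           reading is rounded down, so a script with its own clock (for
//           example a counting loop) still sees the true time.
//  "batch": the event is held and dispatched at the next fixed tick, so
//           every clock the script can build sees the tick time.
function observe(trueTimes, mitigation, stepMs, hasSideClock) {
  return trueTimes.map((t) => {
    if (mitigation === "batch") return Math.ceil(t / stepMs) * stepMs;
    if (mitigation === "clamp") {
      return hasSideClock ? t : Math.floor(t / stepMs) * stepMs;
    }
    throw new Error("unknown mitigation: " + mitigation);
  });
}

// True when two sessions are indistinguishable to the page.
function sameView(a, b) {
  return a.length === b.length && a.every((t, i) => t === b[i]);
}

// Input latency added by batching; always below one tick.
function maxAddedDelay(trueTimes, stepMs) {
  const seen = observe(trueTimes, "batch", stepMs, true);
  return Math.max(...seen.map((t, i) => t - trueTimes[i]));
}

const STEP = 50; // assumed tick / timer resolution in ms
for (const [name, mit, side] of [["clamp, timer API only", "clamp", false],
                                 ["clamp, side clock", "clamp", true],
                                 ["batch, side clock", "batch", true]]) {
  const a = observe(sessionA, mit, STEP, side);
  const b = observe(sessionB, mit, STEP, side);
  const c = observe(sessionC, mit, STEP, side);
  console.log(name, "| A~B:", sameView(a, b), "| A~C:", sameView(a, c));
}
console.log("max added delay (ms):", maxAddedDelay(sessionA, STEP).toFixed(1));
```

Batching aliases the sub-tick differences between A and B even when the script has its own clock, while C's coarser rhythm still shows through. The price is up to one tick of added input latency.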

Out of curiosity, who is going to those lengths to perform mouse/keyboard input fingerprinting? It must be happening or it would not be a subject here. I’m assuming state actors and malicious regimes. Or are we talking about the big corporations?

I came across this today: A.I. can identify keystrokes by just the sound of your typing and steal information with 95% accuracy, new research shows
Laptop users are at risk of having sensitive information stolen just by the sound of typing on their keyboard

It’s not really fingerprinting. It might be BS.

(you might have to toggle reader mode to see it) A.I. can listen to you type and steal your information: study | Fortune

1 Like