New Update Keyboard Privacy for Chrome/Firefox - Prevents behavioral profiling based on your typing

Status
Not open for further replies.

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
For Chrome version

Most Internet users know that they are tracked when they are online. Common forms include scripts that run on sites, social buttons, or analytic software.

Users interested in tracking, for instance to protect themselves better, know of other tracking methods such as fingerprinting.

While those tracking methods are still widely used, research has been underway for a long time to find other means of tracking users, and research in behavioral profiling brought forth numerous new tracking methods that no one thought of several years ago.

One method analyses a users typing patterns. Instead of just profiling what you are typing, for instance by looking at recurring errors or the use of certain words, this type of profiling analyzes how you type as well.

The method uses many different metrics for that, for instance how long it takes to press certain keys, the delay between key presses, how long it takes you to type common words, or which common errors you make repeatedly, and how long it takes you to correct them.

Protection

So how do you protect yourself from this form of behavioral targeting? You could break the pattern if you concentrate on that by typing differently for instance or mixing things up by using online keyboards or different types of keyboard that force you to use them in a different way.

The experimental Google Chrome extension Keyboard Privacy offers an automated solution. Good news is that it works right after you have installed it in the browser without you doing anything else besides that.

The extension adds an icon to Chrome's main toolbar that reveals preferences and an option to disable the feature on the site you are on.

It supports the two core metrics Dwell Time and Gap Time currently which, according to the extension's author Paul Moore, is sufficient to block the behavioral profiling.

Dwell time is the time each key is pressed and gap time the time between key presses.

You should not notice any issues or noticeable delays while using the software. If you do, you may adjust the time settings or disable the extension's functionality on the site you are on.

You may notice that Chrome's CPU use is going up while you are typing but it will go down once you are finished doing so.

Closing Words

Keyboard Privacy is a handy Chrome extension that improves your privacy online. While the scope of behavioral profiling is unknown right now, it is certain that it will play a bigger role in the coming years as traditional tracking methods are not nearly as effective anymore as they have been years ago.

Read here

Keyboard Privacy for Chrome prevents behavioral profiling based on your typing - gHacks Tech News

Read and watch the demo here

Behavioral Profiling: The password you can't change.

Get it here

Keyboard Privacy
 
Last edited:

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Will pass. Better they track me with the way i type which in my opinion is nearly impossible without combining it with other methods than allow this extension from a random company to access everything.

j5hUChc.png
 

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Will pass. Better they track me with the way i type which in my opinion is nearly impossible without combining it with other methods than allow this extension from a random company to access everything.

j5hUChc.png
The description is incorrect. It should read

Quote from the below link
Meet KeyboardPrivacy, a proof-of-concept Google Chrome extension which interferes with the periodicity of everything you enter into a website.

Once installed, you can continue to use the web exactly as you do now. When you enter anything on your keyboard, KeyboardPrivacy will artificially alter the rate at which your entry reaches the document object model (DOM).

Behavioral Profiling: The password you can't change.
 

Paul Moore

Level 1
Nov 25, 2017
3
Will pass. Better they track me with the way i type which in my opinion is nearly impossible without combining it with other methods than allow this extension from a random company to access everything.

j5hUChc.png
Hi SHvFl

The KeyboardPrivacy plugin needs access to every site you visit in order to alter the rate at which characters reach the DOM. We cannot access, nor see anything you do online.

Sites can (and do) track people using this technique; banks typically. If you value privacy over security, it's worth considering.

Thanks HarborFront for posting this.
 

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Hi SHvFl

The KeyboardPrivacy plugin needs access to every site you visit in order to alter the rate at which characters reach the DOM. We cannot access, nor see anything you do online.

Sites can (and do) track people using this technique; banks typically. If you value privacy over security, it's worth considering.

Thanks HarborFront for posting this.
Welcome to MT forums. :)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Hi SHvFl

The KeyboardPrivacy plugin needs access to every site you visit in order to alter the rate at which characters reach the DOM. We cannot access, nor see anything you do online.

Sites can (and do) track people using this technique; banks typically. If you value privacy over security, it's worth considering.

Thanks HarborFront for posting this.
I don't really value my privacy over security because limiting security just means i am improving my privacy for one aspect and lowering it for the other. In this case i stop sites POSSIBLY tracking me and i allow this addon to PROBABLY track me if they decide to go malicious or get hacked. In my personal opinion the latter has more chance than me being tracked ONLY by my typing pattern.

Thanks for your comment regardless and good luck.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I don't really value my privacy over security because limiting security just means i am improving my privacy for one aspect and lowering it for the other. In this case i stop sites POSSIBLY tracking me and i allow this addon to PROBABLY track me if they decide to go malicious or get hacked. In my personal opinion the latter has more chance than me being tracked ONLY by my typing pattern.

Thanks for your comment regardless and good luck.
In doing so my brother SHvFl you are also lowering your profile (attack surface), not using it may be smart, can't tell till I take a peek
and tinker with this. I hardly see a way it would be coded in a manner that would not affect above mentioned.
What say you before I tinker Mr @Paul Moore ?
 

Paul Moore

Level 1
Nov 25, 2017
3
By all means, tinker away :)

Just keep in mind, this was a proof-of-concept and may need alteration to keep up with current implementations of behavioral profiling. I am not involved with the Firefox version of the plugin, so I'm unable to comment on it.

@SHvFl
That's a very good point! With every additional plugin you install, you're putting yourself at greater risk; how much so depends on the plugin and developer behind it. I won't insult your intelligence with a cookie-cutter "we take security seriously" line, however you're welcome to carry out some OSINT on myself, the company and the premise behind the plugin before deciding if you should use it.

However, I will give you a brief insight into how the account which pushes updates for KeyboardPrivacy is managed.
1) It's a G Suite account.
2) The password for it was generated by 1Password; is 12 characters long, truly random and for the foreseeable future, unbreakable.
3) The account is also protected with 2SV via a Yubikey.
4) I am the only key holder. The account has no secondary fail-over methods (SMS, email etc), limiting the attack surface yet further.
5) Logins are audited on a weekly basis and limited by IP & geo-fenced.

Where this plugin is concerned, you're more likely to be tracked than affected by a breach... but that's not to say every other developer takes the precautions I do, so your risk assessment is spot on.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
By all means, tinker away :)

Just keep in mind, this was a proof-of-concept and may need alteration to keep up with current implementations of behavioral profiling. I am not involved with the Firefox version of the plugin, so I'm unable to comment on it.

@SHvFl
That's a very good point! With every additional plugin you install, you're putting yourself at greater risk; how much so depends on the plugin and developer behind it. I won't insult your intelligence with a cookie-cutter "we take security seriously" line, however you're welcome to carry out some OSINT on myself, the company and the premise behind the plugin before deciding if you should use it.

However, I will give you a brief insight into how the account which pushes updates for KeyboardPrivacy is managed.
1) It's a G Suite account.
2) The password for it was generated by 1Password; is 12 characters long, truly random and for the foreseeable future, unbreakable.
3) The account is also protected with 2SV via a Yubikey.
4) I am the only key holder. The account has no secondary fail-over methods (SMS, email etc), limiting the attack surface yet further.
5) Logins are audited on a weekly basis and limited by IP & geo-fenced.

Where this plugin is concerned, you're more likely to be tracked than affected by a breach... but that's not to say every other developer takes the precautions I do, so your risk assessment is spot on.
Thank you, what I was looking for, your clarification and input has indeed shined a even brighter light as I expected.
Now I feel free to move about the cabin .....
And welcome to our forum :)
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
First thing I notice is the update schedule for the FF addon, so I have to ask a question that may seem obvious
but is for the benefit of the community: Is this still in active development ? or being updated, I understand it's function so once
completed and stable it will require little upkeep. Also has there been any keyboards, such as Logitech. IBM ect, that take issue with this software or (addon) and which AV software have you found in your in-house testing that react adversely to the Addon ?

More information
Add-on Links
Version
2.5
Last updated
a year ago (Sep 22, 2016)
 
  • Like
Reactions: upnorth

Paul Moore

Level 1
Nov 25, 2017
3
KeyboardPrivacy is actively being developed, however not as a plugin... but rather an external USB pass-thru dongle.

The insurmountable issue with this (as as plugin) is the need to artificially create lag between keystrokes; by locking a thread for a few milliseconds (or hundreds of, depending on config). That's fine for most sites & most PCs, but some devices do not play nice with such a requirement. Older versions of Chrome used to hang/crash entirely. I'm acutely aware the code needs polishing before it's anywhere near production-ready, however as a PoC, it was sufficient for our presentation at Cambridge University in 2015 (PasswordsCon). Trouble is, refining the code such that there's minimal delay either renders the plugin less effective, or completely ineffective. A hardware dongle resolves this, as it intercepts & alters the keystrokes before they reach the machine.

To put it into context, 24hrs after the plugin was released, banks & financial institutions around the world (2 from the UK) were frantically trying to reach BehavioSec (the company who's product we defeated) to ask if it was still safe to use.

To date, I'm not aware of any software which flags KeyboardPrivacy as not trusted, dangerous or malicious. The source code, as with any Chrome plugin, is available to view and is purposefully not obfuscated to allow anyone suitably-inclined to review it. As you'll see, there's really very little to it. That said, I'm not aware of any software vendors who advocate its use either; it certainly angered the financial industry, the majority of whom would rather you didn't know the technology existed. It has been discussed for the next version of Tor however, as we were able to identify users who tried to remain anonymous too. That should give some indication of how effective this method of profiling really is.

Thanks for the warm welcome.
 

boredog

Level 9
Verified
Jul 5, 2016
416
First thing I notice is the update schedule for the FF addon, so I have to ask a question that may seem obvious
but is for the benefit of the community:
I think he said he is not involved with the FF plugin buddy.

"The experimental Google Chrome extension Keyboard Privacy offers an automated solution. Good news is that it works right after you have installed it in the browser without you doing anything else besides that."
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I am going to go take a peek at the rest now, but I am steering clear of the FF plugin (for now)
I think it would be a smart & healthy move to keep watching this as interest is spiked more will
be commenting and discovering new facts and functions.
I warn you as MT family to go slow with this one for now. PeAcE
...and stay frosty ;)
 
  • Like
Reactions: upnorth

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
Hi @Paul Moore
I'm user of SpyShelter so I have two questions
- if you are user of keyboard encryption how are you able to recognise real signal and by this way real words...it means "how"...or rather "if"...anti-profiling could encrease my protection?
- How do you tested your add-on efficency and how to test anti-profiling feature in others security apps?
 
  • Like
Reactions: HarborFront

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Will pass. Better they track me with the way i type which in my opinion is nearly impossible without combining it with other methods than allow this extension from a random company to access everything.

j5hUChc.png


Actually, ScriptSafe for Chrome also has this message
Info on Permissions Requested by ScriptSafe
  • “Read and change all your data on the websites you visit” – this sounds scary, but ScriptSafe needs access to pages in order to block things (e.g. scripts, spoof headers, killing webbugs).
ScriptSafe - andryou

and

Fix URL Links Redirect (for Chrome) if you click the 'Details' in its extension.

I believe many extensions would have such message as well.
 
Last edited:
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top