Your 'Clickprint' Gives Away Your Identity Online

Krishna Dagli writes to mention an article at the Guardian site about an increasing interest in the possibility of identifying users by their 'clickprint', or online access habits. The article discusses a new paper on online identification written by two American professors. The piece posits that not only is nailing down individual users by their habits useful for advertisers looking to sell products, it may be possible to use this information to flag stolen identities. From the article: "'Our main finding is that even trivial features in an internet session can distinguish users,' Padmanabhan told the Wharton Review. 'People do seem to have individual browsing behaviors.' The duo found that anywhere from three to 16 sessions are needed to identify an individual's clickprint ... In one example, they found that from just seven aggregated sessions they could distinguish between two different surfers with a confidence of 86.7%. Given 51 sessions, the confidence level rose to 99.4%."

AdBlock + NoScript + no cookies = reduced tracking

Install AdBlock + NoScript and do not allow cookies unless you need them and you will reduce the chances of someone on the web identifying you significantly.

Similar to ssh exploit a few weeks back

[Yahma]

This is similar to the SSH exploit reported here on Slashdot a few weeks back where data could be determined via statistical/timing analysis done on the packets sent during an SSH session.

It sounds like if these types of timing and statistical analysis attacks become common, a simple solution would be a firefox extension that would randomize the timing of the input from the mouse and the keyboard. I suspect that randomly delaying a keystroke or a mouse click anywhere between (0-100ms) would be enough to defeat this type of analysis as well as short enough as to not adversely affect the browsing experience.

Of course browsing browsing the web through a good anonymous web proxy will probably do alot more to hide your identity than any type of randomizing of your input strokes.. but then, utilizing both methods as well as encryption would make things all the harder for any attacker.

Yahma

Answer to Your Question

[eldavojohn]

If they're talking about using this for identifying fraudulent users...how much would changing news/services on the internet affect that? I can think of several news items and new services that instantaneously and permanently caused me to alter my browsing and internet using habits. Wouldn't those sorts of behavior altering agents increase false positives?

To the best of my knowledge, the idea is that you wouldn't change drastically. And if you did, it might falsely accuse you of being a fraudulent user and then you mearly need to straighten things out.

The odds are low and this is a variable to be tweaked. But the assumption is that you will still visit your old sites and exhibit your behaviors on them. If you found say one new site a week, it would actually slowly be incorporated into your routine (if they used regression properly and allowed the model to train on your data -- old and new). But if you suddenly stopped going to your old sites and started visiting new ones, you would probably be flagged. And that's the trade off of trying to repress fraud.

I should point out that there's a lot of play with the variables here and that actual implementation of this theoretical paper could be either well done or badly done.

Excellent point, though. Sometimes these new technologies turn out to be more cumbersome than helpful and we need to watch out for that!

Re:Am I the only one

[gladed]

I agree. If you are concerned about this, TinyURL allows you to enable "previews" now. When enabled, clicking on a tinyurl link will direct you to a page that shows you the link, where you can decide to click or not. See http://tinyurl.com/preview.php.