Your 'Clickprint' Gives Away Your Identity Online

Krishna Dagli writes to mention an article at the Guardian site about an increasing interest in the possibility of identifying users by their 'clickprint', or online access habits. The article discusses a new paper on online identification written by two American professors. The piece posits that not only is nailing down individual users by their habits useful for advertisers looking to sell products, it may be possible to use this information to flag stolen identities. From the article: "'Our main finding is that even trivial features in an internet session can distinguish users,' Padmanabhan told the Wharton Review. 'People do seem to have individual browsing behaviors.' The duo found that anywhere from three to 16 sessions are needed to identify an individual's clickprint ... In one example, they found that from just seven aggregated sessions they could distinguish between two different surfers with a confidence of 86.7%. Given 51 sessions, the confidence level rose to 99.4%."

Shameless Weka Plug

[eldavojohn]

So I can already anticipate people being concerned about their identities being tracked through clicks online.

You don't have to worry about this, however, as it is easy to distinguish two different users but probably difficult to pick you out of a crowd. Furthermore, if they're tracking your clicks, they probably already know your IP address. The number of sessions probably raises to a problematic number if you are trying to identify one user out of one thousand. Therefore, this will only be useful in identifying different behavior between two users -- or specifically identifying when it is highly likely that someone who is logged in is significantly different from the click profile associated with that account (as the article states).

There's a lot of discussion about this in the paper. Mentioning that the priors are set at 50% for 2 users but at 1% for 100 users (obviously). And also that:

In an experiment involving 42 user profiles, Monrose and Rubin (1997) shows that depending on the classifier used, between 80 to 90 percent of users can be automatically recognized using features such as the latency between keystrokes and the length of time different keys are pressed.

They go on to say that the method they suggest for detecting a fradulent user "do not require that users have truly unique profiles."

I read a bit of the paper and I identified Weka's decision tree method being used to classify the users (if you've ever used the ID3 algorithm or its brethren C4.5 in classification, imagine exploring methods of developing different decision trees).

Indeed the paper states:

We chose weka's J4.8 as the classifier since classification trees in general have been shown to be highly accurate classifiers.

I'll take this opportunity to recommend two open source projects. Torpark for those of you concerned about your identity and also Weka -- the easy to use collection of data mining software in Java! Also something to note is that Weka has recently become part of Pentaho, a project of open source business intelligence products. Explore the valuable tools that are out there and enjoy!

Oh No You Didn't

[eldavojohn]

But I'm used to living among dyslexics, illiterates, and dumbasses. Sigh.

Go kcuf yourslef! I am not living among you! I may be dyslexic, I may be illiterates and I may be a dumbass but I am definitely not a sigh.

Re:How about this?

[recordMyRides]

Don't worry, I predict that a porn-related application will need to be invented in order for this to enter widespread use.

Am I the only one

[TubeSteak]

Who doesn't like clicking on Tiny Urls?

Tiny Urls just don't compute as part of my safe surfing habits.
Example:
Tiny Url --> my redirect --> paper
After it hits the front page
Tiny Url --> my redirect --> 0-day exploit

There really is no need for them in Slashdot Submissions.

Here's the direct link to the paper
http://knowledge.wharton.upenn.edu/papers/1323.pdf

an even simpler solution...

[cyberworm]

Follow them to their myspace page.