Hacker News new | past | comments | ask | show | jobs | submit login

Fine, there's the worry you typed in something sensitive in the document. But it's far from being the major worry here, if I understood everything correctly...

Basically, if you have all keystrokes with timing info, you've got all the keystroke dynamics required to establish an individual's biometric keystroke fingerprint. And that seems freaking scary to me, for a few reasons.

1) Impersonation

Anyone can grab that fingerprint from any shared file on Google Docs and then feed it to a program so that you can impersonate the author for various purposes... Be it typing a blog comment (harmless), or something more insidious like logging into a secure system using that type of auth system.

Another trivial example could be impersonating someone on a Coursera course, where they use such fingerprints for identification on paid / "signature track" courses, which allow you to get a verified certificate from a known university. They use a photo, but that can also be fed by a tweaked webcam driver. So there you have it, you can hire someone to take lessons and pass exams for you. Or fail you.

2) Anonymity

Anyone with access to a shared google doc can now get your fingerprint, and if they implement a similar record on another website, they can identify who you are. Maybe such fingerprints are not 100% unique, but they surely can be accurate enough to pick you from a crowd of anonymous commenters on a website, for instance.

You could also imagine that a software you already have installed could identify you using a similar approach.

In that case, surfing using a Tails/Tor VM and in the incognito mode of your browser won't help you that much.

I'm sure in a perfect world this could sound awesome: no logins required anywhere, just type in stuff and get automatically ID-ed and credited for what you type and say. In our world, that could be bad for some people.

Plus I can only imagine how bad that would be if companies started to include in their web and desktop apps EULA that you agree to share keystroke dynamics with them and that you auhtorize them to redistribute it to partners. BAM, a global commercial database of uniquely identified users, no matter what account or throwaway email they use. Forget cookies and stuff, that won't need that anymore.

Bit far-fetched of course, as that would require some effort. But it's not that much effort that it wouldn't be interesting enough for someone to do it...

Well, you know what, I actually realized that there's no timing info in the recorded data. So, no problem. I jumped the gun quite a bit.

Still, a bit worrysome, because it could easily be modified to track it. And for all we know, some sites could be doing that. Facebook was (at least at some point) listening to what you were typing in timeline posts even if you didn't actually decide to send them, so it wouldn't be surprising if some sites did that sort of stuff.

Interesting project idea...

The article says there is timing data, with microsecond resolution. That's how the author's tool is able to provide "real-time" playback.

Hmm, true, it's mentioned in first paragraph, but I couldn't find it in the rest of the article's body when I came back to it. Well, this is rather bad then...

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact