thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Monday, October 09, 2006

You are what you do? Behavioural data and identification technologies

Authentication or identification techniques are often divided into something you have (a key, a chipcard), something you know (a password, your mother's maiden name), or something you are (your fingerprint, your retina). I already wrote about why I think the term "what you are" should not be used for biometric data, because you have fingers, you don't be them.

Here is a new angle: Increasingly, researchers are working on identifying people by what they do. At the University of Leicester, according to the Telegraph,
"scientists are analysing the way people write mobile phone text messages so police can use them as evidence." (more from the New Scientist)
At the same time, researchers at the University of Pennsylvania are trying to identify users by their browsers' clickstream data:
"We develop formal methods to solve this problem and thereby determine the optimal amount of user data that must be aggregated before unique clickprints can be deemed to exist."
And at the Georgia Institute of Technology, researchers are trying to identify you by the way you walk:
"One primary focus of our work is on gait recognition. We propose a technique that recovers static body and stride parameters of subjects as they walk."
They also have most clearly spelled out what this is all about:
"This approach is an example of an activity-specific biometric: a method of extracting some identifying properties of an individual or of an individual's behavior that is only applicable when a person is performing that specific action."
As I said, the core of all this is: You are identified by what you do and how you do it.

The problems I can imagine here are manifold. Michael Zimmer points at clickstream identification and anonymous web browsing:
"Would Amazon monitor your clickstream data (when you are logged in) in order to provide better recommendations for you? Would they sell that data to 3rd parties? Could they identify you if you aren’t logged in?"
It could get worse when this kind of evidence is used in court. I am not a legal expert, but the way I understand criminal procedures is that you have an individual and an action, and you convict the individual for this action based on witnesses or other evidence. What happens if the identification of the suspect is itself done by measuring some action? Especially if this action is phone text messaging or web surfing, you can easily think of reverse-engineering the identification mechanism and blaming the crime on someone else.

Of course, this "identification by actions" model can be taken even further, like: "This must be him - we know his shopping patterns". Scary, yes. But analytically, I also think that there needs to be some conceptual clarification. While this all resembles graphology, calling it "biometrics" is missing the point. What you do and how you behave is clearly different from what your retina looks like. And the way you type your text messages is not dependent on your body, but on how you communicate on the language - not speech - level.

2 Comments:

Anonymous said...

Friends,

Here's the text of one of my posts relevant to igf2006:

{startx}

From my "Really, Why Bother" essay:

"This raises the question--

"REALLY, WHY SHOULD ANY SELF-RESPECTING
STATE BOTHER WITH ABSURDISTAN, DC ?

"There's email."

Email?

That raises the question--

WHOSE EMAIL ?

July 1, 2005
Associated Press [1]
U.S. to Retain Oversight of Web Traffic
By ANICK JESDANUN

"The U.S. announcement marked a departure from
previously stated U.S. policy."

The Superpower's "previously stated...policy" was a
LIE.

"Policy decisions [by The Superpower] could at a
stroke make all Web sites ending in a specific suffix
[like .com] essentially unreachable."

"In a worst-case scenario, countries refusing to accept
U.S. control could establish their own separate Domain
Name System and thus fracture the Internet into more
than one network."

This raises the question--

REALLY, WHY SHOULD ANY SELF-RESPECTING
STATE BOTHER WITH ABSURDISTAN, DC's FAKE
INTERNET ?

Regional internets are the way to go.

Really? Well...

July 2, 2005
BBC [2]
'Full Text' of China-Russia Joint Statement on 21st
Century World Order

After blather about "exceptionally broad access to
open information" (section 4), the statement gets
down to the nitty-gritty (section 10):

"Regional integration is an important characteristic of
the development of the current international situation.

"The two sides [China-Russia] pointed out that
multilateral regional organizations established on the basis
of

"regional openness,

"cooperation on an equal footing,

"and non-targeting of other countries

"are playing a positive role in the process of shaping a
new international order."

New international order?

NOT The Superpower's fake.

[1]

The URL for this undatelined version filed at 9:44 AM
now brings up a datelined version by Matt Moore filed
at 10:26 PM:

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/01/AR2005070100603_pf.html

The original newsstory by Jesdanun, under a different
headline, is at URL:

http://www.presstelegram.com/Stories/0,1413,204~21478~2950072,00.html

Hurry!

[2]

http://news.monstersandcritics.com/mediamonitor/printer_1028422.php

{end}

Cordially;

Jer

10/10/06 01:07

 
Anonymous said...

Speaking as a guy who will routinely raise or fold a poker opponent on the basis of a 250 ms change in their response patterns, I guess I have trouble understanding the issue here.

If anything, I am impressed by coming up with more tools that provide identification on the basis of unconscious patterns -- since there are many legitimate uses for authentication, it would be nice to have more methods to prevent illegitimate access.

Beyond that, in terms of governmental control, I suspect that many of these techniques will have workarounds. If I'm reading the clickstream issue correctly, a Firefox plugin that delayed clicks at random by N ms (or that simulated link clicks and bitbucketed the results) would do nicely.

10/10/06 23:12

 
