How a solution for electronic identification used keystroke recognition to profile 3.2 million Norwegians
by Marie Baleo
Tell me how you type, and I’ll tell you who you are… BankID, an electronic identification solution used by all Norwegian banks, has been using behavioral biometrics to store profiles on its 3.2 million Norwegian users since fall 2014.
More specifically, according to Norwegian media, BankID has been relying on keystroke dynamics, a method for identifying an individual based on the way they type on their computer’s physical keyboard or mobile phone screen. Over time, as the user logs in again and again, a profile is formed, that allows for the identification of said user with a 99% accuracy rate. Thanks to keystroke dynamics, BankID now appears to be in possession of the biometric profiles of around 75% of Norway’s adult population.
Granted, BankID uses keystroke dynamics to conduct fraud detection, denying access and potentially alerting the concerned bank when an individual with unrecognized typing characteristics attempts to log into a user’s account. Additionally, the system does not record what users type, but merely the way they type it. But a substantial problem remains: BankID seemingly failed to alert its users it was collecting their typing patterns to build profiles on them.
According to Datatilsynet, the Norwegian data protection authority, such methods may only be lawfully implemented when the user has signified their informed and express consent, as reported by Norwegian daily Dagens Naeringsliv. BankID should have publicly disclosed its use of keystroke profiling before building up its collection of individual profiles, but it would appear that it didn’t.
What is keystroke dynamics?
You may have noticed, watching your fellow classmates or coworkers type, that everyone types differently. But what you may not know is that the way in which you and your neighbor type on your respective keyboards is so distinctive that, just like other biometric characteristics such as your fingerprints and retina, it is an almost foolproof way to recognize you.
The method relies on analyzing the characteristics of your keystrokes: the lapse of time between striking one key and the next (called “gap time”), and the time between pressure and release of a key (called “dwell time”), among other variables.
The primary purpose of this tool is to increase security, adding one more method for user authentication, and thus one more layer of protection of a user’s account and private information. German newcomer KeyTrac and Swedish startup BehavioSec are examples of the many companies now selling security solutions based entirely on keystroke profiling.
But of course, as with any intelligent, innovative tool, it may also be used for less honorable purposes, namely breaching users’ privacy by profiling them, storing their profiles, and gaining more information on them for surveillance or advertising purposes. All over the Internet, websites are picking up and transmitting our keystrokes to their servers. This is, for example, how Google is able to offer its infamous search suggestions. But who knows whether “how” you type, in addition to “what” you type, may not also be analyzed and collected?
What exactly is BankID?
The Norwegian BankID was launched in March 2009 as a service for online authentication and signature. Provided by retail banks, this electronic service for secure online identification also allows the legally binding signature of electronic messages, contracts, and other documents. The service targets businesses looking to offer their customers easy and safe online identification.
BankID is, in other words, “an industry cloud owned by Norwegian banks”, and a way for Norwegians to prove their identity online and to conduct online transactions.
The Norwegian banking industry began developing BankID as a common infrastructure in 2000. The first customers started using BankID in 2004. Today, 307 Norwegian businesses, banks, and public entities provide their clients with the BankID solution. A grand total of 3 286 952 persons now have BankID licenses in Norway. Every second, ten new transactions are conducted.
BankID is currently providing two solutions: bank-stored BankID and mobile BankID. Bank-stored BankID is an electronic certificate stored at Nets, the Norwegian Banks Payment and Clearing Center, and can be accessed by using a personal ID number, a chosen password, and a one-time code generated by a small physical token. The scheme relies on a two-factor authentication process: factors linked to what you know (your ID and password), and factors linked to what you are using (your OTP, or “one time password” provided by the token).
As late as 2012, BankID relied on a Java platform which raised significant security questions. These have been remedied, as BankID rolled out its 2.0 version in late 2014, now based on HTML5.
BankID has also created a popular mobile solution, Mobile BankID, which started out as a collaborative endeavor led by Den Norske Bank (DNB) and telecom giant Telenor. Faced with Telenor’s overwhelming success, additional service providers decided they wanted in. Tele2 joined the scheme in June 2013, while 23 banks followed in DNB’s footsteps. Today, all Norwegian service providers and banks are part of the scheme.
With this mobile solution, your BankID is stored on your cell phone’s SIM card. You can login to websites featuring BankID by using your phone number, your birthday, and a PIN code. Mobile BankID thus uses a technology called Public Key Infrastructure (PKI). Your BankID may inter alia be used for online shopping, registering your new address with the postal service, placing a bid for a house you would like to buy, or logging into municipal websites.
Why may BankID’s use of keystroke dynamics be cause for concern?
Dagens Naeringsliv quotes BankID’s Hege Steinland, who confirmed that since 2014, BankID has been working to build “good enough” profiles on all system users.
In a section entitled “9.2. Treatment of personal data” of its user policy, BankID announces:
“Personal information required to issue, use, or bar a BankID may, in accordance with Electronic Signature Act § 7, only be obtained from the certificate holder themselves or with their express consent. The information may only be used for purposes that are consistent with this policy including statistical purposes, unless the certificate holder has given their express consent to that information being used for other purposes. The bank shall, in agreement with the customer, inform the certificate holder about the purpose of the use of the collected personal information and inform them that the information in connection with the use of BankID will be disclosed to other certificate holders.”
The Electronic Signature Act which BankID refers to provides the following:
“A certificate issuer may only collect personal data directly from the data subject, or with his express consent, and only to the extent necessary to issue or maintain a certificate. This information should not be collected or processed for other purposes, as long as not the subject has given his explicit consent.
Inspectorate shall supervise that this provision observed. To the extent not otherwise provided by this Act, comes the Personal Data Act §§ 42-47 with regulations applicable at Data’s supervision after the first sentence.”
There is no reasonable way to put a positive spin on BankID’s choices if indeed thr company has used keystroke dynamics to secretly build and store profiles for its 3.2 million users. Even though the pursued goal, fraud detection, is commendable, implementing this method seemingly without users’ consent appears to be simply illegal. This case is yet another reminder that user privacy is subject to constant and growing threats.
In the future, how may a user avoid being profiled?
If you anonymously visit a website, your keystrokes are enough to differentiate you and, from there, to track your visits to other websites where you may be a registered user and may have provided your name and contact information.
Anyone may set up a site where your keystroke pattern will be collected, and thus identify you across browsers and computers. The collection of such metadata opens up a new eldorado for advertisers, always looking for new ways to uncover your tastes and preferences in order to serve a tailored selection of ads.
There is no reliable indication as to the number of sites currently using keystroke dynamics for behavioral profiling purposes, or of the number of sites who fail to inform their users of this.
It is worth noting that neither VPN or Tor, tools of choice for those seeking to protect their privacy online, are effective against keystroke profiling.
You may not be able to magically change your typing style. But a program can do that for you. KeyboardPrivacy is a Chrome extension created by security experts Paul Moore and Per Thorsheim, who have long alerted about the rise of keystroke dynamics and set out to find a practical way to defeat the scheme. The extension cleverly circumvents behavioral profiling by randomizing the rate at which characters reach the document object model, or “DOM”, preventing identification based on dwell time or gap time.
As much as biometric profiling is by now fairly well regulated in many countries, that is not the case for the relatively little-known keystroke dynamics. Legislators will most likely (and hopefully) intervene, as the use of keystroke dynamics spreads in the near future.
 The rise of keystroke dynamics is inseparable from the growing popularity of behavioral biometrics as a whole. A Juniper Research report quoted by CSO Online states that by 2019, over 700 million biometric authentication apps will be downloaded each year.
 Freely translated by us. Emphasis added.