Hey,
Brief introduction on myself: I am a cyberpunk that has been around
quite a while and has always had an interest in privacy, security, and
anonymity but I dabble in a little bit of everything. I have been a
Tails user since about 2014.
I would like to propose that Tails include an anti-keystroke biometrics
tool such as Kloak (see
https://github.com/vmonaco/kloak). I have
reviewed the previous proposal (located here:
https://lists.autistici.org/message/20190328.132622.54c1ee7e.en.html)
and have decided to re-propose the inclusion of this tool with a more
hardened and detailed reasoning.
To explain what keystroke biometrics is would be very similar to explain
how normal (physical) fingerprinting works. Your fingerprint is
something that is very unique to you and is very difficult to alter or
modify on an ongoing basis. You leave your fingerprint all around you
every day without consciously doing so - and attempting to always wear
gloves to obfuscate your fingerprint is not feasible. Similarly, each
typist has a unique keystroke biometric that is very unlikely to be
shared by any other person in the world and is very difficult for a
typist to consciously alter on an ongoing basis. More on keystroke
biometrics can be read on Wikipedia
(
https://en.wikipedia.org/wiki/Keystroke_dynamics) and I will assume
that you have taken a cursory look at that article.
The reason that this type of obfuscation should be included in Tails is
very simple. One of the design goals of Tails is to make all Tails/Tor
Browser users look the same and share fairly similar fingerprints. We
likely have about 20,000 or so regular Tails users and 2-3 million Tor
users. This is a small fraction of the estimated ~5 billion Internet
users today. Therefore, this small subset (2-3 million users) must look
generally the same to different types of analysis to achieve these
goals. However, each users' own keystroke biometrics distinguishes them
from everyone else and travels across all of their contextual identities.
Assuming that global intelligence organizations have the Upstream/PRISM
collection apparatus that they most certainly do, it would not be
difficult for a nation-state adversary to know a specific person was
utilizing Tor, even without an ISP's assistance. As discussed, each of
our own keystroke biometrics are intrinsically unique to us as
individuals. If a service was utilizing a keylogger or logging our
keystrokes, they would be able to capture and analyze our keystroke
biometrics data. Let's frame a situation: Claire is a Tails user and is
not utilizing an anti-keystroke biometric tool. Claire signs up for an
email account on a very widely-used email service ("The Service") while
using Tails and while taking the usual precautions. Of course, at some
point, she sends an email using The Service. For any reason, Claire is
the target of a surveillance operation - perhaps she is a journalist in
an oppressive country or she is a whistleblower and is publishing
anonymously. It turns out that The Service has been logging keystroke
biometrics data from its users for a period of time - similar to how
some US phone companies (ahem, Verizon) collected all phone call
metadata/content for NSA over an extended period of time. At some point
during that period, Claire had previously used an account on The Service
linked with her real identity. If The Service was required by a
government to do so or even wanted to do so themselves - they could
compare all collected user keystroke biometric data to see that this
anonymous account's biometric data is extremely similar to a previous
user they had, and they can assume that this previous user and this
anonymous user are one-in-the-same with a high degree of certainty. This
is because it is very unlikely for two separate individuals to have the
same keystroke biometrics, and even if a few people did, this would very
greatly narrow the suspect pool. Even worse, if Claire had multiple
anonymous identities on The Service, they could all at least be linked
to one another, if not also her real identity. There is nothing stopping
a company from collecting this data without a warrant or order because
users willingly turn this data over by using that company's website or
service. If Claire had been using Tails with some type of anti-keystroke
biometric tool, her biometrics would have been randomized on her
anonymous identity and could not have been linked back to her real
identity.
I understand that there may be some skepticism about this type of
analysis. While there is not clear evidence of a company logging this
type of data for this kind of purpose, it is not something out of the
scope of realism now or in the near future. Additionally, there are
instances today where we can observe companies logging some keystroke
data - such as online payment processors not allowing credit card
numbers to be pasted in number fields because not typing numbers in the
field is a sign of credit card fraud. Also, we have no way to know if
the global surveillance apparatus is logging keystroke data on its own
and/or is forcing or requesting companies to do so in a similar manner
to what the PRISM program accomplishes with NSA accessing Internet
companies' stored data. If that was the case, the global surveillance
apparatus forcing or requesting even just a few major companies to log
and turn over keystroke biometrics data would encompass a very large
amount of the Internet's usership. I would like you to think about if
you have ever used a website or service at two different points in time
on a non-anonymized identity and an anonymized identity whether that
service required you to sign up for an account or not. Obviously, it
need not be that you are using an account on a website for them to be
able to store this type of data, but it would make it much easier for
them to track such data across sessions.
I feel that we must take a proactive approach on protecting user
anonymity rather than a reactive one - especially when we are servicing
operating systems and software to users that require a high-level of
anonymity in very difficult situations. Including this type of
obfuscation in Tails has benefits that greatly outweigh the negatives.
This is something that very seriously needs to be considered by the dev
team to be included in the near future. Lastly, I want to thank the dev
team for their contributions.
