Hey,
Brief introduction on myself: I am a cyberpunk that has been around quite a while and has always had an interest in privacy, security, and anonymity but I dabble in a little bit of everything. I have been a Tails user since about 2014.
I would like to propose that Tails include an anti-keystroke biometrics tool such as Kloak (see https://github.com/vmonaco/kloak). I have reviewed the previous proposal (located here: https://lists.autistici.org/message/20190328.132622.54c1ee7e.en.html) and have decided to re-propose the inclusion of this tool with a more hardened and detailed reasoning.
To explain what keystroke biometrics is would be very similar to explaining how normal (physical) fingerprinting works. Your fingerprint is something that is very unique to you and is very difficult to alter or modify on an ongoing basis. You leave your fingerprint all around you every day without consciously doing so - and attempting to always wear gloves to obfuscate your fingerprint is not feasible. Similarly, each typist has a unique keystroke biometric that is very unlikely to be shared by any other person in the world and is very difficult for a typist to consciously alter on an ongoing basis. More on keystroke biometrics can be read on Wikipedia (https://en.wikipedia.org/wiki/Keystroke_dynamics) and I will assume that you have taken a cursory look at that article.
The reason that this type of obfuscation should be included in Tails is very simple. One of the design goals of Tails is to make all Tails/Tor Browser users look the same and share fairly similar fingerprints. We likely have about 20,000 or so regular Tails users and 2-3 million Tor users. This is a small fraction of the estimated ~5 billion Internet users today. Therefore, this small subset (2-3 million users) must look generally the same to different types of analysis to achieve these goals. However, each user's own keystroke biometrics distinguishes them from everyone else and travels across all of their contextual identities.
Assuming that global intelligence organizations have the Upstream/PRISM collection apparatus that they most certainly do, it would not be difficult for a nation-state adversary to know a specific person was utilizing Tor, even without an ISP's assistance. As discussed, each of our own keystroke biometrics are intrinsically unique to us as individuals. If a service was utilizing a keylogger or logging our keystrokes, they would be able to capture and analyze our keystroke biometrics data.
Let's frame a situation: Claire is a Tails user and is not utilizing an anti-keystroke biometric tool. Claire signs up for an email account on a very widely-used email service ("The Service") while using Tails and while taking the usual precautions. Of course, at some point, she sends an email using The Service. For any reason, Claire is the target of a surveillance operation - perhaps she is a journalist in an oppressive country or she is a whistleblower and is publishing anonymously. It turns out that The Service has been logging keystroke biometrics data from its users for a period of time - similar to how some US phone companies (ahem, Verizon) collected all phone call metadata/content for NSA over an extended period of time. At some point during that period, Claire had previously used an account on The Service linked with her real identity. If The Service was required by a government to do so or even wanted to do so themselves - they could compare all collected user keystroke biometric data to see that this anonymous account's biometric data is extremely similar to a previous user they had, and they can assume that this previous user and this anonymous user are one and the same with a high degree of certainty. This is because it is very unlikely for two separate individuals to have the same keystroke biometrics, and even if a few people did, this would very greatly narrow the suspect pool.
Even worse, if Claire had multiple anonymous identities on The Service, they could all at least be linked to one another, if not also her real identity. There is nothing stopping a company from collecting this data without a warrant or order because users willingly turn this data over by using that company's website or service. If Claire had been using Tails with some type of anti-keystroke biometric tool, her biometrics would have been randomized on her anonymous identity and could not have been linked back to her real identity.
I understand that there may be some skepticism about this type of analysis. While there is not clear evidence of a company logging this type of data for this kind of purpose, it is not something out of the scope of realism now or in the near future. Additionally, there are instances today where we can observe companies logging some keystroke data - such as online payment processors not allowing credit card numbers to be pasted in number fields because not typing numbers in the field is a sign of credit card fraud. Also, we have no way to know if the global surveillance apparatus is logging keystroke data on its own and/or is forcing or requesting companies to do so in a similar manner to what the PRISM program accomplishes with NSA accessing Internet companies' stored data. If that was the case, the global surveillance apparatus forcing or requesting even just a few major companies to log and turn over keystroke biometrics data would encompass a very large amount of the Internet's usership.
I would like you to think about if you have ever used a website or service at two different points in time on a non-anonymized identity and an anonymized identity whether that service required you to sign up for an account or not. Obviously, it need not be that you are using an account on a website for them to be able to store this type of data, but it would make it much easier for them to track such data across sessions.
I feel that we must take a proactive approach on protecting user anonymity rather than a reactive one - especially when we are servicing operating systems and software to users that require a high level of anonymity in very difficult situations. Including this type of obfuscation in Tails has benefits that greatly outweigh the negatives. This is something that very seriously needs to be considered by the dev team to be included in the near future.
Lastly, I want to thank the dev team for their contributions.
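The linking scenario described in the message above, as an added example (not part of the original post and not Kloak's code): a constructed typist's timing profile is compared with a later session of the same typist, first as typed and then after a bounded random delay is applied to every key event. The feature set, the 15 ms threshold, the 100 ms maximum delay and all function names are assumptions made for illustration.

```python
import random
from statistics import mean, pstdev

def synth_session(n_keys, hold_ms, gap_ms, spread_ms, seed):
    """Constructed sample data: time-ordered (ms, key_index, 'down'|'up')."""
    rng, t, events = random.Random(seed), 0.0, []
    for i in range(n_keys):
        events.append((t, i, "down"))
        events.append((t + max(5.0, rng.gauss(hold_ms, spread_ms)), i, "up"))
        t += max(10.0, rng.gauss(gap_ms, spread_ms))
    return sorted(events)

def profile(events):
    """Timing features: mean and spread of hold time and press-to-press gap."""
    down_at, holds, downs = {}, [], []
    for t, key, kind in events:
        if kind == "down":
            down_at[key] = t
            downs.append(t)
        else:
            holds.append(t - down_at.pop(key))
    gaps = [b - a for a, b in zip(downs, downs[1:])]
    return (mean(holds), pstdev(holds), mean(gaps), pstdev(gaps))

def distance(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q)) ** 0.5

def obfuscate(events, max_delay_ms, seed):
    """Hold each event back by a random 0..max_delay_ms, keeping event order."""
    rng, out, last = random.Random(seed), [], 0.0
    for t, key, kind in events:
        last = max(last, t + rng.uniform(0.0, max_delay_ms))
        out.append((last, key, kind))
    return out

# Constructed scenario: one typist, a real-name session and an anonymous one.
enrolled = profile(synth_session(40, 90, 180, 8, seed=1))
anon_clean = synth_session(40, 90, 180, 8, seed=2)
anon_obf = obfuscate(anon_clean, max_delay_ms=100, seed=3)

def linked(sample, threshold_ms=15.0):
    """Hypothetical matcher: link two sessions when their profiles are close."""
    return distance(enrolled, profile(sample)) < threshold_ms

if __name__ == "__main__":
    print("clean session linked:", linked(anon_clean))
    print("obfuscated session linked:", linked(anon_obf))
```

A bounded delay leaves the mean press-to-press gap almost unchanged, so the separation here comes from the spread features; a matcher that relied only on averages would be affected less.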
