Keystroke and Mouse Deanonymization

From Whonix

This page explains how your unique typing and mouse movement patterns - also known as behavioral biometrics - can be used to track or identify you online, even if you're using privacy tools like Tor. It also covers real-world examples of these techniques, how they work, and what you can do to protect your identity.

Mouse Fingerprinting

This wiki chapter explains how tracking mouse movements can be used to identify people online - even without their knowledge or consent - just by using a regular web browser like Firefox or Chrome.

Mouse fingerprinting is not just a theory. It is already being used on real websites. In fact, as of 2023, up to 36% of the 80,000 most popular websites may already use mouse fingerprinting. [1] This includes well-known, high-traffic sites like search engines. [2]

Several companies offer mouse tracking and behavioral analytics tools designed to monitor user interactions - such as mouse movements, clicks, and scrolls - to enhance marketing strategies, boost sales, and improve user experience. These tools are widely used in e-commerce, advertising, and conversion rate optimization (CRO).

Trusted by 210,000+ digital experience frontrunners worldwide
Vodafone; Philips; TUI Cruises; Verizon; Scotts (mouseflow)

Mouse or cursor tracking happens when websites record where your mouse moves and when you click. While this helps website designers improve layout and usability, it also creates a privacy risk. This information can be recorded silently - without your permission - through everyday web browsing. [3]

Modern websites use technologies like CSS and JavaScript to make pages look and feel interactive. But these same tools can also be used to track where your mouse moves. Even add-ons in your browser can do this.

  • Tracking software can record things like:
    • where and when you click
    • how long you stay in one part of the page
    • where your mouse is on the screen
    • if you hover your mouse over a link and for how long
    • See the footnote for more examples of mouse tracking. [4]

Imagine someone using the internet both normally (without tools to hide their identity) and through privacy tools like Tor. People have unique ways of moving their mouse. Computers can learn those patterns. So if a person acts anonymously on Tor but has similar mouse behavior as they do on regular websites, their identities can be linked. [3] This technique is already used in real life. For example, if someone’s behavior seems very different from usual, websites may block access to their accounts until their identity is confirmed. This kind of tracking - called behavioral biometrics - is sold by companies as a product to website owners. [5]

For a practical example of deanonymization (the process of revealing someone's true identity online), consider someone who regularly browses the internet using both clearnet (i.e., the regular internet without anonymity tools like Tor) and anonymity networks (such as Tor). Individuals exhibit distinctly unique patterns in how they move and click their mouse. Therefore, when these tracking techniques are used on popular websites, Artificial intelligence (AI) systems trained on behavioral data can recognize these patterns and associate them with specific users. Over time, this makes it possible to link "anonymous" activity on Tor to known identities from clearnet usage - with a high degree of probability. [3] [6]

Turning off JavaScript does not protect you from this. The same tracking can be done using CSS. [7]

Tor Browser (a browser that helps you stay anonymous online) bug report: CSS features allow real-time tracking

Whonix, a privacy-focused operating system, has built-in tools (like Kloak and Qubes Event Buffering) that try to confuse tracking by slightly changing the timing of your mouse movements. This can make it harder to match your behavior over time. [8] More improvements are being worked on. See: Better mouse obfuscation.

Keystroke Dynamics

This chapter explains how typing behavior - also known as keystroke dynamics - can be used to identify people online, even when they use privacy tools like Tor.

Keystroke tracking has become advanced enough to create a unique "fingerprint" of each user based on how they type. This is a privacy concern because hiding your IP address (for example, with Tor) is no longer enough to stay anonymous. [9]

Websites can recognize users by how they interact with the keyboard, including: [10]

  • how fast they type
  • how long it takes to find and press each key, how long each key is held down, and how long the pause is before the next key is pressed [11]
  • how long they pause while typing
  • the kinds of typing mistakes they make - and how they correct them
  • what type of keyboard they use
  • whether they are likely right- or left-handed
  • patterns that reveal their likely native language
  • which keyboard layout they use (like QWERTY or Dvorak), which influences speed and errors

A computer program can build a profile based on these typing traits - similar to how a signature or handwriting can be used to identify someone. While typing styles may change depending on a person’s mood, energy, or time of day, the patterns are still often unique enough to recognize individuals. [10]

If users don’t take steps to block this kind of tracking, their typing rhythm can likely be used to deanonymize them. For example, someone using Tor might unknowingly type the same way they do on other websites, allowing trackers or attackers to match both identities. Adversaries may already have samples of how the person types on the regular internet and can use that to link them.
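The following added example (not from the Whonix wiki or from any tracking product) shows how the hold and flight times listed above can be extracted from key press and release timestamps and used to match two typing sessions. The event format, the four-number profile, the distance measure and the session data are assumptions constructed for illustration.

```python
import random
import statistics


def keystrokes(events):
    """Pair each key 'down' with its 'up'.

    events: iterable of (time_ms, key, "down" | "up").
    Returns [(key, down_ms, up_ms)] ordered by press time.
    """
    pending, strokes = {}, []
    for t, key, kind in sorted(events):
        if kind == "down":
            pending.setdefault(key, t)  # auto-repeat: keep the first press
        elif kind == "up" and key in pending:
            strokes.append((key, pending.pop(key), t))
        # an "up" with no matching "down" (focus gained mid-press) is dropped
    return sorted(strokes, key=lambda s: s[1])


def profile(events):
    """Timing profile: mean and spread of hold times and flight times (ms)."""
    strokes = keystrokes(events)
    if len(strokes) < 2:
        raise ValueError("need at least two complete keystrokes")
    holds = [up - down for _, down, up in strokes]
    # Flight time: release of one key to press of the next. It is negative
    # when the next key goes down before the previous one is released.
    flights = [nxt[1] - cur[2] for cur, nxt in zip(strokes, strokes[1:])]
    return (statistics.fmean(holds), statistics.pstdev(holds),
            statistics.fmean(flights), statistics.pstdev(flights))


def distance(p, q):
    """Manhattan distance between two profiles, each feature scaled by its size."""
    return sum(abs(a - b) / max(abs(a), abs(b), 1.0) for a, b in zip(p, q))


def constructed_session(text, hold_ms, flight_ms, jitter_ms, seed):
    """Constructed sample data: a typist modelled by mean hold and flight times."""
    rng = random.Random(seed)
    t, events = 0.0, []
    for ch in text:
        up = t + max(10.0, rng.gauss(hold_ms, jitter_ms))
        events += [(t, ch, "down"), (up, ch, "up")]
        t = up + rng.gauss(flight_ms, jitter_ms)
    return events


def demo():
    text_a = "the quick brown fox jumps over the lazy dog"
    text_b = "pack my box with five dozen liquor jugs"
    # Profiles a tracker already holds from identified (clearnet) sessions.
    known = {
        "typist_1": profile(constructed_session(text_a, 95, 140, 12, seed=1)),
        "typist_2": profile(constructed_session(text_a, 70, 60, 12, seed=2)),
    }
    # A later session by typist_1: different text, no account, same rhythm.
    anonymous = profile(constructed_session(text_b, 95, 140, 12, seed=3))
    distances = {label: distance(anonymous, p) for label, p in known.items()}
    return min(distances, key=distances.get), distances


if __name__ == "__main__":
    label, distances = demo()
    print("closest known profile:", label)
    print({k: round(v, 3) for k, v in distances.items()})
```

The match needs no shared text, cookie or IP address: only the press and release timestamps that a page with JavaScript enabled can observe.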

To reduce this risk:

  • Use a common keyboard layout (like **en-US**) to blend in with most users.
  • Avoid typing directly into websites when **JavaScript is enabled** - websites can silently track when you press and release each key.
  • Instead, type your message in a text editor (offline), then copy and paste it into the website when finished.

Other tips:

Threat Model

This section explains when and how your unique typing or mouse behavior - also known as biometric fingerprinting - could be used to compromise your privacy, even when using tools like Tor.

There are two main threat scenarios:

  1. A tracker can observe how you type or move your mouse both when you are using Tor and when you are using the regular internet (clearnet). They try to match your identity across both.
  2. A tracker can only see your behavior on Tor, but still wants to tell you apart from other Tor users.

In both cases, the tracker can create a fingerprint based on how you type - using patterns described in the Keystroke Dynamics section - and how you move your mouse. [12]

If the tracker can watch your behavior on both Tor and clearnet, they may be able to tell that the person typing in one environment is the same person typing in the other - effectively removing your anonymity and linking your identity to your Tor activity.

If the tracker can only watch what you do on Tor, they might not know who you are in real life, but they can still tell your behavior apart from everyone else using Tor. This may still be a problem. For example:

  • A website on the Tor network might block you if it recognizes your fingerprint.
  • It might also track everything you specifically do across multiple visits, even without knowing your identity.

This means that even without knowing your name or IP address, a website or attacker could still follow your behavior just by how you type or move the mouse.

Defenses

Kloak

Kloak is a privacy tool (input device anonymization tool) that hides your typing and mouse movement patterns, which can be used to identify you online.[13] Kloak is better at hiding keyboard behavior than mouse behavior. See Limitations.

Kloak is pre-installed in Non-Qubes-Whonix Whonix-Workstation.

We recommend installing kloak on your host system as well, to keep it effective even if your Whonix-Workstation VM gets compromised. However, if you're accessing sites that use typing biometrics (like some banking sites), it might be better to only use kloak within Whonix VMs.

Another benefit of kloak is that it helps protect your search queries even if they are being analyzed in encrypted traffic using autocomplete leaks. [15]

kloak is designed to stymie adversary attempts to identify and/or impersonate users' biometric traits. The GitHub site succinctly describes kloak's purpose and the tradeoff between usability and the level of privacy. Notably, shorter time delays between keystrokes and release events reduce overall anonymity: [16]

kloak is a privacy tool that makes keystroke biometrics less effective. This is accomplished by obfuscating the time intervals between key press and release events, which are typically used for identification. This project is experimental.

...

kloak works by introducing a random delay to each key press and release event. This requires temporarily buffering the event before it reaches the application (e.g., a text editor).

The maximum delay is specified with the -d option. This is the maximum delay (in milliseconds) that can occur between the physical key events and writing key events to the user-level input device. The default is 100 ms, which was shown to achieve about a 20-30% reduction in identification accuracy and doesn't create too much lag between the user and the application (see the paper below). As the maximum delay increases, the ability to obfuscate typing behavior also increases and the responsiveness of the application decreases. This reflects a tradeoff between usability and privacy.

While kloak makes it hard for adversaries to identify individuals or to replicate their typing behavior -- for example to overcome two-factor authentication based on keystroke biometrics -- it is not perfect and has limitations. See Limitations.

Rescue Keys

Kloak by default recognizes a "rescue key" sequence, which will terminate the kloak process.

The default rescue key sequence is KEY_LEFTSHIFT + KEY_RIGHTSHIFT + KEY_ESC (i.e. left shift + right shift + escape).

Depending on how kloak is run:

  • A) daemon: If you are running kloak as a systemd service (the default), this will restart kloak (as systemd will automatically re-launch it after it terminates).
  • B) manual: If you are running kloak in a terminal, this will terminate kloak, which then will be no longer anonymizing keyboard and mouse actions.

Rescue Keys Customization

Kloak rescue keys may be customized by using the -k option, which takes a comma-separated list of key codes as an argument. The full list of supported key codes can be seen at keycodes.c.

For instance, to run kloak with the rescue key set to KEY_LEFTSHIFT + KEY_ESC, run:

1. Stop background kloak process first.

    sudo systemctl stop kloak

2. Run kloak in terminal.

    sudo kloak -k KEY_LEFTSHIFT,KEY_ESC

3. Terminate with Ctrl+C or rescue key sequence when done.

4. Restart background kloak process.

    sudo systemctl start kloak

5. Persistent configuration change.

To make this change permanent, see setting persistent kloak settings.

6. Done.

Disabling rescue keys

Some users have reported that they are unable to use certain keyboard shortcuts on account of the rescue key functionality. To disable the rescue key feature entirely, you may use the -p option. Be warned that this will prevent you from terminating or restarting kloak using the rescue key sequence! To run kloak with the rescue key feature disabled:

1. Stop background kloak process first.

    sudo systemctl stop kloak

2. Run kloak in terminal.

    sudo kloak -p

3. Terminate with Ctrl+C when done.

4. Restart background kloak process.

    sudo systemctl start kloak

5. Persistent configuration change.

To make this change permanent, see setting persistent kloak settings.

6. Done.

Kloak Debug Mode

If you are experiencing problems with kloak, generating debug logs can be useful for determining what's going wrong.

Warning:

  • Only enable in case of issues when needing a log file for debugging or sharing with a trusted user.
  • Kloak acts as a keylogger when running in verbose mode! Logs contain detailed info of all keystrokes and mouse movements made while kloak is running. Sharing kloak logs with another individual reveals key logs, mouse activity logs, and keyboard/mouse biometrics to the receiving user. Do not do anything sensitive while kloak is generating debug logs! Under no circumstances should you share a kloak log with any user you do not fully trust! Do not publicize kloak logs, transmit them over an insecure channel, or store them online unencrypted!

Kloak provides a -v option that is useful in these scenarios. Due to the volume of data kloak produces during logging, it is recommended that you run kloak in a terminal when gathering logs. To run kloak in verbose mode, run the following commands:

1. Stop background kloak process first

    sudo systemctl stop kloak

2. Run kloak in terminal

    sudo kloak -v

3. Gather logs, then terminate with Ctrl+C or rescue key sequence.

4. Restart background kloak process

    sudo systemctl start kloak

5. Persistent configuration change.

To make this change permanent, see setting persistent kloak settings.

6. Done.

Setting persistent kloak settings

Notes:

  • Kloak's verbose mode can be enabled as a persistent setting by following these instructions. However, verbose mode generates copious amounts of data, which may consume large amounts of disk space or cause wear-and-tear on the disks. Enabling verbose mode as a persistent setting is not recommended.

If you use kloak as a systemd service and wish to use some of its options, you may do so by adding a configuration file for kloak. To do this:

1. Open file /lib/systemd/system/kloak.service.d/50_user.conf in an editor with root rights.

Non-Qubes-Whonix

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

    sudoedit /lib/systemd/system/kloak.service.d/50_user.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

    sudoedit /lib/systemd/system/kloak.service.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

    sudoedit /lib/systemd/system/kloak.service.d/50_user.conf

2. Paste.

Note: Replace <options> with the options you wish to pass to kloak.

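    [Service]
    # An empty ExecStart= clears the command inherited from kloak.service,
    # so the line below replaces it instead of adding a second command.
    ExecStart=
    ExecStart=/usr/sbin/kloak <options>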

3. Save and exit.

4. Reload systemd manager configuration.

    sudo systemctl daemon-reload

5. Restart kloak.

    sudo systemctl restart kloak

6. Done.

Kloak will now run with custom options.

View kloak journal log

If you want to look at any info kloak may have output since starting it, you may do so by checking the journal logs. To do this, run:

    sudo journalctl -u kloak | cat

xrdp

Looked into what would be necessary to make kloak work over xrdp. Sadly this does not seem possible, as xrdp acts as its own X server (to my awareness) and thus intercepting and delaying keystrokes would require kloak to somehow intercept the keystrokes at the layer between the X server and the applications. I looked for ways of doing this but failed to find them - there are ways of logging keystrokes at the X server level, but my research failed to find a way to block keystrokes or otherwise keep them from being delivered to applications for the purpose of delaying them. This issue affects any use of kloak over a remote desktop session - unless the remote desktop application creates uinput devices on the remote machine and then feeds user input into them, kloak will not be able to intercept them. Recommendation - xrdp users should run kloak on the client machine to obfuscate their typing patterns on the client. This will then naturally obfuscate them on the remote machine as well. (ArrayBolt3)

Stop Kloak

It is usually not required to stop kloak, except for testing or debugging.

Stop kloak until restart or reboot.

    sudo systemctl stop kloak

Start Kloak

It is usually not required to start kloak as it is running by default.

Start kloak.

    sudo systemctl restart kloak

Kloak Status

    sudo systemctl status kloak

Qubes Event Buffering

Info: This feature is only available in Qubes OS R4.3 and later. At the time of this writing, Qubes OS R4.3 has not yet been released. Use of the pre-release builds is not recommended for inexperienced users or users with high security requirements.

This is a feature built into Qubes OS. It is not a part of Whonix itself, and can be used with any Qubes OS virtual machine except for Qubes HVMs.

Qubes Event Buffering is Kloak-alike software.

Qubes OS is incompatible with Kloak, due to the fact that most VMs in Qubes OS do not use evdev to receive input. To provide the same benefits as Kloak despite these limitations, Qubes OS R4.3 provides a feature known as "event buffering". Whereas Kloak would run within each individual VM, intercepting and buffering evdev input events, Qubes event buffering runs on dom0, catching X11 input events intended for a particular VM and buffering them before sending them to the VM. Qubes event buffering uses the same underlying algorithms as Kloak, and should be similarly effective.

Qubes event buffering does not mask mouse movement behavior as well as it masks typing behavior, see Limitations below.

To enable event buffering for a particular VM:

1. Determine the VM you want to enable event buffering on. We will use whonix-workstation-17-dvm as our example here.

2. Open a terminal in dom0.

3. Run:

    qvm-features whonix-workstation-17-dvm gui-events-max-delay 200

This will enable event buffering on whonix-workstation-17-dvm, with a maximum buffer time of 200ms. If you want a longer buffer time, specify a larger number as the last argument.

4. This setting does not take effect on currently running VMs. If whonix-workstation-17-dvm or any DispVMs based on it are running, shut them down.

5. Done. Event buffering is now enabled for whonix-workstation-17-dvm. You should notice a delay in typing when you launch the VM next.

Limitations

Kloak and Qubes Event Buffering

Both Kloak and Qubes event buffering have some limitations users MUST be aware of before relying on them for security:

  • Mouse events are cloaked, but not as effectively as keyboard events. Pointing devices (mice, touchpads, trackballs, etc.) produce a very large number of events when the pointer is being moved by the user. Both Kloak and Qubes event buffering use a scheduling system that queues events as they arrive and tries to ensure no event is delayed longer than the set maximum delay value. Because pointing devices flood the queue with events when the pointer is moved, this usually results in almost all of the events involved in a pointer movement being delayed for exactly the maximum delay time. This removes almost all anonymizing jitter and may allow an adversary to fingerprint and identify the user via mouse movements even if Kloak or event buffering is being used.
  • Typing may be substantially more difficult. Because Kloak and event buffering both queue, delay, and release keystrokes at semi-randomly chosen times, typing is not as easy when using Kloak. Lag is usually noticeable and unpredictable. Shorter maximum delay times can improve usability, but only at the cost of providing less anonymity.
  • Biometric software can tell that you're using Kloak. When using Kloak, one's typing rhythm will appear very unnatural and strange to biometric software, which is a clear indicator that one is using Kloak or similar software. Kloak makes no attempt to mask its use; it only ensures that all Kloak and Kloak-alike users appear similar to each other. This is similar to the limitations of Tor - one cannot tell which Tor user is accessing a resource or the true identity of the Tor user, but they can very easily tell that the resource is being accessed over Tor.
  • Legitimate uses of biometric software will break. If you use software that relies on keystroke biometrics to identify you, it will almost certainly fail to do so if you are using Kloak. This may require you to temporarily disable Kloak before using certain services.
  • Small delays are not effective; higher values that can be tolerated are preferable.
  • It does not address Stylometry threats.
  • Repeated (held-down) key presses that repeat at a unique rate can lead to identification.
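The following added example (not kloak's or Qubes OS's code) simulates the delay scheduling described in the Kloak section and in the first limitation above: each event gets a random delay up to the maximum, and events are never released out of order. The exact lower-bound rule, the 8 ms pointer event spacing and the keystroke gaps are assumptions constructed for illustration.

```python
import random
import statistics

MAX_DELAY_MS = 100.0  # kloak's default maximum delay, as quoted on this page


def schedule(arrivals_ms, max_delay_ms, rng):
    """Return the release time of each event, given its arrival time.

    Assumed model: every event gets a random delay of at most max_delay_ms,
    and no event may be released before the event queued ahead of it, so
    the smallest allowed delay is whatever keeps it behind that event.
    """
    releases = []
    prev_release = float("-inf")
    for t in arrivals_ms:
        lower = min(max(prev_release - t, 0.0), max_delay_ms)
        prev_release = t + rng.uniform(lower, max_delay_ms)
        releases.append(prev_release)
    return releases


def constructed_arrivals(rng, count, min_gap_ms, max_gap_ms):
    """Constructed timestamps whose gaps are drawn from [min_gap_ms, max_gap_ms]."""
    t, arrivals = 0.0, []
    for _ in range(count):
        t += rng.uniform(min_gap_ms, max_gap_ms)
        arrivals.append(t)
    return arrivals


def delay_stats(arrivals_ms, max_delay_ms=MAX_DELAY_MS, seed=1):
    """Summarise the delay each event received from the scheduler."""
    releases = schedule(arrivals_ms, max_delay_ms, random.Random(seed))
    delays = [r - a for a, r in zip(arrivals_ms, releases)]
    return {
        "mean_delay": statistics.fmean(delays),
        "stdev_delay": statistics.pstdev(delays),
        "max_delay": max(delays),
        # Share of events held for at least 80% of the maximum delay.
        "near_max_share": sum(d >= 0.8 * max_delay_ms for d in delays) / len(delays),
        "in_order": all(b >= a for a, b in zip(releases, releases[1:])),
    }


def compare(seed=7):
    rng = random.Random(seed)
    # Key press/release events: irregular gaps of 60-220 ms (constructed).
    keyboard = constructed_arrivals(rng, 400, 60.0, 220.0)
    # Pointer movement: one event every 8 ms, i.e. a 125 Hz device (constructed).
    mouse = constructed_arrivals(rng, 400, 8.0, 8.0)
    return {"keyboard": delay_stats(keyboard), "mouse": delay_stats(mouse)}


if __name__ == "__main__":
    for device, stats in compare().items():
        print(device, {k: round(v, 2) if isinstance(v, float) else v
                       for k, v in stats.items()})
```

With these inputs the keyboard delays spread across the 0 to 100 ms range, while the pointer delays cluster just under the 100 ms maximum, because each pointer event arrives while the previous one is still waiting in the queue.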

Kloak only

The following limitations apply only to Kloak, not to Qubes event buffering:

  • Kloak only works if the system uses the evdev input driver. Almost all modern Linux distributions use evdev by default for input devices. Qubes OS is a notable exception - it uses its own virtual input device, which the X server in each Qube reads from. Kloak is not capable of intercepting events from non-evdev-based input devices.
  • Kloak does not intercept events that are fed directly to the system's display server without going through an input device driver. Any form of emulated input cannot be intercepted by Kloak. Remote desktop software frequently uses emulated input for obvious reasons. Another common class of software that makes use of emulated input is Keyboard-Video-Mouse (KVM) software such as Barrier, Synergy, and Input Leap. If you need Kloak to provide anonymity in these scenarios, you must run Kloak on the machine that the physical keyboard and mouse are attached to. This will obfuscate the movements the host machine sees and, therefore, obfuscate the movements that are sent to other machines via emulated input.

Qubes event buffering only

The following limitations apply only to Qubes event buffering, not Kloak:

  • Event buffering is not available in any version of Qubes R4.2 or earlier. It will be present in Qubes R4.3.0 and later.
  • There is no easy way to enable or configure event buffering. The only way to enable and configure event buffering is using the qvm-features command in a dom0 terminal. A configuration feature for event buffering may be added to Qube Manager in the future.
  • Event buffering is not enabled by default on Qubes-Whonix-Workstation. It must be explicitly enabled by the end user. This is expected to be fixed. See Enable X11 event buffering in Whonix by default.

Defense Testing

You can test that kloak actually works by trying a keystroke test website. https://vmonaco.com/device-fingerprinting/ is a good choice as it is free, open source, and requires no personal data or signup process to use. The code is visible at https://github.com/vmonaco/device-fingerprinting.

To use the test:

  • Ensure kloak is not running.
  • Open the website.
  • Move the mouse around and click on random locations on the page. You will see a graph labeled "mousemove" start to update. As the mouse moves, the graph should eventually show a few (oftentimes only one) orange-marked spikes that act as a fingerprint for your device.
  • Click inside the text area and type for some amount of time. A graph labeled "keydown" should show one or more prominent orange-marked spikes after a bit of typing.
  • Start kloak, then refresh the page.
  • Move the mouse around again. The graph will act erratically and fail to obtain an orange-marked spike for very long.
  • Click inside the text area and type for some amount of time. The graph should act erratically similar to the mouse graph.
  • By default, the website uses event.timeStamp as a time source for fingerprint extraction. If desired, repeat the above steps with the other time sources (Date.now(), performance.now(), and Web Worker).

A device or biometric fingerprint can be obtained quickly and with high certainty when kloak is not used. The tests done with kloak enabled show that kloak obfuscated typing behavior, making it difficult to authenticate or identify a particular user.

Note that websites that observe typing behavior will likely see users running kloak as being distinctly different from other users (due to the randomized, unnatural typing rhythms and mouse movements). This is similar to how Tor users can be detected separately from internet users who do not use Tor, but telling individual Tor users from each other is very difficult. As more users use kloak, the anonymity set will increase.

Other potential tests (not recommended):

Previously KeyTrac was recommended for testing kloak. However, the KeyTrac demo is no longer available. When KeyTrac did exist, the following results were obtained by training and testing KeyTrac with and without kloak:

Table: Sample KeyTrac versus Kloak Test Results

| Kloak Configuration | Results and Interpretation |
| --- | --- |
| Train normal, test normal | trial 1: 94% accuracy identified; trial 2: 92% accuracy; trial 3: 94% .. |
| Train normal, test Kloak | trial 1: 18%; trial 2: 15%; trial 3: 19% |
| Train Kloak, test Kloak | trial 1: 40%; trial 2: 42%; trial 3: 36% |

Without Kloak users can be identified with very high certainty. The second set of tests show that Kloak definitely obfuscates typing behavior, making it difficult to authenticate or identify a particular user. Third set: users running Kloak may look "similar" to other users running Kloak. That is, it might be possible to identify Kloak users from non-Kloak users. These results are similar to the results obtained using vmonaco's device fingerprinting test.

Potential future development research

  • Do X11 or Wayland provide hooks that would allow intercepting input events as read by the Wayland compositor or X server, before those events are sent directly to applications? This would allow Kloak to work even with setups that don't use evdev.
  • Could a "toggle" feature be added to Kloak to allow temporarily enabling and disabling it without having to stop the Kloak service entirely? This would be useful for users who have high anonymity requirements but also have to use systems that use keystroke biometrics as a legitimate method of authentication.
  • Can mouse events be obfuscated better? It might be possible to randomly select times at which to deliver mouse events, then deliver all queued mouse events at once at those selected times, with intermediate events "squashed" together so that the mouse simply jumps to the position it would have ended up in had all mouse events been processed normally. If this is done, mouse events should probably be handled in a separate queue from keyboard events. Planned: https://forums.whonix.org/t/better-mouse-obfuscation/21445

References

  1. [...]

    we collected a data set containing information about the top 80k most popular websites according to the Tranco list [28].

    [...]

    Our results show that over 599 scripts fall within the criteria explained in Section 3 to be considered as files suspicious of containing mouse tracking. Those scripts are present in 28,854 of the websites (36% of the total 80,000 websites scanned). In order to evaluate them, a human expert has to explore its code to distinguish between mouse tracking instances and false positives. However, nowadays most JavaScript resources are minimized or obfuscated, both techniques that render the code very hard to analyze by humans, reducing the number of scripts that can be studied because of time constraints.

    [...] Detecting and Analyzing Mouse Tracking in the Wild

    https://ieeexplore.ieee.org/document/10190681/

  2. [...]

    mouse tracking has very practical applications for webmasters, and in particular for search engines. Dr. Ioannis Aparakis from Telefonica Research and co-author of both publications, clarifies: “When you search for something at Google or Bing, your mouse movements are sending a tiny signal to the search engine indicating if you are interested or not in the content you have been shown. As mouse tracking may have privacy issues, we investigated the possibility of recording only a small part of the whole movement trajectory and see if we can still infer how people make choices in web search.”

    [...] University of Luxembourg, Faculty of Science, Technology and Medicine (FSTM) University / Central Administration and Rectorate, Mouse movements reveal your behaviour

  3. Jump up to: 3.0 3.1 3.2
  4. Other details websites can record, additional mouse tracking techniques:
    • the exact time of every mouse movement or click
    • maps showing where most users move their mouse
    • full replays of your mouse path
    • scrolling behavior using the mouse wheel
  5. This deanonymization technique is likely to succeed, as it is already used to lock individuals out of secure accounts (pending identity verification) when their monitored behavior significantly deviates from previously learned patterns.
  6. https://github.com/vmonaco/kloak/issues/7#issuecomment-893817507
  7. https://github.com/vmonaco/keystroke-obfuscation
  8. https://en.wikipedia.org/wiki/Keystroke_dynamics
  9. These are known as "seek time," "hold time," and "flight time" in keystroke dynamics research.
  10. Mouse fingerprinting can analyze factors like cursor speed, scrolling style, pause durations, and path curvature. These traits can be just as unique as typing patterns.
  11. Technically, kloak anonymizes input device signals by introducing random delays in keyboard and mouse events, disrupting timing-based biometric identification. See:
  12. Ongoing development is stalled. See: https://github.com/vmonaco/kloak/pull/50 More info: community forum guide. Deprecated issues:
  13. https://github.com/Whonix/kloak
