I know how you swipe on your device!!!
Dealing with the risks of behavior biometrics
Behavior biometrics pertains to the use of keystroke cadence, touch dynamics, swipe patterns, mouse movements, clicks, device orientation, and the time a user spends on a screen. Combined with other information, including user, device, or network identities, these traits are unique to a person and offer a high degree of reliability when compared with physiological biometrics (such as face scanning). Behavior biometrics can be active or passive. Active behavior biometrics are collected with the user's knowledge; passive behavior biometrics are collected and tracked without any user awareness being necessary.
The adopted approach enables the designer to steer the user through the processes of sensing, perceiving, deciding, and acting by means of design and nudges. It analyzes users' physical and cognitive behavior in digital services. Behavior biometrics is becoming a widely used tool in user experience design, including addictive design. It is also used in fraud and cyber-attacks (to mimic human behavior) and in defenses (to avert bot attacks). Behavior biometrics often examines the time between data activities (keystrokes, mouse movements, clicks, etc.). It is also used to identify ailments (in e-health applications), emotions (in games, interactive media, or health applications), gender, age, and which hand is used for typing.
Behavior biometrics is collected in three main ways:
(1) business or other apps and websites that use behavioral monitoring or tracking (including fake apps floated to gather behavior biometric information),
(2) event tracking on websites and listeners implemented in mobile apps, and
(3) researchers gathering data in test studies with a game or other app.
Behavior biometrics are prominently used in the following areas:
- User and Entity Behavior Analytics focuses on gathering insights from user behavior and planning better design to engage users with the service. App providers have built-in options to track user behavior as part of app development, using listeners and event handlers together with the smart sensors available on mobile or IoT devices. Such analyses are also used in the context of cybersecurity.
- Similarly, websites increasingly track the pages users visit, the time they spend on each page, mouse movements, clicks, and the time between activities in order to create more engaging pages.
- Service and tool providers offer APIs, tools, and technical interventions that integrate behavior biometrics into digital services for cyber defense (authentication and continuous authentication). These are currently used in payments, internet banking, e-commerce, and high-security authentication environments. Behavior biometrics offers benefits including flexibility across different use cases, convenient collection without requiring specific conditions, and the opportunity to enhance security.
- However, it carries downside risks. Behavior biometrics is increasingly used (a) in attention engineering of the user through addictive design and deceptive patterns and (b) in cyber-attacks by adversaries mimicking human behavior, exposing the user to privacy threats, data breaches, financial loss or exploitation, and misuse of digital footprints (including for criminal activities).
- Attackers use behavior biometrics to mimic user behavior with keystrokes, mouse movements, or audio so as to appear genuine. The unique signatures collected through behavior biometrics could be used in data-driven attacks that bypass existing behavior biometric systems. According to NuData Security (a Mastercard company), sophisticated automated attacks (e.g., imitating human keystrokes and mouse movements) increased by 23% in H1 2021 compared to the previous period.
- Above all, the strategic intelligence value of such behavior biometrics can be significant in nation-state and geopolitical settings. In addition, gathering insights into attentiveness, mental fatigue, stress, anxiousness, fear, or cheerfulness through behavior biometrics can be exploitative and can catastrophically expose user identity. Identifying gender through behavior biometrics can also add to today's mounting algorithmic bias.
Overuse, misuse, and abuse of behavior biometrics can lead to:
(a) the design of deceptive patterns (exploiting people's cognitive biases) that influence people,
(b) limited accessibility or increased bias caused by models trained on limited or unbalanced datasets,
(c) inaccuracies in anomaly detection algorithms built on behavior biometrics, with unintended consequences including adversarial attacks that bypass them, and
(d) breach or exposure of the data and its potential misuse.
Regulations such as the GDPR and the California Consumer Privacy Act (CCPA) establish express consent as one of the lawful bases for processing. However, businesses dealing with behavior biometrics tend to choose protection of the user as the legal basis for collecting and using behavior biometrics, thereby eliminating the need for consent, which carries the risk of being revoked. This further exposes the lack of regulatory guidelines or policy in this area.
Given the above, there is a need for policy guidelines setting out the roles of the different actors across the ecosystem, namely governments, app marketplaces, website owners, commercial and social organizations, ethical hackers / red teams / adversaries, and consumers.
At the organization level, two measures are advisable: (a) validating threats using behavior biometrics only in combination with other features, and (b) bio hashing the behavior biometric data rather than storing it raw. Further, being transparent about the collection, use, and sharing of behavior biometric information is advisable. App marketplaces, on the other hand, need a mechanism to enforce minimum expectations regarding explicit declarations of the use of behavior biometrics. Governments across geographies must consider mandating disclosure and audit mechanisms for behavior biometrics, including audits of adversarial robustness.
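To make the bio hashing control in (b), and the continuous-authentication use case mentioned earlier, concrete: the following is an added example written for this article, not code from any product or vendor. Inter-key latencies are normalized, projected with a Gaussian matrix derived from a user-specific secret token, and binarized by sign, so the stored template reveals neither the raw timings nor the rhythm without the token, and can be revoked by issuing a new token. The latencies, token strings, and the 16-bit acceptance threshold are constructed for illustration.

```python
import hashlib
import random
from typing import List

# Constructed sample data: inter-key latencies in ms for the same short passphrase.
# ENROL and SAME_USER come from one (hypothetical) person, OTHER_USER from another.
ENROL = [110, 95, 180, 130, 70, 150, 120]
SAME_USER = [118, 90, 172, 136, 75, 144, 125]
OTHER_USER = [60, 210, 90, 190, 140, 60, 200]

TEMPLATE_BITS = 64      # length of the stored binary template
MAX_DISTANCE = 16       # accept if at most this many bits differ (constructed threshold)

def normalize(latencies: List[float]) -> List[float]:
    """Z-score the vector so the template encodes typing rhythm, not raw speed."""
    mean = sum(latencies) / len(latencies)
    var = sum((x - mean) ** 2 for x in latencies) / len(latencies)
    std = var ** 0.5 or 1.0          # guard against an all-equal vector
    return [(x - mean) / std for x in latencies]

def projection_matrix(token: str, dim: int, bits: int) -> List[List[float]]:
    """Derive a user-specific Gaussian projection from a secret token (the bio hash key)."""
    seed = int.from_bytes(hashlib.sha256(token.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]

def biohash(latencies: List[float], token: str, bits: int = TEMPLATE_BITS) -> int:
    """Project the normalized timings with the token-derived matrix and binarize by sign."""
    feats = normalize(latencies)
    code = 0
    for row in projection_matrix(token, len(feats), bits):
        dot = sum(w * f for w, f in zip(row, feats))
        code = (code << 1) | (1 if dot > 0 else 0)
    return code

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")

def verify(stored: int, latencies: List[float], token: str, max_distance: int = MAX_DISTANCE) -> bool:
    """Continuous-authentication check: a fresh sample must land near the stored template."""
    return hamming(stored, biohash(latencies, token)) <= max_distance

if __name__ == "__main__":
    template = biohash(ENROL, "user42:token-v1")   # this, not the raw timings, is stored
    print("same user    :", verify(template, SAME_USER, "user42:token-v1"))   # True
    print("other user   :", verify(template, OTHER_USER, "user42:token-v1"))  # False
    print("token revoked:", verify(template, ENROL, "user42:token-v2"))       # False
```

Because the template depends on both the timing sample and the token, a leaked template cannot be matched or reused without the token, and rotating the token invalidates it, which is the property that makes this a cancelable template rather than a plain hash of the timings.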
These solutions will take a couple of years to emerge in different geographies. However, it is necessary to initiate efforts to uphold privacy and protect people from adverse effects caused by such models.