by Unity

In the last few days we’ve seen a couple of classic pieces of lousy and wholly uncritical technology churnalism in the media.

One, the spurious claim that ‘Facebook cause syphilis’, was quickly taken apart by Ben Goldacre despite the somewhat worrying refusal of NHS Tees to provide Ben with access to the data behind the ridiculous claim, which, rather alarmingly, was made by the trust’s Director of Public Health.

That leaves me to tackle this story, which emerged as wire copy from the Press Association and rapidly found its way into both the Daily Mail and The Sun before, worryingly, creeping into the industry press as well:

Typing technology ‘pervert trap’ Paedophiles using the internet to target youngsters could be tracked down – by the way they use a keyboard. Researchers are investigating ways to use technology that can determine a typist’s age, sex and culture within 10 keystrokes by monitoring their speed and rhythm. Former Northumbria Police detective chief inspector Phil Butler believes the technology could be useful in tracking down online fraudsters and paedophiles. Professor Roy Maxion, associate professor at Newcastle University, has been carrying out the research in the US.

This is an industrial-grade bullshit piece of advertorial from start to finish but, for reasons that will shortly become clear, still well worth picking to pieces.

Let’s start by telling you the truth about Dr Roy Maxion’s background and his actual research.

Dr. Maxion is, indeed, a bona fide academic who is actually based at a prestigious private research university, Carnegie Mellon, in the United States. He is not, however, currently listed as an associate professor at Newcastle University nor is there anything to suggest that he has ever been given that particular title. He did, however, spend 12 months at the University, some six years ago, as a Senior Visiting Fellow thanks to a grant provided by the Engineering and Physical Sciences Research Council.

Dr. Maxion’s primary research field is, indeed, computer systems security and intrusion detection, and the development and evaluation of keystroke analysis algorithms is a significant part of his current work, much of which is helpfully available and accessible via his personal publications page. Having read several of his papers, including his most recent published work “Comparing Anomaly-Detection Algorithms for Keystroke Dynamics” (Killourhy and Maxion, 2009), I think it’s safe to say that he is a very credible research academic and, moreover, one who is not prone to exaggeration or to making overblown claims for his work that cannot be backed up by solid research evidence.

All of which would explain why there are no direct quotations from Dr. Maxion in any of the coverage given to this story even though it is ostensibly based on his work. Having read several of his papers I cannot imagine, in a million years, that he would willingly put his good name and academic reputation to the proposition that’s being bandied around by Phil Butler:

Mr Butler said: “He takes 50 people at a time and hooks their fingers up to electronic sensors, then videos, monitors and records their typing patterns, speed and rhythms with a very accurate clock. “He can now identify anyone using a keyboard within a 95% accuracy within 10 keystrokes. As soon as you type 10 numbers or letters he can work out your sex, your culture, your age and whether you have any hand injuries.

With Phil Butler’s full claim now on the table, it’s time to separate science-fact from science-fiction.

The science of keystroke dynamics is based on the premise that the rhythm and manner in which we type on a keyboard can be recorded, analysed and used as a biometric identifier in computer security systems.

In very simple terms, were you to install such a system as a security device on your home computer then you would first have to provide it with a reference sample by, for example, typing in your access password several times in order to create a biometric signature. Once that biometric signature has been created then, every time you log on to your computer and type in the password, the system would check both that the password is correct and that the manner in which it was typed in matches up to your recorded signature, giving you access only if both match – and that is all there is to it.
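The enrol-then-verify check described above, as an added example (it is not code from Dr Maxion’s research or from any product mentioned here). The password, the timing values, the threshold and the choice of a scaled Manhattan distance for scoring are all assumptions constructed for illustration.

```python
import hmac
from statistics import mean

def make_attempt(text, holds, gaps):
    """Constructed sample input: (key, press_ms, release_ms) per keystroke."""
    t, events = 0, []
    for i, ch in enumerate(text):
        events.append((ch, t, t + holds[i]))
        t += gaps[i] if i < len(gaps) else 0
    return events

def features(events):
    """Hold time of each key, then press-to-press latency of each key pair."""
    holds = [release - press for _, press, release in events]
    gaps = [b[1] - a[1] for a, b in zip(events, events[1:])]
    return holds + gaps

def enroll(attempts):
    """Template = per-feature mean and mean absolute deviation (floor 1 ms)."""
    columns = list(zip(*(features(a) for a in attempts)))
    means = [mean(col) for col in columns]
    devs = [max(mean(abs(x - m) for x in col), 1.0)
            for col, m in zip(columns, means)]
    return means, devs

def score(template, events):
    """Scaled Manhattan distance per feature; lower is closer to the template."""
    means, devs = template
    return mean(abs(x - m) / d
                for x, m, d in zip(features(events), means, devs))

def login(password, template, events, threshold=2.0):
    """Grant access only if the password AND the typing rhythm both match."""
    typed = "".join(key for key, _, _ in events)
    if not hmac.compare_digest(typed.encode(), password.encode()):
        return False
    return score(template, events) <= threshold

PASSWORD = "tiger7"  # hypothetical; a real system would store a password hash
TEMPLATE = enroll([make_attempt(PASSWORD, h, g) for h, g in [
    ([90, 85, 100, 95, 88, 110], [150, 140, 160, 155, 200]),
    ([94, 80, 104, 92, 90, 105], [145, 150, 155, 160, 210]),
    ([88, 87, 98, 97, 85, 112], [155, 142, 165, 150, 195]),
    ([92, 84, 102, 96, 89, 109], [150, 148, 160, 155, 195]),
]])
GENUINE = make_attempt(PASSWORD, [91, 86, 99, 94, 90, 108], [152, 143, 158, 157, 205])
IMPOSTOR = make_attempt(PASSWORD, [130, 60, 140, 70, 120, 150], [250, 90, 300, 100, 320])

if __name__ == "__main__":
    print(login(PASSWORD, TEMPLATE, GENUINE), login(PASSWORD, TEMPLATE, IMPOSTOR))
```

The only thing the check returns is accept or reject against the one enrolled user’s template.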

It is an extra layer of security, one that, if it could be made to work reliably, would afford some additional protection against individuals gaining unauthorised access to computer systems using stolen passwords and, in that sense, it’s broadly analogous to the use of forensic document examination to authenticate written material by, amongst other things, comparing a suspect piece of handwriting, such as a signature on a cheque, with a reference sample in order to identify whether the suspect item may be a forgery.

Forensic document examination of that kind is widely used in law enforcement circles in the detection and investigation of fraud and forgery and it’s a perfectly respectable practice which generates evidence that is admissible in court – but it isn’t graphology, the pseudo-scientific notion that one can identify an individual’s gender, age or personality traits from their handwriting…

…and neither is the kind of keystroke analysis that Dr Maxion is researching.

This is where Phil Butler crosses the line from commenting on genuine research – the reference to analysing a mere ten keystrokes is particularly revealing as this is a good length for a pretty secure password – into peddling pseudo-scientific bullshit. The research method that Butler is describing is accurate enough, but the suggestion that it could be used to identify an unknown typist’s gender, age, culture or even whether they have a hand injury is complete and utter bollocks.

That being the case, one has to wonder why Butler is bullshitting in such an obvious and easily debunked manner?

Is it just a matter of him being an overzealous ex-Plod trying to scare off a few on-line nonces?

Mr Butler said the university was planning to submit a proposal to the Engineering and Physical Sciences Research Council to fund further research. He said the technology could also be used to prevent fraud at devices such as cash machines. [Press Association]

Mr Butler is also a director of iSafely, a training programme which teaches parents and businesses how to deal with issues such as online fraud or cyber-bullying. He is working with Checkstick, a company that produces software stored on a USB stick that takes a snapshot every five seconds while a child is browsing the internet. Checkstick’s Sean Kane said: “The internet is a very anonymous place and there are more and more people trying to take advantage of the situation. “But there are people out there trying to do something about it.” [The Sun]

Like selling internet monitoring software to over-anxious parents at £39.95 a throw.

As laughable as Butler’s claims about the capabilities of keystroke dynamics analysis might be, there is a much darker side to his arguments:

Mr Butler said the technology could also be used to prevent convicted sex offenders committing further crimes. “As part of a sexual offences prevention order, courts currently have the power to ban a sex offender from using a computer,” he said. “With this technology the courts could force the offender to provide an example of their typing as a way of ensuring they don’t use a computer. This could then be analysed to see whether the sex offender has been using internet chatrooms.”

For such a system to work the recording and transmission of keyboard dynamics information would have to be built into every single computer connected to the internet; and at the operating system level in order to prevent users installing clean chat clients that don’t record/transmit keystroke data or using software to filter that data out of their upstream connection, turning the internet into a global electronic panopticon in the process.

As ideas go, that’s one that only an ex-Plod who’s trying to build a post-retirement career in the IT security sector could love, let alone take seriously.