Behaviometrics & Privacy: Not Mutually Exclusive

Editor's Note: In part 2 of our blog series discussing behaviometrics, we explore the issue of privacy. There is no denying that a majority of what we do online and on our phones is tracked by various sites, companies, etc. The question is, how much privacy are we willing to give up if, at the end of the day, it means our personal information is actually safer?

As mentioned in the 270° View posting entitled "Will Behaviometrics Finally Make User IDs and Password Extinct?", this method for authenticating an individual is coming of age. Some of what is powering development in this area is directly tied to the available technology, but other contributing factors include certain changes in the behavior of individuals themselves.

The more historical data collected about a user, the more accurately that user can be identified in the future. In the past, one of the biggest complications with identification through behaviometrics was the collection of baseline data. Growing adoption of mobile devices and social media applications like Facebook, Instagram, Snapchat, and Twitter provides the ability to collect information about users and create a historical data baseline specific to them. Patterns in this data, coupled with mobile device information, including location, produce a reasonably accurate way to identify a user.

Data scientist and CEO Raul Popa claims that, with AI, his company has been able to improve identifying users from 60-70% to greater than 99% accuracy using statistical analysis and mathematical equations alone. Improvements in AI developed over the past 10 years, combined with the growing willingness of the public to interact with social media and share personal data, have provided AI with the significant sampling of data required to reach this high level of accuracy.

This brings the dilemma of privacy into the mix: at what point does the tracking of users with these systems border on an invasion of privacy? What rights do individuals have relative to knowing if they are being sampled? Furthermore, does the user really care if this activity results in improved security minus the considerable friction of using passwords? When you take into account how many people have flocked to social media applications and freely share personal data, it would seem individuals will trade privacy to get these attributes.

The social media and search data collected has already been put to use: Facebook has sent friend suggestions based on relationships detected in other applications, and Google has displayed banner ads based on an individual's activity. The scope of what is already happening in this area is significant, and any assertion of privacy is somewhat naïve. As former Google CEO Eric Schmidt was quoted as saying, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

With this thought, it appears that companies like Google see the lack of user concern about sharing data to enable convenience of access as a fair trade-off. Interestingly enough, according to a study in a TechRepublic story, users under age 45 believe their phone data to be more private than data on a personal computer. A study by The Science Daily suggests that users are more willing to share their location when using social media applications. Based on these findings, it appears users may not care about or understand the level of data they share on social media on a daily basis. When they enable location services, it seems users don't correlate sharing of location with privacy.

This consumer perception may be key to the adoption of behaviometrics, as its effectiveness requires a user to be tracked continuously and consistently. Continuous tracking of a user increases the security of a device and can identify when a device has changed hands. The technology to accomplish this has been around for a number of years. A 1990 study conducted by Rick Joyce and Gopal Gupta claims, "with consistent user monitoring, the event of one user taking over for another user on a computer can be detected based on typing patterns." In other words, if an entity can effectively collect enough data on a user and identify a user based on their activity, the collected data can be used to determine when another user has taken over on a given machine.

It is fair to say that a user may be identifiable on any machine where the same monitoring techniques and data are gathered and used. By applying this data, a monitoring system should be able to raise a concern if there is a change in these patterns that might indicate a machine is being used by another person, and require that person to re-authenticate themselves. To accomplish identification at this level, user interaction with applications will require continuous monitoring and evaluation.
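The continuous-monitoring idea described above, as an added example that is not from the original post and is not Joyce and Gupta's algorithm: a simple per-digraph z-score check over keystroke timings that returns the keystroke at which a session should be forced to re-authenticate. All function names, the window size, the threshold and the timing values are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict

def digraph_latencies(events):
    """events: [(key, press_time_ms), ...] -> {(k1, k2): [latency_ms, ...]}"""
    out = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        out[(k1, k2)].append(t2 - t1)
    return out

def build_baseline(sessions, min_samples=3, min_std=5.0):
    """Per-digraph (mean, stdev) from the enrolled user's historical sessions."""
    pooled = defaultdict(list)
    for events in sessions:
        for pair, lats in digraph_latencies(events).items():
            pooled[pair].extend(lats)
    return {p: (statistics.mean(v), max(statistics.stdev(v), min_std))
            for p, v in pooled.items() if len(v) >= min_samples}

def window_score(baseline, events):
    """Mean absolute z-score over digraphs that also exist in the baseline."""
    zs = [abs(lat - baseline[p][0]) / baseline[p][1]
          for p, lats in digraph_latencies(events).items() if p in baseline
          for lat in lats]
    return sum(zs) / len(zs) if zs else None  # None: nothing comparable yet

def first_reauth_keystroke(baseline, stream, window=8, threshold=3.0):
    """Index of the keystroke at which re-authentication is demanded, or None."""
    for i in range(len(stream) - window + 1):
        score = window_score(baseline, stream[i:i + window])
        if score is not None and score > threshold:
            return i + window - 1
    return None

def type_text(text, gaps, start=0):
    """Constructed sample data: (key, time) events with a repeating gap pattern."""
    events, t = [], start
    for i, ch in enumerate(text):
        events.append((ch, t))
        t += gaps[i % len(gaps)]
    return events

# Constructed timings in ms, not measurements from any real user.
TEXT = "behaviometrics"
ENROLLED = [type_text(TEXT, g) for g in ([110, 120, 105, 130], [115, 118, 100, 135],
                                         [108, 125, 110, 128], [112, 122, 103, 132])]
OWNER = type_text(TEXT, [111, 121, 104, 131])                          # enrolled user
OTHER = type_text(TEXT, [220, 60, 240, 70], start=OWNER[-1][1] + 900)  # second typist
print(first_reauth_keystroke(build_baseline(ENROLLED), OWNER + OTHER))
```

In the constructed stream the second typist starts at keystroke 14, and the check fires one keystroke later. The baseline here stores only timing statistics per key pair, which is one way to limit what a monitor retains about the user.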

In our modern world of technology and connectivity, security and data privacy should be continually evaluated. As the world becomes more connected through ease of access to data at the local coffee shop, public WiFi hotspots, and cellular connectivity, those who are responsible for data security should consider all aspects of accurately identifying users in the interest of protecting against data leakage. Enabling the freedom of access to manage our personal data should employ techniques of gathering and evaluating user interaction with applications but also be respectful of the user's privacy. Ultimately, it is not a matter of if behaviometrics will be a part of our security, but a matter of when, and how much.