With JavaScript enabled, user behavior can be tracked and profiled. Tor Browser implements defenses against user behavior tracking as of the beginning of the 5.x.x series.[1]
It reveals, how fast you type, how long your breaks are[2], which mistakes you make and how you correct them while writing the draft, also which type of local keyboard you are using.
Mouse tracking[3] analyzes the position and speed of cursor movement unique to each person as they interact with webpages.
Combined with stylometry which works with less data (final text only), keystroke fingerprinting will completely de-anonymize you. An adversary can compare statistics about user’s typing over clearnet, then compares it to texts composed over Tor in real-time.
I use the method kwrite–>browser in tor, if I have to use a VPS, would a virtual keyboard be useless to avoid keyword fingerprint between clearnet, where I use that of my pc, and VPS?
I am talking just about keyword fingerprint
If you use a virtual, i.e. on-screen keyboard, keystroke fingerprinting isn’t possible, since the speed you type isn’t reflected in the speed you click on the on-screen keyboard.
high accuracy achieved in limited situations - active authentication during log-on. Does not clear EU false positive requirements however so they recommend it for combining with keystroke dynamics as extra confirmation:
In the scenario of static verification, a user is required to perform a series of mouse movements and its mouse data is verified within a certain amount of time (e.g., login time). A good example of this scenario is a click-based graphical password for user login, where five clicks are estimated to be made in no more than 25 seconds.
By contrast, in the scenario of continuous verification, a user’s mouse data is continuously collected and verified throughout the entire session. This is non-intrusive to users and meets the goal of passive monitoring. However, the frequency of user mouse actions varies significantly in different sessions. In general, the average frequency of user mouse actions will be much lower than that of the static scenario.
Even for the same user at different times, the number of mouse events per unit time varies a lot. However, to the best of our knowledge, our work is the first to achieve high accuracy with a reasonably small number of mouse events.
Hi
Resume this topic without creating another, since it is related to my question
I don’t remember well but seem to have read something about the issue of wireless mouse that can send “something” because their connection isn’t encrypted, is right? Always about mouse is good idea to take it out of screen when not in use?