Owl Content

Authentication or identification techniques are often divided into something you have (a key, a chipcard), something you know (a password, your mother's maiden name), or something you are (your fingerprint, your retina). I already wrote about why I think the term "what you are" should not be used for biometric data, because you have fingers, you don't be them.

Here is a new angle: Increasingly, researchers are working on identifying people by what they do. At the University of Leicester, according to the Telegraph,

"scientists are analysing the way people write mobile phone text messages so police can use them as evidence." (more from the New Scientist)

At the same time, researchers at the University of Pennsylvania are trying to identify users by their browsers' clickstream data:

"We develop formal methods to solve this problem and thereby determine the optimal amount of user data that must be aggregated before unique clickprints can be deemed to exist."

And at the Georgia Institute of Technology, researchers are trying to identify you by the way you walk:

One primary focus of our work is on gait recognition. We propose a technique that recovers static body and stride parameters of subjects as they walk.

They also have most clearly spelled out what this is all about:

This approach is an example of an activity-specific biometric: a method of extracting some identifying properties of an individual or of an individual's behavior that is only applicable when a person is performing that specific action.

As I said, the core of all this is: You are identified by what you do and how you do it.

The problems I can imagine here are manyfold. Michael Zimmer points at clickstream identification and anonymous web browsing:

Would Amazon monitor your clickstream data (when you are logged in) in order to provide better recommendations for you? Would they sell that data to 3rd parties? Could they identify you if you aren’t logged in?

It could get worse when this kind of evidence is used in court. I am not a legal expert, but the way I understand criminal procedures is that you have an individual and an action, and you convict the individual for this action based on witnesses or other evidence. What happens if the identification of the suspect is itself done by measuring some action? Especially if this action is phone text messaging or web surfing, you can easily think of reverse-engineering the identification mechanism and blaming the crime on someone else.

Of course, this "identification by actions" model can be taken even further, like: "This must be him - we know his shopping patterns". Scary, yes. But analytically, I also think that there needs to be some conceptual clarification. While this all resembles graphology, calling it "biometrics" is missing the point. What you do and how you behave is clearly different from what your retina looks like. And the way you type your text messages is not dependent on your body, but on how you communicate on the language - not speech - level.